[Epic] Granular Access Control | RBAC

[Nikhil-Nandagopal]

Problem statement

Users in larger organizations need more granular control over which users have access to which parts of an application. Developers need to be able to create groups of users and assign the permissions they have depending on the app/page they are a part of.

Related issues

• [x] #2788
• [x] #2890

Success criteria

Users are able to secure their applications up to the page level without any concern for security

PRD : https://www.notion.so/appsmith/PRD-Attribute-based-Access-Control-ABAC-1d18f6a7f344434c8e43809cce46e64c UI : https://www.figma.com/file/ahB1BWStZ7hnqnknrO7EEq/ABAC?node-id=5%3A3

RACI matrix

| ------------- | ------------- | | Responsible | @trishaanand @ankitakinger @albinAppsmith | | Accountable | @vuiets | | Consulted | @mohanarpit, @Nikhil-Nandagopal| | Informed | @hiteshjoshi |

Front conversations

[KirtiChug]

Consider below use cases:

1. For building a customer support panel dashboard, the pages would require categorisation (eg: few pages will be in product A category while few pages in the product B category). But all users won't have access to all pages. Product A category users will access only pages under product A and product B category users pages in product B. So would require page level access.

2. Continuing to above, even certain users having access to product A pages will have only read access i.e they can view the contents of the page while cannot perform actions like creating or updating entries. This will require ACL categorised on page level as well.

So considering the above use case

• User A will have read access to Page 1 in Product A
• User B will have CRUD access to Page 2 in Product B.

Will this issue be covering both the above-mentioned use cases. And what is the priority of implementing this

[dl-lim]

The way I can see UAC being controlled right now is by making different organizations with different shares, but there isn't currently a way to copy a project across organisations. Having too many organisations/apps in the front page is also very messy, so perhaps some form of grouping might be handy here? (Perhaps these are separate issues)

Nevertheless, I agree that there shd be more granular access, perhaps accessibility by each Page of an app, at the very minimum.

[Nikhil-Nandagopal]

@alderson59 we're introducing a way to copy apps across orgs. We'll be introducing app-level access control as well but it will be a part of our enterprise edition :)

[bamboowonder]

I do hope that this feature isn't only part of a very expensive enterprise edition. As a small business, it is very handy to have more granular permissions to reflect our business rules and processes into our systems. That said, as a business, we are very happy to pay for licenses or support contracts to support Appsmith and features like this. Unfortunately software like Outsystems and Retool have focused nearly entirely on "enterprise" by crippling or excluding features like granular permissions for smaller businesses (understandable as that is where the profit is).
(This isn't the only reason I decided on Appsmith. There are many reasons I believe Appsmith has more potential and is headed in the right direction. I look forward to seeing how you evolve.) Thank you for considering this.

[Nikhil-Nandagopal]

Thank you for the insight @bamboowonder! We will definitely introduce a reasonably tiered pricing for features like these. Stay tuned for more updates on this feature :)

[slysiou]

Hi, I need to be sure each user can see only data they have created and manager can see multiple users. Like in Parse-Platform: Role contain multiple Role and multiple User and each record has View, Read, Write, delete access, each table have a create right depending of users and roles. Is it your plan for Granular Access Control? Same as @bamboowonder I hope pricing will be raisonnable.

[vuiets]

Meeting Notes

2 Feb 2022

Wireframes

Discussed

• For self-hosted instances, User groups, Permissions groups and Policies will be maintained at the instance-level
• On a few granular permissions
  • Invite user will not be a standalone permission; it will be a part of Add user permission
  • Delete is destructive change and will remain a standalone permission

Next steps

• @vuiets to wireframe the creation of a single Permission Group, modeling a real-life scenario, to show the heirarchical and lateral propagation of permission configurations
• @Debsourabh and @vuiets to begin design explorations and flows

[vuiets]

Meeting Notes

9 Feb 2022

Discussed

• For self-hosted instances, Users will exist at the instance level
• On a few granular permissions
  • Manage datasources will combine creation and edit of datasources
• Design direction for the Permission Group creation flow to depict inheritance of permissions

Next steps

• Cover users and how to manage them @vuiets
• Flows to create user group and create policies @Debsourabh @vuiets
• Wireframes for user group creation @Debsourabh

[vuiets]

Meeting Notes

16 Feb 2022

Discussed

• Users can be invited to an instance and either assigned Permission Groups or invited into User Groups
• Multiple Permission Groups may be associated with a User or User Group
• Wireframes for User Group creation

Next steps

• Invite user flows @vuiets
• Wireframes for permission group creation @Debsourabh

[vuiets]

Meeting Notes

23 Feb 2022 and 1 Mar 2022

Discussed

• Iterations for Permission Group creation

Next steps

• Accommodate Create permissions in the CRUD matrix on the wireframes @Debsourabh
• Think through the permission group flow in CE vs EE and EE on prem vs EE cloud hosted version @trishaanand
• Scenarios for User Group and Permission Group configurations @vuiets

[vuiets]

Meeting Notes

23 March 2022

Discussed

• Iterations for Permission Group creation
• Closed on information architecture for the Permission Group configuration page - App Resources, Datasources and Queries, User Groups and Permission Groups, Git Sync
• Granularising permission group creation permissions like opening up configurations for sections discussed above is moved to the next phase
• For the first rollout View permissions will translate to showing or hiding a resource in the UI; making a resource read-only and managing access approvals will is moved to the next phase

Next steps

• @Debsourabh to initiate designs for wireframes discussed so far - User Group creation and Permission Group creation flows
• @Debsourabh to wireframe invite flows
• @vuiets to relook at Git Sync permissions

[vuiets]

Meeting Notes

30 March 2022

Discussed

• Wireframe iterations for Invite User flows and Permission Group creation
• Invite user flows will allow addition of users to User Groups but no longer association of Permission Groups
• We will sync User Groups from Identity Providers that we integrate with; Users will have to be invited
• Git Sync permissions are moved to the next phase. While we have a set of permissions, we are yet to identify the value in granularising them today. Also, there is an open question on if we should open up branch-level permissions

Next steps

• @Debsourabh to fix invite user flows based on feedback
• @Debsourabh to look at IA for Admin Panel page and entry points for this page
• @Debsourabh to work on further design iterations for User Group and, more importantly, Permission Group creation based on feedback

[myang-clgx]

Hi All,

I've asked the Appsmith support about the feature (not sure if it's existed or not).

I would like to know if there is a feature to assign "App Viewers" to different user/permission group so that as a Developer can strict which/what data (from data source) to be displayed on UI widget/components based on User/Permission group.

[Nikhil-Nandagopal]

@myang-clgx yes that will be possible with this feature. A possible workaround for this would be to manage this assignment on your end and return the users group in an API and use that to restrict what data can be displayed on the UI. Work on this feature is underway so you can stay tuned to this GitHub issue for updates :)

[vuiets]

Meeting Notes

20 April 2022

Discussed

• The last few weeks and this one has been about discussions around design iterations for User Group creation, Permission Group creation, Invite User flows and handling Search in these pages.

Next steps

• @vuiets to finalize PRD
• @Debsourabh to add option to invite multiple users across Invite User flows
• @Debsourabh to remove User Group selection from Invite User modal on User Group creation page
• @Debsourabh to design search for permissions on the Permission Groups page

[Nikhil-Nandagopal]

@vuiets @Debsourabh can you share the latest figma links here?

[Debsourabh]

@Nikhil-Nandagopal Figma Links : https://www.figma.com/file/15Kg4GX2SroULDbgkwy4xF/?node-id=353%3A19729

[Vadorequest]

I'm not sure if that will be useful for this particular feature, but I recently recorded a video about how I wish to use AppSmith, by comparing it to Stacker. The goal being to build things super fast. I share it in the hope that it'd be insightful.

Video: https://youtu.be/Lth1YzKrHa4 Discussion: https://discord.com/channels/725602949748752515/725609493974614076/967773553799888968

[vuiets]

Thanks a tonne for taking the time to put this together and share it with us @Vadorequest. Deeply appreciate the insights. With RBAC we're keeping it simple and quick to setup with fine-grained control over who has access to your app resources and data sources. We also give you some handy permission presets that you can leverage on the go for admins, developers and consumers of your app.

We'd still like to hear your thoughts around it and be happy to give you a glimpse of what is in works. Could you pick a time slot that works for you for a chat on RBAC?

📆 Calendly: https://calendly.com/appsmith-vishak/conversations

[bamboowonder]

I'm not sure if that will be useful for this particular feature, but I recently recorded a video about how I wish to use AppSmith, by comparing it to Stacker. The goal being to build things super fast. I share it in the hope that it'd be insightful.

Video: https://youtu.be/Lth1YzKrHa4 Discussion: https://discord.com/channels/725602949748752515/725609493974614076/967773553799888968

THIS. I agree with all of the feedback in the video. I use appsmith for a few small apps where I really needed fine detail customisation. But for the majority of our apps, we just needed boilerplate scaffolding. appsmith is great for something very custom, but for standard crud apps (80% of apps for us), it is so much slower because everything has to be built from scratch. I very much wish that a robust initial scaffolding could be created when starting to work with a datasource. the current crud builder is also more of a hindrance and brittle, and could use a lot more polishing.

[sashlabs-cyber]

Hi Team,

Thank you for the great product. Do you have any update on this feature ?

[cloudsuperapps]

Me too on timeframes. Also please share any thoughts on hosting license for resellers offering appsmith based apps to clients cloud or on-prem. This important as encourages us all to stay in the team vs fork and build RBAC open source.

[Nikhil-Nandagopal]

@cloudsuperapps @cyber-cyborg999 we're currently working on this feature. We have some designs ready and we'd love to speak to you to validate our solution. If you're interested in a sneak peek, you can block some time on my calendar below https://calendly.com/appsmith-nikhil/30min?back=1&month=2022-06

[vuiets]

Sorry about the lack of update in recent times. The project is very much in progress.

Meeting Notes

2 June 2022

Discussed

• Aim to move revamped User listing, User Group configuration and listing and Permission group configuration and listing to testing by end of July
• Avoid double confirmation modals for User Group deletes as we'll tackle double confirmation deletes for resources that need them on a separate task
• Use the existing search bars for now and we'll pick up the new search bar as a design system change
• For Admin pages, the universal ‘Save’ is removed it will be page specific and at the bottom of each page to keep it consistent
• 'Save and Restart' flow has to be redesigned for the existing Admin pages, outside of access control

Next steps

• @Debsourabh to close designs for ‘Invite User’ flows
• @Debsourabh to do prototypes for closed User, User Group and Permission Group configuration flows
• Team to list edge cases and microinteraction issues
• @Debsourabh to close Save and Restart flow for other Admin pages
• @trishaanand @ankitakinger Design documentation for implementation of Permission Group Editing page on the client + server side.
• @ankitakinger @berzerkeer to make final UI changes on the screens implemented
• @berzerkeer to complete unit tests for UI/UX implemented
• @RakshaKShetty to continue designing Test Plan
• @sidhantgoel to do a PoC for Caching Library to that will improve the performance of the new RBAC model

[vuiets]

Meeting Notes

8 June 2022

Discussed

• Main problem for 'Invite User' flows which is in design phase - The workspace and app share modals allow people to invite members to any User Group, not just the ones that are associated with that workspace or app. This is misguiding.
• Whether to write a native table component for the Permission Group configuration page or use the react alternative; the react one isn't performant for large datasets
• In the Admin pages, 'Save' button placed will be at the bottom and page-specific for newly introduced Access Control. We will decide how it will look for the rest of the Admin pages this week.

Next steps

• @Debsourabh to share prototypes for agreed flows - User, User Group and Permission Group configuration flows (CRUD flows)
• @Debsourabh @trishaanand @ankitakinger @vuiets to list problems and revisit ‘Invite User’ flows for design
• @Debsourabh @ankitakinger to raise and track ‘Save and Restart’ flow for other Admin pages in separate issue
• @trishaanand @ankitakinger to continue design documentation for implementation of Permission Group Editing page on the client + server side.
• @berzerkeer @ankitakinger to start implementation of Permission Group screen after finalizing the implementation method
• @sidhantgoel to finish test cases and raise PR for POC of Caching library

[vuiets]

Meeting Notes

6 July 2022

Discussed

• There is a change in the elements involved in our invite flows across the board while the experience remains the same
  • On the Community edition, we'll auto-generate permission groups for Admin, Developer and App Viewer and with the invite flow you'll be able to associate users with these permission group
  • On the Business edition, we're introducing user groups and custom permission groups and during invites you may either associate users with permission groups that you've defined or add them to custom user group
• We also have to simplify the terms and copy across the board for Granular Access Control - we're looking at calling User Groups as Groups and calling Permission Groups as Roles

Next steps

• @vuiets @Debsourabh to keep an eye out for simpler terms and rewrite PRD
• @Debsourabh to design for the changes discussed above
• @Debsourabh to design for the invite user flows
• @berzerkeer to complete mock API integration with frontend
• @ankitakinger to work on the pagination of listing screens and toaster messages
• @trishaanand @sidhantgoel to work on backend edits for the changes discussed above

[slysiou]

Thanks for the update. On my side, my access control needs was at row level mainly. I finally achieve it using parse platform with Graphql API. https://parseplatform.org/ After authentication, each user can only see his datas. In addition, UI elements visibility can be managed based on role defined in parse platform. Note: I used Tabs (Like the example on youtube) to hide application until user get login. Visibility of a page based on javascript would be more elegant. https://github.com/appsmithorg/appsmith/issues/1092 It looks it will also be part of the Business Edition.

[vuiets]

Hey @slysiou, thanks for sharing how you're managing access control at your end. This is interesting. Would you like to talk to us over a call so I can get your requirements down in detail? Please feel free to pick a time that works best for you - 📆 Calendly: https://calendly.com/appsmith-vishak/conversations

[vuiets]

Meeting Notes

20 July 2022

Discussed

• We have to design for these scenarios
  • Permission group configuration UI
  • Groups and Role configurations tab
  • 'Others' tab which houses workspace permission configurations
  • Side effect of enabling 'Edit' where 'View' is disabled
  • Upgrade triggers on the Community edition
• We aim to move the RBAC infra changes in CE to testing in this sprint

Next steps

• @Debsourabh to prioritise open design problems
• @berzerkeer to finish 'Members' page revamp
• @RakshaKShetty to revise test plan based on latest designs
• @trishaanand @sidhantgoel to move RBAC infrastructure changes to CE for testing

[naveenthontepu]

any update in this feature?

[vuiets]

Hey @naveenthontepu we are actively building and testing this right now and we'll have this up and running on our Business edition in this quarter.

[SisekoS]

Hi, will you there be a way to group & sub-group users? We have built an admin dashboard, with the focus of having different teams work on different client issues (team & issue: A,B,C), with different team members within those teams working on issues according to complexity qualifications (complexity: 1,2,3).

So, teams A,B,C attend to different types of issues, but within every team, there are levels 1,2,3. This would mean different people within team A would work on issues 1, 2, or 3, depending on the user group they might belong to.

E.g.: User: Tom Team: A Level: 3

This user would then only have access to team A, level 3 issues.

[Nikhil-Nandagopal]

@SisekoS we don't have a concept of subgroups but you can simply model them as teams A1, A2, A3 and have a role called RA, RA1. RA2. RA3 which is cloned from role RA. Would this work for you?

[infinitetrooper]

Closing this issue as the feature was released in v1.9, you can find documentation on the same here. Please track the RBAC label or #19228 for future development 👋