How to give different permissions?

1
Hi Community!

Use case: I have three user roles (User, Administrator, Viewer). A new user who signs up to the application is said to be a User. When a 'User' creates Organization-A, he is assigned as Admin to that organization. Now he invites a new member into the organization with the Viewer role. Whenever the user with the Viewer role logs in and creates a new Organization-B, he should be Admin only to Organization-B. An Administrator can delete and edit an organization; a Viewer cannot edit or delete the details. I have given visibility to the buttons.

The above picture is related to the Viewer: he can't edit or delete the organization. When he adds a new organization, he should be Admin to that particular Organization-B.

Problem facing: the edit and delete buttons are visible in both Organizations A and B, as he is Admin to one of the organizations (B). Can anyone help me differentiate those permissions? Thanks!
asked
2 answers
0

You'll want to set up security on a database level instead of based on visibility, to prevent users from writing directly to the database.

You should be able to define access rules by adding an XPath with the “owner” or “path to user” buttons, depending on how your domain model is set up:

Then make sure users only have write rights to the organization they created, but read rights to organizations they were added to.

answered
0

Thank you, exactly the question I needed to screw my head on straight about this subject of multi-tenancy. Busy with creating this myself. Eline is setting you on the right track, but there is a big catch:

Using 'Owner' has two disadvantages: 1) an Organization's administrator role is not transferable to another user. This will get you into trouble later on. 2) You can only have one Organization administrator.

Instead of using 'Owner', you can use 'Path to user'. To do that you first have to associate the Organization to System/User (better: Person, if you have that entity). Give that association a clear name, for instance: Person_OrganizationAdministrator. Then 'Path to user' will be:

Organization/Person_OrganizationAdministrator/Person/Person_User='[%CurrentUser%]']

Still need to give access to the person who is OrganizationAdministrator for assigning someone else to become OrganizationAdministrator too. And only for that particular Organization. Pfff, will let you know if I have figured that out and tested it. If you beat me to it, please describe the solution here. Off to dinner now. A new restaurant re-opened nearby :-)

 

answered
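The per-organization rule both answers describe, as an added Python model that is not Mendix code and not from either poster: write access is decided per organization from an administrator association, several administrators are allowed, and only an existing administrator of that organization can appoint another. The user names `alice` and `bob` and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the acting user lacks rights on this organization."""

@dataclass
class Organization:
    name: str
    admins: set = field(default_factory=set)   # models Person_OrganizationAdministrator
    viewers: set = field(default_factory=set)  # invited members, read only

def create_organization(user, name):
    # The creator becomes administrator of the new organization only.
    return Organization(name=name, admins={user})

def can_read(user, org):
    return user in org.admins or user in org.viewers

def can_write(user, org):
    # Decided per organization, never from "is admin of some organization".
    return user in org.admins

def invite_viewer(actor, org, member):
    if not can_write(actor, org):
        raise Forbidden(f"{actor} cannot invite into {org.name}")
    org.viewers.add(member)

def edit(actor, org, new_name):
    # Enforced on the data operation itself, not on button visibility.
    if not can_write(actor, org):
        raise Forbidden(f"{actor} cannot edit {org.name}")
    org.name = new_name

def add_admin(actor, org, new_admin):
    # Only an existing admin of this organization may appoint another one.
    if not can_write(actor, org):
        raise Forbidden(f"{actor} cannot appoint admins in {org.name}")
    org.admins.add(new_admin)
    org.viewers.discard(new_admin)

if __name__ == "__main__":
    org_a = create_organization("alice", "Organization-A")  # constructed sample data
    invite_viewer("alice", org_a, "bob")
    org_b = create_organization("bob", "Organization-B")
    for org in (org_a, org_b):
        print(org.name, "bob read:", can_read("bob", org), "write:", can_write("bob", org))
```

The same `can_write` result can drive the visibility of the edit and delete buttons per organization, so the interface and the enforced rule stay in agreement.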