Fine grained access control (e.g. multi-company setups)

Privileges and roles in agileBase were two of the first ideas built into the system at the earliest stage of development eight years ago.

The fundamental concept has stood the test of time, being simple to understand, easy to set up, secure and covering a wide range of needs. A user can have no privileges, read only, edit or manage privileges on any table in the system (‘manage’ being the ability to make changes like add fields). To make things easier when dealing with large groups of users, people can be assigned roles, where each role has its own set of privileges. User and role privileges co-exist, so if a user needs a privilege they don’t have as a member of a role, that can be assigned to them on an individual basis.

There have been no major changes to this system. The only tweak added since the beginning has been the ability to turn particular views (reports) on and off per person. So, for example, if you want to let each member of regional sales teams see contacts in their area only, you can set up a few filtered reports and assign them accordingly.

Recently, however, there have been a number of proposed applications that extend this logic. Examples are:

  • giving customers logins to see data related to them only
  • similarly for suppliers
  • setting up a franchise, where each franchise branch deals with their own data but the central office can see everything

To deal with this type of thing, we’ve just introduced fine grained access control, which works at the level of individual records within a table, rather than the whole table itself.

It’s set up to be very flexible for administrators to implement. Each user of the system can be given a filter that’s automatically applied to any data view they look at. The filter consists of a field name and filter value. When any view is loaded that contains a matching field, the filter is applied before returning the list of data to the user. Because the fields can be of any type, even calculations, filters based on any criteria that can be represented in a calculation can be applied, i.e. almost any criteria.
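The filter behaviour described above, modelled as an added example (this is not agileBase code; every class, function and data value is hypothetical and constructed for illustration). It assumes that a view without the filter field is returned as-is, since the text only says the filter applies to views containing a matching field, and it lists such views so an administrator can review them.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class UserFilter:
    field_name: str   # field the restriction is keyed on
    value: str        # value a row must have to be visible

@dataclass
class View:
    name: str
    rows: list
    stored: tuple                                    # ordinary field names
    calculated: dict = field(default_factory=dict)   # field name -> function(row)

    def field_names(self):
        return set(self.stored) | set(self.calculated)

    def value_of(self, row, name):
        calc = self.calculated.get(name)
        return calc(row) if calc else row.get(name)

def load_view(view, user_filter=None):
    """Rows the user sees; the filter runs before any rows are returned."""
    if user_filter is None or user_filter.field_name not in view.field_names():
        return list(view.rows)   # assumption: no matching field, nothing to filter on
    return [r for r in view.rows
            if view.value_of(r, user_filter.field_name) == user_filter.value]

def views_without_filter_field(views, user_filter):
    """Views a restricted user would see in full; candidates for review."""
    return [v.name for v in views if user_filter.field_name not in v.field_names()]

# Constructed sample data for a two-branch franchise.
ORDERS = View("orders", stored=("branch", "total"), rows=[
    {"branch": "Leeds", "total": 120},
    {"branch": "Bristol", "total": 80},
    {"branch": "Leeds", "total": 45}])
CONTACTS = View("contacts", stored=("name", "postcode"), rows=[
    {"name": "A. Shah", "postcode": "LS1 4AP"},
    {"name": "B. Cole", "postcode": "BS1 5TR"}],
    # "branch" is a calculated field here, derived from the postcode
    calculated={"branch": lambda r: "Leeds" if r["postcode"].startswith("LS") else "Bristol"})
PRICES = View("price list", stored=("product", "price"),
              rows=[{"product": "widget", "price": 3}])
LEEDS = UserFilter("branch", "Leeds")

if __name__ == "__main__":
    for v in (ORDERS, CONTACTS, PRICES):
        print(v.name, load_view(v, LEEDS))
    print("review:", views_without_filter_field([ORDERS, CONTACTS, PRICES], LEEDS))
```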

Thus your data can be shared with as wide a range of people as need to see it, without fear that they will access anything unauthorised. The potential for widening participation and collaboration is dramatically expanded.

As an administrator, to set this up, just go to Administration -> users and look under ‘restrict data access’.


Last modified October 16, 2023: Create access-control.md (440b113)