Row level security

RE: Row level security

ashwing264 — Fri, 17 Sep 2021 18:31:24 GMT

I tried modifying the Default Filters in the example application with the instructions here: https://community.appian.com/w/the-appian-playbook/207/record-level-security-for-entity-backed-records under the Managing Global Viewers section as shown in the screenshot below.

When I view the record list from tempo/sites, the grid duplicates the cases. Considering that the entity backing the record has duplicates, I'm not surprised to see duplicates. But, based on the link in the playbook, it seemed like Appian had handled the duplication issue.

Am I missing something obvious?

RE: Row level security

Peter Lewis — Thu, 08 Jul 2021 21:46:32 GMT

No worries, I'm glad you got it to work!

RE: Row level security

Chris — Thu, 08 Jul 2021 20:57:42 GMT

No worries! Good excuse to double check security anyway ;)

RE: Row level security

Joshua F — Thu, 08 Jul 2021 20:37:20 GMT

Chris, I had a typo in my filter. I appreciate you testing it for me on your side. Sorry about wasting your time.

RE: Row level security

Joshua F — Thu, 08 Jul 2021 20:36:13 GMT

My apologies, I think I had a typo in my code. After I started from scratch with the app in the playbook it worked correctly. Thanks for the response.

RE: Row level security

Chris — Thu, 08 Jul 2021 20:01:30 GMT

I'm not able to reproduce that behavior of being able to access a record that is not visible via default filters. In my 21.1 instance, I still see the earlier behavior of an error when a record is not accessible via default filters (and it does not appear in the grid), which is what I would expect.

1) Accessed a record summary for process #1, saved the link

2) Updated default filters to exclude process #1

3) Refreshed the record, #1 disappeared as expected

4) Pasted the saved link into a new browser tab, received the error below as expected

RE: Row level security

Peter Lewis — Thu, 08 Jul 2021 19:56:35 GMT

The playbook article should provide a solution that limits users access, even if they navigate via URL. Did you see a change in behavior from a version prior to 21.1 after you upgraded to 21.1? Also can you provide more context on how you configured your record-level security?

RE: Row level security

Joshua F — Thu, 08 Jul 2021 19:43:33 GMT

In the past I thought the approach described in these comments, as well as in the playbook https://community.appian.com/w/the-appian-playbook/207/record-level-security-for-entity-backed-records#ExampleApp1 use to limit not only users from seeing the record instance on the record grid, but would also throw an error if they navigated to the record instance via url. I just tried this in 21.1 and it allowed me to view the record instance. Did something change?

Is there another approach that could be taken that would truly limit visibility to a record instance via an expression, and not just filter what is in the record grid list. If the user has a bookmark of the record link, or if the system has a record link outside of the record grid, then they can still hit the record.

RE: Row level security

nanfak — Tue, 05 May 2020 19:28:34 GMT

Yes,

This does the trick.

Thanks

RE: Row level security

Mike Schmitt — Tue, 05 May 2020 17:40:14 GMT

In that case i think your best bet is to create an expressionized default filter where the current user's permissions are taken into account when deciding which filter(s) to apply.

RE: Row level security

nanfak — Tue, 05 May 2020 16:02:01 GMT

There is an employees record and we're looking to filter out a number of rows from being viewed by most users. For example, only director level employees can see rows of data for other director level employees. Everyone else can see every other row.

RE: Row level security

Mike Schmitt — Tue, 05 May 2020 15:54:00 GMT

What "security" for a single row of a record are you thinking of? Could you describe your general use case a bit more?

RE: Row level security

Stewart Burchell — Tue, 05 May 2020 15:51:18 GMT

Not that I am aware of. But I think if you sat down and though about it you'd easily solve this. Security in this context means 'Authorisation' (since you've already been Authenticated). So for your specific Use Case what is it that means some Users can see some rows and others cannot?

RE: Row level security

nanfak — Tue, 05 May 2020 15:48:35 GMT

Hmmm, is there a document on this or a step by step guide?

Thanks

RE: Row level security

Stewart Burchell — Tue, 05 May 2020 14:48:57 GMT

Row-level security can be implemented by having a value from your App select/filter data by a correlating piece of data in your ow e.g. if you marked a row with a UserId that is the same as the User Accounts in Appian you could add a default filter to only select data where that UserId was the same as the loggedInUser(). Other data could be used but the principle would be the same - can you select a data item in Appian that correlated with a data item in the database.