Assigning Permissions to a User Role (2023.9)

Hey there!
Currently I'm using Corteza to create a web portal. Now I wanted to create a user role that only has access to a specific page in a specific namespace. After a lot of research I couldn't figure out how to use the permission system in Corteza to achieve my goal. Currently the users who have this role are able to access the admin area and the admin panel in a namespace even though I didn't give them the permission to do so. Can anyone explain to me how to set up the permissions so the user only has reading rights on a page and can't do anything else?

Complex answer for a simple question.

Firstly I would take note of the roles currently assigned to the user in question. Check the permissions granted to the role/s.

When setting up Corteza permissions, I would firstly familiarise myself with the hierarchy of roles.

The way I think about them in order of highest privilege to lowest is as follows:

  • system roles (like access to auth)
  • compose roles (which govern access to all compose records)
  • automation roles (govern access to workflows)
  • namespace roles (govern access to a specific namespace)
  • module and page roles (govern access to a module or a page in a namespace)
  • module record roles (govern access to records in a module)
  • module field roles (govern access to module fields)

Once you get to understand the different levels, you need to determine at which level you want to set permissions which will be different for each role.

We also take a position on what an Authenticated user (a system role) can do or see. That effectively becomes your base permission. It takes a bit of trial and error but it is important to set this system role correctly according to your business requirements.

After that we create additional “additive” roles that add specific permissions. Some of our users may have 8, 10 or even 15 roles to ensure we only give the least permission.

It is important to note that using Deny should be minimised, as it will override any competing Allow permissions.

Roles and permissions is unfortunately an area that requires a lot of time, research, trial and error to get right, particularly if you are not an expert in role-based permission design (like me).
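
A simplified model of the evaluation the answer above describes (a base Authenticated role, additive roles, Deny overriding Allow), added here as an example and not taken from the thread or from Corteza's code. The role names, resource strings and rule format are constructed assumptions; the point is to list which role supplied each matching rule, so an unexpected grant can be traced back to the role that caused it.

```python
# Simplified model of the answer's description; NOT Corteza's RBAC code.
# Role names, resource strings and the rule format are constructed.
from fnmatch import fnmatchcase

ALLOW, DENY = "allow", "deny"

# role -> list of (access, operation, resource pattern)
RULES = {
    "authenticated": [          # base role every logged-in user holds
        (ALLOW, "read", "namespace/portal"),
    ],
    "portal-page-reader": [     # additive role: one page, read only
        (ALLOW, "read", "namespace/portal/page/welcome"),
    ],
    "legacy-staff": [           # forgotten role with a broad wildcard grant
        (ALLOW, "*", "namespace/portal/*"),
    ],
    "contractor": [             # a single Deny on the same page
        (DENY, "read", "namespace/portal/page/welcome"),
    ],
}


def explain(roles, operation, resource):
    """Return (decision, hits); hits lists the (role, rule) pairs that decided it."""
    hits = []
    for role in roles:
        for rule in RULES.get(role, []):
            _access, op, pattern = rule
            if op in ("*", operation) and fnmatchcase(resource, pattern):
                hits.append((role, rule))
    denies = [h for h in hits if h[1][0] == DENY]
    if denies:                  # any Deny overrides every competing Allow
        return DENY, denies
    if hits:                    # otherwise the Allows of all roles add up
        return ALLOW, hits
    return DENY, []             # nothing granted: no access


if __name__ == "__main__":
    user_roles = ["authenticated", "portal-page-reader", "legacy-staff"]
    decision, why = explain(user_roles, "update", "namespace/portal/admin")
    print(decision, [role for role, _ in why])
```

Run against a user's real role list, the same kind of audit shows whether an unexpected grant comes from the base role or from one of the additive roles.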