From our early testing one thing, almost everyone came back with one feature we didn’t expect to be important. Permissions.
We spent a lot of time designing culminating in an in-depth post about designing user permissions. We want it to provide the granular control most tech companies need while at the same time being relatively simple.
Heres a quick 1-minute demo of what we’ve built:
Users & Roles
As a starting point, we’ve opted for RBAC users and roles. We have used ACL (like google drive) in past products but it gets complicated fast and we wanted simplicity.
For users you can:
- Create a user;
- Assign them to a group;
- Activate/deactivate their account;
- Set their password;
For teams (groups) you can:
- Set groups of abilities (more lower in post)
Most of the people we spoke to said that any permissions would be a significant improvement. Only very large enterprises wanted per user granularity and we have other ideas on how to solve for why they want that.
Access to content
The question we asked ourself was if we gave every team in a company full access to all of the databases what would we want to be able to restrict?
Firstly, we would with broad strokes want to be able to control which tables people can access. In a lot of cases, this is as far as in-house admin panels go. So here we created ‘enable/disable’ switches per table.
Finally, we might want the granularity of being able to control what they can do with data in those tables. So we added View, Create, Edit and Delete checkboxes per table.
Note: Currently the app only allows CRUD via DB, a further version will allow CRUD via API. Currently, we’re planning on basing the permissions on the fields in the database rather against the API.
The next thing after content that we looked at was what we would allow users to do. For simplicity, we have grouped these into three broad groups.
- Change general settings;
- Add/remove users;
- Add/remove databases;
- Set permissions;
- Edit settings related to tables e.g. fields and mapping;
- In future edit layouts and how some information is displayed;
- User can export data from any table;
- The number of rows the user is allowed to export;
The last one there was added to provide what most data protection authorities such as the ICO in the UK, GDPR in the EU and CCPA in California would consider as adequate controls to prevent data leakage.
We have plans to go further in this area but for now it significantly better than most companies we’ve talked to have in place today.
We’re happy that for now permissions is finished for v1. We’ll take feedback once the product is live and see what if anything needs to be changed.
We’re working on building the ability to connect to multiple databases. It should be ready in around two weeks.