Security Filters for Company, vendors and users of each with Roles

AppSheet AppSheet Q&A
, , ,
1

Hello, I’m looking for assistance w/ security f

Scenario: I have multiple companies that each have multiple vendors both with multiple users each having a Role within their respective organization.

Goal: I need the Company users with the roles of Admin or Dispatch to be able to see everything and the Vendors see and manage their users and jobs assigned to their companies.

Companies will assign Vendors Jobs. The Admin (Dispatch) of the Vendor account will assign a user (driver) a job. The Driver will be able to update the job status and notes only.

Tables:
Companies, Users, Jobs, Groups

Companies Columns:



CompanyID

Company

Company_Owner

Company_Main_Contact

Company_Owner_Email

Job Columns:



Job ID

Date

Name

Route

Production_Location

Lat Long

Company Assigned To

User Assigned To

Job Type

Status

Notes

User Columns:



User Email

Last Name

First Name

Phone

Company

Role

Group ID

I’ve found multiple ways of implementing different parts of this, but am circling as a whole..

Filter by User’s Company: IN([Company Assigned To], SELECT(Users[Company], [User Email] = USEREMAIL()))

Filter by Role: IN(lookup(useremail(), Users, User Email, Role), list(Admin, Dispatch)))

Security Filter in Jobs: if(in(lookup(useremail(), Users, User Email, Role), list(Admin, Dispatch)),
“ALL_CHANGES”,
“UPDATES_ONLY”
)

if(
AND([Company]=LOOKUP(USEREMAIL(),Users,user email, company),
in(lookup(useremail(), Users, User Email, Role), list(Admin, Dispatch))), “ALL_CHANGES”,
“UPDATES_ONLY”)

If I limit the user’s table for the companies to see their own, that works but in the jobs table the rows show the broken links to the jobs that they shouldn’t see that belong to other vendors.

I am especially struggling at the customer level for the customer to see everything if they have the role of admin or dispatch as well as manage vendor accounts. I feel like I need to break tables out to companies and their users and vendors and their users but I see so many formulas that make it seem possible with less tables.

I’ve also started these tables but have not used them yet as I don’t know how far I need to break down the tables to achieve my results:
Vendors
Managers
Routes
Locations

Any assistance is greatly appreciated!

ZOCO_Unlimited_2-1696712898833.png
ZOCO_Unlimited_2-1696712898833.png662×357 14.8 KB

if(
AND([Company]=LOOKUP(USEREMAIL(),Users,user email, company),
in(lookup(useremail(), Users, User Email, Role), list(Admin, Dispatch))), “ALL_CHANGES”,
“UPDATES_ONLY”)

ZOCO_Unlimited_0-1696712608929.png
ZOCO_Unlimited_0-1696712608929.png773×342 19.7 KB

ZOCO_Unlimited_1-1696712627731.png
ZOCO_Unlimited_1-1696712627731.png867×323 39.4 KB

(reposted, was in wrong category)

2

The easiest way to handle Security Filters in a multi-tenant app, is to identify the tenant table…in your case that seems to be the Companies table…and filter off of that tenant table for all other associated tenant data. This means clearly assigning the tenant/Company on all associated data tables - which it seems like you have already done.

The idea then is this…

The Companies table would be filtered by the logged in user with a filter like:

[Company ID] = Current User[Company]   

Where CurrentUser is a Slice derived from the logged in user but it could just be a LOOKUP() or SELECT() instead of a Slice. However, I think you’ll find that you need access to the logged in user info all over the app so a Slice IS the way to go.

Then with all other data tables that need filtered including a Company column, their filter expressions would be something like:

[Company] = ANY(Companies[Company ID]) 

This assumes there will always only be a single Company the user will be viewing.

If a user can, for some reason, view multiple companies, then you would adjust these expression to use IN() functions instead.

This approach will greatly simplify the Security filtering and make it more efficient. Hopefully it will also eliminate the struggles you are having with the complex expressions.

I hope this helps!

3

Thank you for your response, I started with the current_user slice, this is the error that I received:

ZOCO_Unlimited_0-1696773712757.png
ZOCO_Unlimited_0-1696773712757.png547×247 14.5 KB

Tested on the Jobs table as well:

ZOCO_Unlimited_2-1696774243660.png
ZOCO_Unlimited_2-1696774243660.png596×167 12.6 KB

Current user slice for reference if needed:

ZOCO_Unlimited_1-1696773887453.png
ZOCO_Unlimited_1-1696773887453.png468×241 12.7 KB

Users: Company Column

ZOCO_Unlimited_0-1696776421328.png
ZOCO_Unlimited_0-1696776421328.png527×442 20.8 KB