Implemented Create better User/Group management

abraun

Member
I would like to see some improvements when it comes to user/group management. Currently only being able to assign one group to a user makes it difficult to maintain permissions. I get that the primary purpose is more 'Role' based that individual table based, but we have a lot of people that don't fit the standard role thus we have to make specific groups for an individual person.

I would like to be able to assign a person to multiple groups and if any groups overlap, use the most permissive setting from each of them.
I would use this to create permissions groups based on tables or groups of tables.

For instance, we might have a table where we have an admin that can create/read/update/delete all records in a table, another that can only update a certain subset of columns, and another that has read only access. For this case, I would create 3 groups with the needed permissions.

We have 118 tables and 292 users so far and continue to add more every day. Allowing more than 1 group per person would greatly improve the functionality and ease of managing permissions. I often get requests to add certain permissions for certain tables and by going with the role based, I have to verify all permissions the group has and if its too permissive or not enough I have to make a new group, much easier to just add the user to the groups for permissions to specific resources.

Many other applications are designed this way, just look at how active directory is set up to be flexible and goes with the most permissive options.
 
Upvote 0
This suggestion has been implemented. Votes are no longer accepted.

eugenio

Administrator
Staff member
I see your point about the multiple groups but I am not sure it worths the (huge) development efforts needed.
How many groups you have in your application?
In my experience, considering you can copy permissions from one group to another, it isn't a big effort to create a new group if I realize that none of the existing groups fit. Maybe if you can provide a specific examples it would help.

And I would be glad to hear the experiences of other users as well.

Finally, about the possibility to assign permissions to "group of tables", maybe this other suggestion I made could help:

Best,
 

abraun

Member
So far we've got 39 groups. So we have somewhat remained condensed, but it can be difficult to generalize 'Operations'. If we have 20 different sub-applications (we frequently have 2 or 3 tables together to curate dropdown lists) we are running and each has a different 'Admin' (someone who can edit all of the tables/options) then we have to create separate groups for each of the app admins and it gets even more complex if someone manages multiple of them and overlaps with other users, then we are down to creating a group for a specific person.

In a scenario where we could assign multiple groups to a user, I could create an admin permission group for the specific sub-application, then just add the user(s) to the admin group.

I've implemented this approach on several Python Flask applications I have developed.

We do love the general ease that dadabik provides to quickly and effectively give users a space to work with Data.

Just a little bit about how we use dadabik. We primarily use it as a CRUD frontend for user data entry, manipulation and as a replacement for excel files. So we typically only have 1 to 3 tables that are grouped together to form a small 'application'. Most of this data is then joined into our datawarehouse for use in Tableau.

Thanks for taking the time to consider this use case.
 

deep64blue

DaDaBIK Guru
I like the current system but I tend to have only a few groups - I have worked with systems where you can be members of different groups and my experience is that it makes applications complex and trouble shooting very difficult.
 
Last edited:

abraun

Member
I like the current system but I tend to have only of few groups - I have worked with systems where you can be members of different groups and my experience is that it makes applications complex and trouble shooting very difficult.
We use tableau for our Analytics and they have a multi group approach. Even user level permissions. Below is a screenshot of one of our report permissions pages. This uses the most permissive method. Perhaps it might be beneficial to have an interface that better allows one to see all permissions that have been granted to a specific table for troubleshooting. You can see the effective permissions at the bottom of this screenshot and this allows me to easily see who should or should not be able to access what and up top I can see the permissions that were applied. Tableau makes it very easy to see what can or cannot be done. I know this is table level and not row level, but this is a great example of what I would like to see.

1652207768252.png
 

eugenio

Administrator
Staff member
@abraun Considering that in DaDaBIK for each table/view we should show the permissions on each field for each group of users, I think a page that summarize in a "screenshot" all the permissions would be very difficult to design (too much information to show).

I am very interested in talking about possible improvements on users / groups permissions though, because I know permissions setting can be time consuming (see also https://dadabik.com/forum/index.php?threads/permission-template-for-table-and-fields.24170/)
 

eugenio

Administrator
Staff member
I had an interesting talk with @abraun and I think it's useful to add some details here to provide context to the future readers of this post.

He has a quite complex DaDaBIK application (some details here: https://dadabik.com/forum/index.php?threads/create-better-user-group-management.24302/#post-24532) that is divided into several sub-applications, each one having one or more "main tables" and several "secondary tables" used as source for dropdown lists.

Some power users are devoted to the curation of the secondary tables, however those users are not the same for all the sub-applications and the same power user could be allowed to curate secondary tables belonging to two or more sub-applications

In this particular situation, creating one "curator" group for each sub-application and assigning each power user to multiple groups (according to the sub-applications they are involved in) can make the permissions assignment easier and clearer.
 
Top