Mastering AppSheet: Role Management Strategies

‍

What is Role Management?

Role management allows app creators to define different access levels for users based on their roles within the organization or the app. This is one of AppSheet’s greatest strengths, offering the finest possible granularity in management!
AppSheet enables control over actions such as adding, editing, deleting, and viewing. You can control these actions on rows, columns, or even combine them for pixel-perfect management. ⭐
When working on a shared Google Sheet, your only option is to grant either view or edit access. However, with AppSheet, in an invoicing app, for example, we could implement the following rules:

• A user cannot view everyone’s invoices.
• A user can only edit invoices they’ve created, except for the validation field, and they cannot delete them.
• The manager can view all team invoices, can only edit the validation field, and can delete invoices.
• Only certain people can view internal comments on an invoice.

Let's see how this scenario can be implemented. There are several ways to do it!

Defining Roles in Your App

If you only need two roles (Admin and User), AppSheet offers a function called USERROLE(), which returns the user’s role (Admin or User) based on the app’s settings.
➡️ Check out the documentation here for best practices: USERROLE() Documentation

If you need more than two roles:

• You can have a Users table with an “Enum” type column for the role.
• You can base your app on Google Groups and assign a role to specific groups.
• You can base your rules on other fields, such as Department or Entity.

Deep Dive into "How It Works..."

In this article, we will cover two examples of Role Management:

• An example using two roles with USERROLE() (Admin and User).
• An example using three roles (Admin, Manager, Member).

1. Create roles either in a user table or by assigning them to groups (if using Google Groups).
   Here, we’ll define the access control rules. The rules are applied to your data rows, columns, or actions on the data (Delete, Create, or Update).
   There are several levels of access management:
   • Security filter
   • Table filter
   • Slice filter
   • Column filter

‍

Choosing the Type of Filter

2.1 Security Filter

This is the highest level of access management, and it only concerns data rows, not columns or actions. For each row in the table, you can define whether the current user can access it or not.

‍

In this example, we use two roles with USERROLE() to allow access to the row only if the user is the invoice owner, the manager of the owner, or an administrator.
This setup allows users to see only their own invoices, while administrators or managers can also view them.

2.2 Table Filter

The Table filter is at the same level as the Security filter but is only used to define rules regarding actions on data (such as deleting, creating, or updating).

We see above that, at the table level, a formula can specify the level of granularity for each action.

In the image above, we use the LOOKUP function to retrieve the current user's role.

• If the current user is a manager, they can only update the table data.
• If the current user is an administrator, they can perform any operation.
• For other users (Members in our example), they can only read the table data.

2.3 Slice Filter

Slice filters let you create rules that apply to your data (rows and columns) as well as actions on the data (delete, create, or update). In terms of performance and security, it’s preferable to use security filters and table filters.

In the image above:

• "Row filter condition" defines whether the current user can access each row in the table (similar to the Security filter).
• "Slice Columns" defines which columns should be present.
• "Slice Actions" defines which actions are available for this slice. The advantage of using a slice is that you can set different rules for your custom actions (such as "Compose an email") and not just on basic data actions.

Let’s take a closer look at the condition in the “Row filter condition” field:Table Row Filter Condition

This condition allows us to populate the Slice only if at least one of the following three conditions is true:

• The current user is part of the team via the [TEAM_MEMBERS] column.
• The current user is the team’s manager via the [MANAGER] column.
• The current user is an administrator via the [ROLE] column.

This setup would allow displaying the team(s) related to a user, facilitating invoice reviews, especially if the user manages multiple teams.

2.4 Column Filter

In the table, you can define for each column which columns should be displayed based on a formula. You can use this feature to restrict access to certain columns for specific users.

In the image above, we restrict the view of the "Internal Comments" column to certain individuals. If desired, you can also filter using various conditions.

This formula allows us to display the column containing internal comments, which should only be visible to a select group of people. We verify whether the logged-in user is the manager of the invoice owner, an administrator, or a member of the HR team. This lets us restrict the read access to certain fields.

You can also restrict the write access to the column using the Editable property.

As seen in our example, only the manager can modify the "Validation" field of an invoice, provided the invoice was issued by a member of their team.
We check this using the formula in the Editable field, as shown above. This lets us restrict the write access to certain fields.

Moreover, if you wish to use the tab view via a Show-type column, keep in mind that columns may appear even if they are empty.

Conclusion

In conclusion, there are several levels of filters within an AppSheet app, each with different advantages and consequences for your application. However, be careful to use the correct filters, as improper use may quickly make your app difficult to maintain or lead to performance issues.
💬 Feel free to contact us at Idun Group to explore your use cases together or arrange a live demo!

‍