Is filtering records by USER already built in as a REI3 feature?

rfernandez

Hi,
I need to implement a record filtering feature based on the logged in USER and some GROUPS he belongs to. (which are part of the USER information)
That is, a logged in user should only see his own records, and the records that belong to the groups he belongs to.

From what I've understood, the USER that you manage in the Admin UI is not a USER but only a login(user). Is that right?
However in the ADMIN UI there is a form with a lot of data related to the USER to fill in. (and the corresponding tables in the app schema in the database)
In order not to rebuild something it is already there I'd like to use this information to do the filtering. Is there any reason for which you wouldn't recommend doing so? (I ask because from other posts I kind of get to the conclusion that you have to create your own USER ecosystem in order to to that, which does not seem very logical since you already have a ROLES/USERS system already in place). Did I get it wrong?

In case the sole purpose of the existing ROLES/USERS is to grant access to the REI3 Features and Application Menus and Features, how would you recommend to proceed with the implementation of the by USER filtering?
Do you also have to manually include a GROUP and USER fields in each table you want to filter?

I'm eager to hear you recommendation on this matter, as at first glance the use case seems to be contemplated natively by the platform, but later on once you dig deeper, some doubts arise, and I'd like to be confident in my understanding of the built in capabilities in this matter.

Thank you!

gabriel

In short:

A user is an entity that is allowed to log into r3. It can be created manually, imported from ActiveDirectory (or other LDAP sources) or be created during OAuth login.
Users have meta data (firstname, lastname, organization, etc.), which can be set manually or imported from identity providers.
The user as well as its meta data is, at first, disconnected from any r3 application. It just exists for the instance (ie. the r3 system) to manage authentication.
Many use cases that r3 apps need to address however require that users are connected to data in some fashion. There are roles in r3, but these only define the general user permissions (menus, forms, basic data permissions). What roles do not do is to define what a user can do in relation to specific data. This is usually not possible to define globally, as apps often need complex permission systems (user groups, resource owners, approvers, and so on). In some apps, an approver role can see all data for example, but many apps define that approvers are only approvers if they are the department head of the requestor. And many more complicated examples like that.
To enable this, you need users being represented in r3 apps as their own relation so that relationships between entities (users, groups, permission levels, departments, supervisors, ...) can be modelled. In the past, you had to manually create these user records in your r3 app and then connect them to users via the admin panel - nowadays you can use the user sync to make this automatic.

To directly answer your question:

Users almost always need to be modelled in r3 apps so that relationships to data are possible.
Best practice is to use the user sync to create user records automatically, when users are created/imported/updated in the r3 instance.
But you do not have to do any of that, if you use standard apps, like REI3 Organizations. This app has user sync and the relation contact is used to represent users in many r3 apps. If you can/want to build on REI3 Organizations, you just refer to contact for your user needs.
If you do not need a permission system, where it matters what record can be edited by whom - you do not need policies in the first place. These only help you limit access based on relationships in your r3 apps. If do not need them, no need for policies. If you do need them, you need to have your users represented in r3 apps - either in your own app(s) or in REI3 Organizations.

rfernandez

Hi Gabriel,

Your "In short" explanation is crystal clear.
I managed to make the user_sync work. When I create a user in the Admin UI it creates or updates a user in a custom user relation I created in my app.

However for the record level fltering, what should I do?
If I have to manually create the filtering attributes in each relation I want to filter, (like adding a user, and group columns in each table), then create a filtering function in the backend that uses these fields to return a list of IDs that match these values for the current user, it is basically the same as coding a generic where condition in the postgresql backend select function for that tables, that uses these attributes to filter the query.
Not to mention that I should have to save that information every time I save each record, which has to be manually included in each Form or whatever artifact you use to save these records.
Is that the way it works?
I hope I'm wrong, because otherwise there is no value added, as it is basically the same you would do if you have to code it from scratch in any platform, or in plain code.

I'm really hoping for you to prove me way wrong ;-).
Thank you!
Warm regards

gabriel

rfernandez Your "In short" explanation is crystal clear.

As short as I can make a complex topic. :)

But to your question. No, you do not need to put filtering attributes on all relations, at least it´s highly unlikely. In most applications only a couple of primary entites need to be filtered - often it´s just 1. Even if you need to filter multiple relations, already existing relationships can be used to resolve things like ownership of records.

Example:
In a task management app, you might have dozens of relations - but many of these are for customizable states or to store membership in access groups. In many cases, configuration or membership relations are restricted to roles as only some users should be able to modify them at all - no need to filter on a per-record base.

In some cases, per-record filtering is required however. Like for the relation task in our example. It has an owner, which can be defined by having a relationship to a user relation. Child entities of a task (such as task notes, sub tasks, or check lists) belong to a specific task. So if you need to filter these, you would resolve the parent (ie. the task) - and by knowing if the current user has access to a task, you know if they have access to the corresponding child entities. In other words, you do not put a relationship to a user relation on all child relations, you check the parent and know the user this way using the relationship between parent & child (like between task and task note).

In most apps, there are a few relations where ownership of records is defined directly, sometimes there are n:m relationships like for group or team access, but that´s about it. Even in extrem cases, there might be a couple of policies, because multiple levels of ownership, groups memberships, substitutions and supervisor access exist.

Regardless of no-code or written in plain code, you need to define complex access if it´s required - there is no short cut because no system can guess how your access system is supposed to work.

If you find that you need to create policies for all relations, than you are likely doing something very wrong. I´ve never seen an application where every relation needs to be filtered. And where you store ownership/access in the form of attributes, should only ever follow what your permission system requires - everything else is resolved via relationships.

rfernandez

100% agree. At this point I should rephrase my question.

Whatever you need to filter, you have to do it manually, by adding the corresponding fields to the main subject table, being Tickets, Orders, or whatever, and as this table will be in the center of every query it will be enough to filter the records in this table.
The key concept is here is "manually". That means that you have to build the functions that will apply these filters to the table and return only the records that match that filter. In the case of REI3 this will be the function associated with he Policy for that table,. The function will return the valid records and the Policy will enforce that any operation of that table applies the filtering funciont.
The same applies if you need a more complex filtering system that involves filtering by user and groups to where users belong.
You need to have the fields that will be used for filtering in the table to be filtered, and then build the backend function and associate it with the Policy,

Have I got it right now?
If so, what I have left is to undestand how to use the policy in order to allow the current user to query, modify, only the records he is allowed to work with (being the filter using his userid or any other attribute like group or organization, etc.)

In summary, whatever you put in the Relation Policies are ad-hoc functions that respond to your definition of hierachies and filtering criteria for your application. There is no pre.-build filtering system , just the possibility of applying your filtering, system-wide to that table. I guess that on every attempt to use that table the system will force to apply the Policy, which in practice will apply the filtering through the postegresql function, using the current user and other user attributes, and return an array of the records that match.
That filtered dataset will be returnes in the query you define in for example your forms, of data fields.

Please let me know if I'm getting closer, or hopefully already there. :-)
And if this is the case, I willl appreciate a lot if you point me to any of the standard application/part of the application in which I can see how to get the userid an other user attributes, and how to use them in the ad-hoc Policy function to allow it to filter the records in everyt attempt to access the target table.
Thank you!!

gabriel

rfernandez The key concept is here is "manually".

I take slight offense with the word manually here ;)

It does not matter what software you use or if you write it yourself from scratch - any solution will require you to define your conditions if you need them. r3 has one of the simplest solutions I´ve come across, when it comes to complex permission systems. Many systems will require you to re-define these on every view, be it lists, forms, etc. Easy to forget and a lot of work to update. Even when writing them from scratch, you will need to implement complex access permissions and apply them everywhere it´s needed - helper functions or access methods are then often used, pretty much the same way r3 does it by offering a central place to define the access.

Policies in r3 enable you to define these restrictions in a single location, applied everywhere automatically and enforcing it wherever you deal with data. They work with the same syntax and the same DB access, you can use everywhere else in r3.

rfernandez There is no pre.-build filtering system

That is literally what r3 policies do. It´s a pre-built system that is automatically applied everywhere where it´s relevant. The only "unique" thing about it, is that it does not serve you a pre-defined structure of things (like hierarchies, such as departments and other organizational structures) that might or might not work with the structure and requirements of your application. You are free in defining access based on any chosen structure (ie. relationships in your app) - which can model your organization, regulatory requirements, best-use dates of your products, countries of origin of supplier provided material, and anything else.

rfernandez I willl appreciate a lot if you point me to any of the standard application/part of the application in which I can see how to get the userid an other user attributes, and how to use them in the ad-hoc Policy function to allow it to filter the records in everyt attempt to access the target table.

Please have a look at any of our standard applications in the repository that use policies. Examples are REI3 Tasks, REI3 Tickets, REI3 Password Safe, REI3 Kanbans. It works by using instance functions that tell you, who is currently logged in, if they have specific roles and so on. The rest is SELECT statements.

Here is an example from the app REI3 Kanbans. It uses a backend function from REI3 Organizations to get the contact ID of the currently logged in user (you can look at that function too). This of course works when your app builds on REI3 Organizations. As you have your own user relation, you would use the instance function instance.get_user_id() to get the ID of the currently logged in user - it must match with the user ID on your user relation. The rest is just SELECTs looking up the record IDs of everything the current user may access (or not if blacklist policy) based on your defined access rules (may access if in department, if substitute of owner, if part of team that is managing that record, ...).

$BODY$
DECLARE
	_contact_id INTEGER;
BEGIN
	_contact_id := {lsw_organizations}.[get_contact_id_by_user]();
	
	IF _contact_id IS NULL THEN
		RETURN ARRAY[]::INTEGER[];
	END IF;
	
	RETURN ARRAY(
		SELECT k.(lsw_kanbans.kanban.id)
		FROM {lsw_kanbans}.[kanban]        AS k
		JOIN {lsw_organizations}.[contact] AS c ON c.(lsw_organizations.contact.id) = k.(lsw_kanbans.kanban.owner)
		WHERE k.(lsw_kanbans.kanban.owner) = _contact_id
		OR    (
			k.(lsw_kanbans.kanban.share_department) AND
			c.(lsw_organizations.contact.department) = (
				SELECT (lsw_organizations.contact.department)
				FROM {lsw_organizations}.[contact]
				WHERE (lsw_organizations.contact.id) = _contact_id
			)
		)
		OR    EXISTS (
			SELECT 1
			FROM {lsw_kanbans}.[kanban_team_share]
			WHERE (lsw_kanbans.kanban_team_share.kanban) = k.(lsw_kanbans.kanban.id)
			AND   (lsw_kanbans.kanban_team_share.team)   IN (
				SELECT (lsw_organizations.team_contact.team)
				FROM {lsw_organizations}.[team_contact]
				WHERE (lsw_organizations.team_contact.contact) = _contact_id
			)
		)
	);
END;
$BODY$

rfernandez

Hi Gabriel,I
My deepest apologies for the use of the word "manually", I never meant it to be an offense. It is just that manually for me means coding (my nemesis 😉)
I'm completely aware of the advantage of having to define only once the filtering function related to a table (relation), and that that definition will apply whenever you use that relation. That is the beauty of Policies.

At first glance what confuses me a bit is the fact that in a regular query you filter out records that do not match certain condition in the where condition, and in the case of policies, it seems the Form query (the one with which your work on your forms or data fields) filters on the basis of matching the array of IDs returned by the policy along whith any other filters you might have used. (unless I got it upside down). I didn't get to the point to understand if this filtering mix happens automatically
For example if in my List query in my Form I select all records from table Orders without any filter (and the orders records have an userid attribute), the policy will take charge of returning only the records belonging to the current user, that is matching the userid.

I need to be honest about the fact that up to now I haven't been able to conduct a case from point to point, that is from defining the query for the form or data field, on a relation that has a Policty, and see the practical effects of not having to worry about the user or group in that query, but to receive the mixed result of the query, that will ask for all the records of the relation and only receive the ones filtered automatically by the Policy.

Definetely I'll have to study the examples you mentioned, and the one you provided in your answer.
I know it will take me some time ,as fjguring out, and putting together pieces of code is problably what challenges me the most. But I'll put the required effort on it.

Thank you very much!
Best regards!!

gabriel

rfernandez I didn't get to the point to understand if this filtering mix happens automatically

The filtering is applied anywhere data is accessed. In forms, lists, calendars, APIs, charts, collections, and so on. Only exception: In backend functions - here the author might need to get access to data that the current user usually does not have access to. But even in this case, the author can directly use the policy filter function in SELECT requests, if need be.

Frontend filters (ie. filters on the form, lists, relationship input fields, ...) are always applied in addition to policies. The frontend does not even apply policies itself, because the frontend (as it´s in the browser) can be manipulated by a smart user.

rfernandez For example if in my List query in my Form I select all records from table Orders without any filter (and the orders records have an userid attribute), the policy will take charge of returning only the records belonging to the current user, that is matching the userid.

Yes, it does not matter if the list query filters or not - a policy is applied in the backend. This is part of the appeal of the feature - even row counts are affected so a user that should not see data, does not even know it might exist.

Try to build the simplest policy you can and check the result. Once you can manage your policy, you can piece-by-piece add complexity where needed.

rfernandez

Well,... things are moving on
I have the users synchronized, each time a user is created in the Admin UI a user is created in the App user table.
I have the Orders table filtered by a policy that applies every time a query is executed on that table (regardless of other filters that might be present)
Final step, or mayble close to it :-), how do I automatically insert the user_id every time I create a new record in the Orders able ? My guess is a trigger, but I just wanted to confirm it is the right choice, because from my former experience as DBA, triggers are sometimes silent killers, in the event you forget they are there.

Thank you!!

gabriel

rfernandez

Triggers is one option. The other is just relationship input fields with default values.

What we do in our apps: We have a collection for the user relation (REI3 Organizations: contact) which fetches only the record that belongs to the currently logged in user.

On relevant forms we have an input field for the relevant relationship (like task owner or absence requestor), which is auto-filled with the user ID from the collection (field option: Set default value from collection). This input field can be set to readonly so that it´s not overwritable by the user.

Having a collection like this is very handy, because it is fetched once when a user opens r3 and can be used again and again wherever you need data for this user.

rfernandez

Yupiii!!
Got them both working!!
I have never used collections before, but now I see a clear use case for them.
Thank you very much!