Groups

Groups are collections of users which you want to share equal access, but the relationship doesn’t warrant the creation of a specific role. Group based permissions can be achieved with Submission Resource Permissions.

Note: Only users with edit access to a group can add users to the group itself.

Group Structure

Groups can be configured in three ways:

  • Groups and Users (Resources)
    • Add Users to groups on creation
  • Groups, Users, and GroupUsers (Resources)
    • Add Users to groups after creation
  • Groups, Users, PublicUsers, and GroupUsers (Resources)
    • Allows non-Administrative users to create and maintain groups of users.

The benefit of using a third and forth resource, PublicUsers and GroupUsers, is that they act like join tables and allow you to make groups at will. With four resources, you can safely allow non-administrative users to configure groups (selectively filtering sensitive data). Since non-administrative configuration is most commonly used, we will cover that here. Below are the following Required resources, their components, actions and any permissions, necessary for Groups to work; You may add any additional components and actions that you would like.

Note: Making a Group Resource, with a multi-select for users wont properly propagate the permissions, you must use the GroupAssignment Action for Group based permissions.

Users (Default Resource)

Components

  • Email (Email component)
  • Password (Password component)

Actions

  • Save Submission Action

Submission Permissions

  • Anonymous Users
    • create_own
    • read_own
    • update_own

Groups (Resource)

Components

  • Name (Text component)
  • Users (Select / Resource component -> GroupUsers)

Actions

  • Save Submission Action

Submission Permissions

  • Authenticated Users
    • create_own
    • read_own
    • update_own
    • delete_own

PublicUsers (Resource)

Components

  • User (Select / Resource component -> Users)
    • Each user should be able to read their own submission via the read_own permission.
    • Use the select fields to only grab each _id, and each email

Submission Permissions

  • Authenticated Users
    • create_own
    • read_all
      • Each user should be able to see all the submissions, so they can see the pool of users to add to their group.
    • update_own
    • delete_own
      • Allows a user to remove themselves from the pool of users available to assign to groups

GroupUsers (Resource)

Components

  • Group (Select / Resource component -> Groups)
  • User (Select / Resource component -> PublicUsers)

Actions

  • Save Submission Action
  • Group Assignment Action

Submission Permissions

  • Authenticated Users
    • create_own
    • read_own
    • update_own
    • delete_own

Making PublicUsers

The PublicUsers resource is important, because it allows you to proxy non-sensitive data from the User Resource into a separate Resource which is publicly available to your users.

PublicUsers can be created programmatically or by each user, with benefits for each. If you choose to do it within your app, then you can make all users available for group access. If you choose to make each users enable it, then it can be a premium feature, or you can allow users to turn their group access off.

Without the PublicUser resource, then groups are dependent on Administrative users for configuration or you need to make your user table available to Authenticated users with read_all, which you don’t generally want to do!

Making GroupUsers

GroupUsers are the link between each Group and User. Through the GroupAssignment action, each group and user is linked together to share permissions on designated resources. To link a user to a group, the user submitting the form, must have edit access to the group, that is to say they must have a role with update_all/update_own or be assigned with write/admin permissions through resource submission permissions.

Assigning Group Access

To assign group access, you need to include a Group Select or Resource component in the Form where you would like to grant group access.

Note: You can hide this field during the form render if desired.

Once the Group resource has been attached to the form, the access settings for the form must be updated. In the form access page, use the Submission Resource Access panel to select your group component.

Once the Access is configured you may add group permissions to any new or existing submission to the form, by selecting the group which should have access (Enabling multiple will also work for multiple groups).