This article describes the best way to control access to apps for end users.
Overview
For end users of a PhixFlow application, we recommend that access to PhixFlow itself is restricted. You can ensure that users can only access applications as follows.
- Set up an App User role with only essential privileges; see App User
- Assign application users to the App User role. They will have no access to the repository lists of dashboards, views, streams or any other modelling objects.
- Configure a default dashboard to act as a landing page when the user logs into PhixFlow; that is, set a default dashboard for their User.
- Ensure that all the navigation that they require is available in the application's menu options or Action buttons on dashboards.
Considerations for app building
This means that while building an app, for each type of user you must:
- Consider all the dashboards that they need to be able to see
- Determine the routes that allow them to get to these dashboards from their landing page
- Add buttons to dashboards as needed to allow users to follow these routes
- Leave access open to:
  - dashboards: Public ticked; All Users Can View Data ticked
  - streams: All Users Can View Data ticked
  - views: All Users Can View Data ticked
- Close access to actions: untick All Users Can Run Action
Restricting access to dashboards, streams and views can be useful in some cases, but it is not required when you put apps together using the method described in this article. End users can only navigate to these components via action buttons, and their access to action buttons is controlled. If you do restrict access to these components, you will need to add these privileges to the relevant user groups, and this can easily become complex and hard to manage.
Controlling access via action buttons
With this in place, access to apps can be controlled as follows:
- Build up a series of user groups that represent roles
- To each user group, add access to the action buttons that give access to the tasks and routes to other dashboards required by this role. Only associate the privileges specifically for this role, not for this role and everything “underneath” it
- At least one user group must contain the role App User - for clarity, it is best if the App User is only in one of the user groups added for users (commonly via an "App User" user group)
- Layer the user groups onto the users so that they end up with the access they need
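
The rules above can be checked mechanically once the configuration is written down. The following is an added example, not PhixFlow code: it audits a constructed set of actions, user groups and users against this article's rules and computes each user's effective action buttons as the union of their layered groups. The dictionary layout, group names and action names are assumptions made for illustration and are not a PhixFlow export format.

```python
# Constructed sample configuration; the dictionary layout is an assumption,
# not a PhixFlow export format.
ACTIONS = {
    "open_orders": {"all_users_can_run": False},
    "approve_order": {"all_users_can_run": False},
    "open_reports": {"all_users_can_run": True},   # left open by mistake
}
GROUPS = {
    "App User": {"roles": {"App User"}, "actions": set()},
    "Order Clerk": {"roles": set(), "actions": {"open_orders"}},
    "Order Approver": {"roles": set(), "actions": {"approve_order"}},
    "Legacy": {"roles": {"App User"}, "actions": set()},
}
USERS = {
    "alice": {"groups": ["App User", "Order Clerk", "Order Approver"],
              "default_dashboard": "Orders Home"},
    "bob": {"groups": ["Order Clerk"], "default_dashboard": "Orders Home"},
    "carol": {"groups": ["App User", "Legacy", "Order Clerk"],
              "default_dashboard": None},
}

def effective_actions(user):
    """Union of the actions granted by every group layered onto the user."""
    granted = set()
    for group in USERS[user]["groups"]:
        granted |= GROUPS[group]["actions"]
    return granted

def audit():
    """Return a sorted list of findings against the rules in this article."""
    findings = []
    for name, action in ACTIONS.items():
        if action["all_users_can_run"]:
            findings.append(f"action {name}: All Users Can Run Action is ticked")
    for name, user in USERS.items():
        sources = [g for g in user["groups"] if "App User" in GROUPS[g]["roles"]]
        if not sources:
            findings.append(f"user {name}: no group provides the App User role")
        elif len(sources) > 1:
            findings.append(f"user {name}: App User role comes from {len(sources)} groups")
        if not user["default_dashboard"]:
            findings.append(f"user {name}: no default dashboard (landing page)")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit():
        print(line)
    print("alice can run:", sorted(effective_actions("alice")))
```

Because groups carry only their own role's privileges, a user's access is exactly the union shown by `effective_actions`, which makes it easy to review what each combination of groups grants.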