Business-defined permissions best practices?

Hello everyone.

Some of our customers regularly express the need to limit access to certain apps/features/behaviors for users, based on business-defined roles/permissions. We are not talking about Tulip instance permissions (edit an app, publish an app etc.) or roles (Account Owner, Operator etc.) here.

This implies answering several questions.

Q1) What kind of data structure should we use to store permissions?

Usually, this is done by defining a set of boolean permissions and assigning them a value (true => granted, false => denied) for a specific user. This could be done:

• directly (custom per-user rights, but this is tedious to input, repetitive and harder to maintain),
• using a role (user is mapped to a role, the role is mapped to a set of boolean values for permissions, e.g. true everywhere for an admin role)
• a mixture of both if we want to go far (e.g. we rely on the user’s role for most permissions but have user-specific values for some of them).

Role-based approach example (Role permissions table)

Role-based approach example (User roles table)

Q2) How to store permissions so they can be accessed from any app?

• a Tulip table could be fine, but it becomes impractical if user roles/permissions must be accessible across all workspaces of an instance
• a connector to a REST API or SQL database could do it but it’s much more work and setup for unclear benefits

Q3) How would the access restriction manifest?

• by limiting access to an app to users having a specific role/permission (with an “App started” trigger?)
• by limiting access to some steps in an app (with an “On step enter” triggers?)
• by limiting access to some in-app behavior (via a test in a trigger?)
• by hiding a control (is this possible?)

Currently in Tulip, it seems we must do many things manually. Any tip/thought/experience feedback about any of these questions (or other related ones) are welcome from anyone (Tulip team or not) and will be greatly appreciated.

Thanks!

Hi Fabien! My name is Kevin, and I am the product manager for our governance features. A couple questions before answering:

1. Are you familiar with the User Table? How To Update Fields on Individual Tulip Users and Operators From Apps
2. Are you familiar with App Permissions? How To Change Editing Permissions on Individual Apps

I am happy to recommend more specific solutions, but wanted to make sure you understood the different possible tools in the platform first (beyond generic roles of course).

Hi Kevin.

I had never seen user fields before. They will potentially be very useful to us! I’m taking good note of that feature. They require repetitive manual actions if we have many users and permissions though. Ideally, it would be great to be able to:

• create our own user roles containing custom permissions
• consult these custom permissions from an app

Agreed, Fabien. We are developing a “User Groups” feature to solve this at scale. Would you like to see an interactive version of the feature? Happy to do a call and get your feedback.

Hello Kevin,

Thank you for this proposition. One of my customer and I are very interested to see this! I need to ask my customer to know when they are available. I’ll get back to you here via private message as soon as I know more.

Hello @fti and others,

The “User Groups” feature is available as of LTS13, and it also includes the ability to specify access within apps to members of certain user groups.

Read more here: Create and Manage User Groups