# Hi, I am new to Permify

cobalt fulcrum
#

To configure your schema such that the view_ar_revenue_view action is accessible to both ar_lead and admin, but they can see different columns, you can use ABAC.

Here's how you can update your schema to achieve this:

  • Use attributes to define the different columns accessible by ar_lead and admin.
  • Define rules to check which columns are accessible based on the user's role.

entity user {}

entity organization {
    relation admin @user
    relation org_member @user
    action add_member = admin
    action delete_member = admin
    action give_permission_to_member = admin
}

entity team_ar {
    relation parent @organization
    relation ar_lead @user
    relation ar_member @user
    action edit_ticket = ar_lead or parent.admin
}

entity ar_revenue_view {
    relation parent @team_ar
    relation org_admin @organization#admin
    // list of column names this view exposes, written via the data API
    attribute accessible_columns string[]
    // request.columns is the list the caller sends in context.data of the check request;
    // the attribute is passed in explicitly because a rule only sees its own parameters
    action view_ar_revenue_view_ar_lead = parent.ar_lead and check_columns(request.columns, accessible_columns)
    action view_ar_revenue_view_org_admin = org_admin and check_columns(request.columns, accessible_columns)
}

// every requested column must be in the allowed list
// (assumes the standard CEL all() macro is available in Permify's rule engine)
rule check_columns(columns string[], accessible_columns string[]) {
    columns.all(c, c in accessible_columns)
}

In this updated schema:

  • We have added an attribute accessible_columns to the ar_revenue_view entity, which will store the columns accessible by different roles.
  • We defined two separate actions, view_ar_revenue_view_ar_lead and view_ar_revenue_view_org_admin, to distinguish access for ar_lead and admin.
  • The rule check_columns checks if the requested columns are in the accessible_columns attribute.

When performing access checks, you can pass the context with the required columns for the user's role. Here is an example of how to perform access checks using the API:

Example for ar_lead:

{
    "metadata": {
        "schema_version": "",
        "snap_token": "",
        "depth": 20
    },
    "entity": {
        "type": "ar_revenue_view",
        "id": "1"
    },
    "permission": "view_ar_revenue_view_ar_lead",
    "subject": {
        "type": "user",
        "id": "1"
    },
    "context": {
        "data": {
            "columns": ["column1", "column2"]
        }
    }
}

Example for admin:

{
    "metadata": {
        "schema_version": "",
        "snap_token": "",
        "depth": 20
    },
    "entity": {
        "type": "ar_revenue_view",
        "id": "1"
    },
    "permission": "view_ar_revenue_view_org_admin",
    "subject": {
        "type": "user",
        "id": "2"
    },
    "context": {
        "data": {
            "columns": ["column3", "column4"]
        }
    }
}

This way, you can dynamically determine which columns each role can access without hardcoding the logic in your code. Hope that makes sense.

hardy depot
#

Thank you so much, I was stuck on this for days... let me try this and see if I am able to implement it.

cobalt fulcrum
#

No worries, let me know if that solves your problem.

hardy depot
#

Okay, I tried the solution... a small correction from my end: is there a way the same action can work differently for different users, so both roles have access to the view, but I want admin to see columns X, Y, Z and the lead to see columns X, Y only?

#

Basically, is there a way I can tell my backend that admin can see these columns, lead can see such-and-such columns, and anyone else can see no columns, along with the ALLOWED or DENIED?

cobalt fulcrum
#

Interesting case. Currently we don't have a direct solution for granular control over specific columns in a resource, but implementing this logic in your backend by combining Permify's RBAC with additional logic for column-level permissions might solve this.

#

Would you be open to a quick call, at your availability, to discuss this? Also, we would love to learn more about your use case and unblock you if needed.

hardy depot
#

Sure, I am free for a call.

hardy depot
#

Also, is there any way I can know if the user I am checking authorization for is an admin or a member, as a return object, so that my backend knows how to map this role to which columns?