Environment based user restrictions

Hi everyone,

We have 2 issues as highlighted below:

Problem 1:

We have set up 4 envs in Retool, and the way our permissions work is that when a user logs in using our login flow we save the entitlements received from our APIs into local storage, and these are then used to drive which components are visible to the user.

This is fine for a 1-env setup, but we have a 1-1 mapping of envs and entitlements. So even if we save all 4 sets of entitlements in local storage, we are not sure how to reference a specific set of entitlements based on the env selected.

Problem 2:

As I have mentioned above, we intend to save the entitlements in local storage for all envs, but since we need to allow people to switch envs, it opened the apps in an unauthenticated state (so nothing would load).
To solve this we implemented an auth verification endpoint which automatically triggers our re-auth process.

The issue is that we were saving the entitlements via a login page where we had added a success handler on the auth component to save entitlements in local storage. Now, since this page is being skipped as Retool redirects the user to our internal login page directly, we are not sure how to prompt the system to save entitlements when the user completes authentication for whichever env.

I understand this is a long post; I would be happy to give more details as required.


Hi @Ritik_Garg, the approach we're taking to manage access and restrictions for different user types in our apps might work, but its complexity could lead to bugs, and potentially, allow access to an unwanted user. We strongly recommend setting up User attributes for this purpose. Once they are set up, you could display components based on current_user.metadata.<attribute_name>.


Hi Paulo,

Thanks for your response. As far as I can understand, the solution suggested works for a 1-env setup or where attributes are the same across all envs. Our users can have varying user attributes based on the environment.

e.g. let's assume there is a module called reports with write access and I name it reports.write.
As per your explanation, this attribute will be associated with someone at a user level and is environment-agnostic. This means that I cannot control what the user sees based on what environment they are in.

Thank you for expanding on your use case, could you share an example of all the environment - entitlement relationships for one user? In addition, how often do they change? Perhaps we could have a "relationships" join table where we have:

user_id, environment, entitlement columns. Once they log in, we could pull all relationships for that user, and render in the selected environment if the required entitlement is present.
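As an added illustration of the join-table idea above (and of the original poster's problem 1, keeping one entitlement set per environment), here is example JavaScript that is not code from the thread or from Retool: it takes rows shaped like the proposed `user_id, environment, entitlement` table, groups them per environment once after login, and answers a component's visibility check for the currently selected environment. The row data, the function names (`entitlementMap`, `entitlementsFor`, `canSee`) and the environment list are assumptions made for the example; in a Retool transformer the user id would come from `current_user` and the environment from whatever selector the app uses.

```javascript
// Added example, not from the thread: environment-scoped entitlements
// resolved from a (user_id, environment, entitlement) join table.
// All names and sample data below are assumptions for illustration.

// Constructed sample rows, one per user/environment/entitlement relationship.
const relationships = [
  { user_id: "u1", environment: "dev",     entitlement: "reports.read"  },
  { user_id: "u1", environment: "dev",     entitlement: "reports.write" },
  { user_id: "u1", environment: "staging", entitlement: "reports.read"  },
  { user_id: "u2", environment: "prod",    entitlement: "reports.write" },
];

// The four environments the app knows about (assumed names).
const KNOWN_ENVIRONMENTS = ["dev", "staging", "uat", "prod"];

// Build { environment: [entitlements...] } for one user, once after login.
// Every known environment gets an entry, so switching envs never hits an
// undefined key; an environment with no rows maps to an empty list.
function entitlementMap(rows, userId) {
  const byEnv = {};
  for (const env of KNOWN_ENVIRONMENTS) byEnv[env] = new Set();
  for (const r of rows) {
    if (r.user_id !== userId) continue;          // rows for other users are ignored
    if (!(r.environment in byEnv)) continue;     // unknown env names are dropped, not trusted
    byEnv[r.environment].add(r.entitlement);
  }
  for (const env of KNOWN_ENVIRONMENTS) byEnv[env] = [...byEnv[env]].sort();
  return byEnv;
}

// Entitlements for one user in the selected environment.
// Default-deny: an unknown environment or a user with no rows yields an empty set.
function entitlementsFor(rows, userId, environment) {
  const byEnv = entitlementMap(rows, userId);
  return new Set(byEnv[environment] || []);
}

// What a component's "hidden" property would evaluate as !canSee(...).
// The required entitlement must be present for this exact environment;
// having it in another environment does not carry over.
function canSee(rows, userId, environment, required) {
  return entitlementsFor(rows, userId, environment).has(required);
}

// Stand-alone demonstration.
console.log(entitlementMap(relationships, "u1"));
console.log(canSee(relationships, "u1", "dev", "reports.write"));     // true
console.log(canSee(relationships, "u1", "staging", "reports.write")); // false
console.log(canSee(relationships, "u1", "prod", "reports.read"));     // false
```

The point of building the whole map up front is that an environment switch then only changes which key is read, rather than re-running the login flow; rows naming an environment the app does not recognise are discarded rather than granting anything, and a missing entitlement always resolves to hidden.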