I'm playing with RBAC for an external app, and to that end I'm curious to know if variables or user attributes are stored server side.
I'm thinking of using variables or user attributes to disable/hide components.
Also open to other approaches to RBAC.
Hey @ferret141,
I think this is a good approach.
Attributes are secure by default: bad actors cannot spoof data passed into queries that reference attributes.
From docs
I've done RBAC using attributes and I'm quite happy with it.
Darren
March 7, 2025, 2:21am
3
Agree with @MiguelOrtiz that user attributes are the more secure option, for the reasons mentioned above.
Confirming for my peace of mind. My understanding is that:
User attributes are fed into queries and workflows server-side.
For anything initiated client-side, spoofing checks are done against the user attribute values sent in.
This includes the hiding/disabling of components.
However, no checks are done against variables. But are they ever stored client-side?
It looks like I don't have access to the User API on the Business plan to set the attributes dynamically.
Any recommendations?
Thanks
Darren
March 12, 2025, 6:28pm
6
Yes - the values of the user attributes referenced within a query are validated server-side in order to prevent spoofing.
ferret141:
Any recommendations?
There is a separate set of endpoints specifically for interacting with user attributes that is accessible on a Business plan.
@Darren, no success unfortunately.
Is our account stuck in some legacy mode?
Darren
March 17, 2025, 5:36pm
8
It looks like you're trying to hit one of the User endpoints, which is scoped to Enterprise plans. You can see documentation on the specific User Attributes endpoints here.
Aha. After hitting the right endpoint and cracking my head with some JSON I'm able to update user attributes.
However I've hit a new hurdle. How do I get the user sid to be able to update their attributes?
Darren
March 25, 2025, 12:48am
10
The short answer is that there's not currently a simple solution without being on an Enterprise plan. I've already documented a feature request internally, but there's a decent workaround you can read about here.
Darren
April 24, 2025, 10:54pm
11
Have you had a chance to do more work on this, @ferret141? Let me know if you have any additional questions!
Not yet, but eager to look at it soon as I've noticed slow query behaviour on another app.