I'm playing with RBAC for an external app, and to that end I'm curious to know if variables or user attributes are stored server side.
I'm thinking of using variables or user attributes to disable/hide components.
Also open to other approaches to RBAC.
Hey @ferret141,
I think this is a good approach.
Attributes are secure by default: bad actors cannot spoof data passed into queries that reference attributes.
From docs
I've done RBAC using attributes and I'm quite happy with it.
Darren
March 7, 2025, 2:21am
Agree with @MiguelOrtiz that user attributes are the more secure option, for the reasons mentioned above.
Confirming for my peace of mind. My understanding is that:
User attributes are fed into queries and workflows server-side.
For anything initiated client-side, spoofing checks are done against the user attribute values sent in.
This includes the hiding/disabling of components.
However, no checks are done against variables. But are they ever stored client-side?
It looks like I don't have access to the User API on the Business plan to set the attributes dynamically.
Any recommendations?
Thanks
Darren
March 12, 2025, 6:28pm
Yes - the values of the user attributes referenced within a query are validated server-side in order to prevent spoofing.
ferret141:
Any recommendations?
There is a separate set of endpoints specifically for interacting with user attributes that is accessible on a Business plan.
@Darren, no success unfortunately.
Is our account stuck in some legacy mode?
Darren
March 17, 2025, 5:36pm
It looks like you're trying to hit one of the User endpoints, which is scoped to Enterprise plans. You can see documentation on the specific User Attributes endpoints here.