Control table visibility through AD security groups

+4 votes

I'm not sure if this would even be possible, but it would be awesome to be able to restrict the visibility of tables to different Active Directory security/user groups. For example;

Main user group - can only view "Products" and "Clients" tables.

Super user group - can view "Products, "Clients", "Staff" and "Payroll" tables.

Accounts user group - can only view "Payroll" and "Staff" tables.

The current option of hiding certain table's relationships is fantastic, as well as the option of assigning a different group for "Admin" level access and "User" level access, but having that level of control over specific tables as well would be great.

in Features (Todo) by (970 points)

1 Answer

+3 votes

Thank you for the request.

As designed, the answer would be to create multiple applications to satisfy the different user groups. This would involve some duplicate effort but it does make sense since they are different roles.

The different roles likely need more than just additional table access. They might need different reports, exports, access to differ procedures, etc....

That said, I can definitely see how this would make it easier to implement systems where there are multiple groups each having their own access levels.

NOTE: Please vote on this Feature Request if it interests you.

by (64.4k points)
I can see the benefit of both ConnorK's original request and Anthony's suggestion that separate applications are a possible solution. I think that the separate applications are cleaner but will, necessarily, involve more work. A possible way to circumvent some of the additional work would be to allow the export and import of individual table metadata to cut down on the re-keying and re-design.
If you imported this table metadata into a Repository application you've got the beginnings of a data dictionary which you could use as building blocks for other applications.
Best Regards
We will be using SSO (OKTA), with that we pass in our DBFront AD groups that the user belongs to.  These AD Groups are used for general access to the application.  It would be great if these AD Groups could held as a fixed variable like %ADGroups% that could be used in the Row Security queries.  This would allow me to put ('DBFront_PayrollAdmins' in %ADGroups%) in the Can Update section of Row Security.  We manage our AD Groups very closely so I can count on them being correct.

With this suggestion the %ADGroups% would contain a comma separated list of the AD groups that our SSO provider would pass to DBFront.
Welcome to the dbFront Q&A site, where you can ask questions and receive answers from other members of the community.
 | Minimalist Answer Theme by Digitizor Media
Powered by Question2Answer