G Suite Business customers can preview App Maker. Ask your domain admin to apply for early access.

Secure App Data

Securing data is a core part of app security. Secure the data for all apps, even apps that don't contain sensitive or confidential data such as personally identifiable information (PII).

Use these security measures to secure data

  1. Run the app as the user or as the developer (the person who publishes an app deployment)—Choose the appropriate execution identity for the app’s use case, which determines:

    • Which files in Google Drive users can access—the app publisher’s files and data, or their own files and data

    • Which G Suite data users can access—the app publisher’s files and data, or their own files and data

    • The identity for API calls to Google Apps Script services; for example, to send mail and make entries in a calendar

  2. Secure operations on records in models—Use Roles, Script, and Owner access permissions for operations on records (Create, Save, Load, and Delete). This allows specific users to perform specific types of operations on records in models. You can use one access permission type for all operations on records, or a different access permission type for each operation.

  3. Secure relations between models—Use Inherited, Roles, or Script access permissions for relations (or some combination). This allows specific users to associate records on both ends of the relations.

Recommendations

  1. Don’t rely on UI security for data security—UI security measures (page security and controlling the visibility of UI elements) do not secure data. UI security only controls who can do what through the UI.
  2. Don’t use client scripts or an application startup script for data security—Client scripts are inherently insecure. Script-based security must run on the server.

Secure operations on records

For models in your app that require data security, specify which users can create, load, save, and delete records. This secures access to records through bindings and client scripts. You can use the Admins Only, Everyone, Roles, Script, and Owner access permissions to secure operations on records.

For example, you could permit all employees to search for contact information for other employees, but limit the ability to create, edit, and delete employee records to managers in the HR department.

Use the same access permissions to secure all operations

  1. Open App Maker and navigate to your app.

  2. In the left sidebar, click the model for which you want to secure operations.

  3. Click the Security tab, then make sure the Advanced box is unchecked.

  4. Under Model Permissions, select the access permission to apply—Admins Only, Everyone, Roles, Script, Owner, or Owner or Roles.

  5. Supply additional information for Roles, Script, Owner, and Owner or Roles:

    • Roles—For each role, click Add Role and select an existing role from the list. You can also click Manage Roles if you need to create new roles.

    • Script—In the script editor, enter or paste the server authorization script.

    • Owner—From the binding picker, select a field.

    • Owner or Roles—From the binding picker, select a field. Add one or more roles.

  6. Click Save to confirm your changes.

Use different access permissions to secure Create, Load, Save, Delete operations

  1. Open App Maker and navigate to your app.
  2. In the left sidebar, click the model for which you want to secure operations.
  3. Click the Security tab, then check the Advanced box.
  4. Under Create, Load, Save, or Delete, select the access permission to apply—Admins Only, Everyone, Roles, Script, or Owner.
  5. Supply additional information for Roles, Script, Owner, and Owner or Roles:

    • Roles—For each role, click Add Role and select the role from the list. You can also click Manage Roles if you need to create new roles.

    • Script—In the script editor, enter or paste the server authorization script.

    • Owner—From the binding picker, select a field.

    • Owner or Roles—From the binding picker, select a field. Add one or more roles.

  6. Click Save to confirm your changes.

  7. Repeat steps 4 to 6 for the other types of operations.

Secure relations between models

If models contain confidential data, you must ensure their relations are secure. Failure to secure relations can result in users gaining access to data they shouldn't be able to see.

Each time a non-Admin user requests records that have a relation, App Maker checks the load permission for the records. If the user doesn't have access to all of the models, the query is denied. Additionally, if a non-Admin user changes an association in a relation, App Maker verifies relation permissions before allowing the change.

You can use the Admins Only, Everyone, Roles, Script, and Inherited access permissions to secure relations.

  • Inherited permission—Users who can save records on both ends of the relation can associate records across the relations (for example, by associating an Employee record with a Department record).
  • Owner permission—Not available directly for relations, because relations don’t have fields. However, if you use Owner permission for Save operations on one end of a relation, then the ability to associate records is governed by the Owner permission for that end of the relation. (You can specify Owner permission for Save operations on both ends of the relation.)

For example:

  1. Create an HRAdmins role and add that role in Roles security for a relation between an Employee model and a Department model.
  2. Add members to the HRAdmins role by editing the app deployment.

    • Members of the HRAdmins role are allowed to associate records in the Employee model with records in the Department model.

    • Other users aren't allowed to associate these records.
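The following JavaScript is an added example, not App Maker's own code or the Forum Sample. It models how the access permissions described above are evaluated on the server for record operations and for relations: Admins Only, Everyone, Roles and Script settings per operation, a relation query that is denied unless the user can load every model on the relation, and an association change that is governed either by the relation's own setting or, for Inherited, by Save permission on both ends. The user directory, role names (Admins, HRAdmins), models (Employee, Department, Salary) and the script-permission predicate are all constructed for the example; the assumption that admins bypass every check follows from the page's wording about "non-Admin" users.

```javascript
// Added example: server-side evaluation of App Maker-style model and relation
// permissions. All data below is constructed for illustration.

const ADMIN_ROLE = 'Admins'; // constructed name for the admin role

// Constructed user directory. In App Maker, role membership lives in the deployment.
const users = {
  'pat@example.com': { email: 'pat@example.com', roles: ['Admins'] },
  'sam@example.com': { email: 'sam@example.com', roles: ['HRAdmins'] },
  'lee@example.com': { email: 'lee@example.com', roles: [] },
};

function isAdmin(user) {
  return user.roles.includes(ADMIN_ROLE);
}

// Evaluate one access-permission setting for a user.
// A setting is 'AdminsOnly', 'Everyone', { roles: [...] } or { script: fn }.
// Assumption: admins always pass, matching the page's "non-Admin user" wording.
function allows(setting, user) {
  if (isAdmin(user)) return true;
  if (setting === 'AdminsOnly') return false;
  if (setting === 'Everyone') return true;
  if (setting.roles) return setting.roles.some((r) => user.roles.includes(r));
  if (setting.script) return setting.script(user) === true; // server authorization script
  throw new Error('unknown permission setting: ' + JSON.stringify(setting));
}

// Constructed per-operation policy for three models (the "Advanced" mode on the page).
const models = {
  Employee: {
    Create: { roles: ['HRAdmins'] }, Load: 'Everyone',
    Save: { roles: ['HRAdmins'] }, Delete: { roles: ['HRAdmins'] },
  },
  Department: {
    Create: 'AdminsOnly', Load: 'Everyone',
    Save: { roles: ['HRAdmins'] }, Delete: 'AdminsOnly',
  },
  Salary: {
    Create: 'AdminsOnly',
    // Script permission: a constructed predicate, evaluated on the server only.
    Load: { script: (u) => u.email.endsWith('@example.com') && u.roles.includes('HRAdmins') },
    Save: 'AdminsOnly', Delete: 'AdminsOnly',
  },
};

function canPerform(user, modelName, op) {
  return allows(models[modelName][op], user);
}

// Constructed relations. A relation's setting is 'Inherited' or any model-level setting.
const relations = {
  EmployeeDepartment: { ends: ['Employee', 'Department'], setting: { roles: ['HRAdmins'] } },
  EmployeeSalary: { ends: ['Employee', 'Salary'], setting: 'Inherited' },
};

// A query that follows a relation is denied unless the user can Load every model on it.
function canQueryRelation(user, relName) {
  return relations[relName].ends.every((m) => canPerform(user, m, 'Load'));
}

// Changing an association: Inherited requires Save on both ends; otherwise the
// relation's own setting decides.
function canAssociate(user, relName) {
  const rel = relations[relName];
  if (rel.setting === 'Inherited') {
    return rel.ends.every((m) => canPerform(user, m, 'Save'));
  }
  return allows(rel.setting, user);
}

// Summary of what one user may do, useful when reviewing a model's security tab.
function accessSummary(email) {
  const user = users[email];
  return {
    loadEmployee: canPerform(user, 'Employee', 'Load'),
    queryEmployeeSalary: canQueryRelation(user, 'EmployeeSalary'),
    associateEmployeeDepartment: canAssociate(user, 'EmployeeDepartment'),
    associateEmployeeSalary: canAssociate(user, 'EmployeeSalary'),
  };
}

console.log(accessSummary('lee@example.com'));
console.log(accessSummary('sam@example.com'));
```

Walking through the constructed data: a user with no roles can load Employee records and query the Employee-Department relation, but a query across Employee-Salary is denied because the Salary model's Load script rejects them; an HRAdmins member can associate Employees with Departments (Roles setting on the relation) but not with Salary records, because Inherited demands Save permission on both ends and Salary Save is Admins Only.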

Secure a relation

  1. Open App Maker and navigate to your app.
  2. In the left sidebar, click the model for which you want to secure a relation.
  3. Under Relation Permissions, find the relation you want to secure.
  4. Select the access permission to apply—Admins Only, Everyone, Roles, Script, or Inherited.
  5. Supply additional information for Roles and Script:
    • Roles—For each role, click Add Role and select the role from the list. You must add roles before you can select them.
    • Script—In the script editor, enter or paste the server authorization script.
  6. Click Save to confirm your changes.

Secure data based on record ownership

The Forum Sample lets users create forums and post messages to the forums. A user who creates a forum is the owner of that forum.

To use Owner access permissions:

  1. In the data model, add a field to contain the email address of the record owner; for example, a String field named Owner.
  2. In Security for the data model, select Owner access for operations on records (Create, Save, Load, and Delete) that should be restricted to the record owner. Owner permission is not available directly for relations. However, if you use Owner permission for Save operations on one end of a relation, then the ability to associate records is governed by the Owner permission for that end of the relation. (You can specify Owner permission for Save operations on both ends of the relation.)

  3. Set the value of the Owner field in the record to the user’s email address; for example, in the onCreate event for a record. In the Forum data model in Forum Sample, Owner access permissions for the Save and Delete actions specify that only the owner can edit the forum or delete it.
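The following JavaScript is an added example, not code from the Forum Sample or from App Maker. It shows the ownership pattern in the steps above running on the server: an onCreate handler that stamps the Owner field from the server-side identity (ignoring any Owner value the client sent), and Save and Delete checks that compare that field with the active user. The Forum policy, the in-memory store, the function names and the user emails are constructed for the example; the active user's email is passed in as a parameter rather than read from App Maker's session API.

```javascript
// Added example: Owner access permission enforced on the server for a Forum model.
// Everything here is constructed for illustration.

// Constructed policy mirroring the Forum settings described on the page:
// anyone may create or load a forum; only its owner may save or delete it.
const forumPolicy = { Create: 'Everyone', Load: 'Everyone', Save: 'Owner', Delete: 'Owner' };

// onCreate: copy the client-supplied fields, then overwrite Owner with the
// server-side identity. A client cannot choose its own owner value.
function onCreateForum(clientRecord, activeUserEmail) {
  return Object.assign({}, clientRecord, { Owner: activeUserEmail });
}

// Owner permission: the active user must match the record's Owner field.
function authorize(op, record, activeUserEmail) {
  const setting = forumPolicy[op];
  if (setting === 'Everyone') return true;
  if (setting === 'Owner') return record.Owner === activeUserEmail;
  return false; // anything unrecognised is denied by default
}

// Minimal in-memory store standing in for the model's records.
function createStore() {
  return { records: new Map(), nextId: 1 };
}

function createForum(store, clientRecord, activeUserEmail) {
  if (!authorize('Create', clientRecord, activeUserEmail)) return { ok: false, reason: 'denied' };
  const record = onCreateForum(clientRecord, activeUserEmail);
  record.Id = store.nextId++;
  store.records.set(record.Id, record);
  return { ok: true, record };
}

function saveForum(store, id, changes, activeUserEmail) {
  const record = store.records.get(id);
  if (!record) return { ok: false, reason: 'not found' };
  if (!authorize('Save', record, activeUserEmail)) return { ok: false, reason: 'denied' };
  // Design choice for this example: Owner and Id are not writable through Save,
  // so ownership cannot be transferred by editing the record.
  const { Owner, Id, ...editable } = changes;
  Object.assign(record, editable);
  return { ok: true, record };
}

function deleteForum(store, id, activeUserEmail) {
  const record = store.records.get(id);
  if (!record) return { ok: false, reason: 'not found' };
  if (!authorize('Delete', record, activeUserEmail)) return { ok: false, reason: 'denied' };
  store.records.delete(id);
  return { ok: true };
}

// Constructed walkthrough: a client sends a spoofed Owner on create, another
// user tries to edit and delete, then the real owner deletes.
function demo() {
  const store = createStore();
  const created = createForum(store, { Title: 'Welcome', Owner: 'victim@example.com' }, 'ana@example.com');
  const foreignSave = saveForum(store, created.record.Id, { Title: 'Hijacked' }, 'bob@example.com');
  const ownerSave = saveForum(store, created.record.Id, { Title: 'Welcome!', Owner: 'bob@example.com' }, 'ana@example.com');
  const foreignDelete = deleteForum(store, created.record.Id, 'bob@example.com');
  const ownerDelete = deleteForum(store, created.record.Id, 'ana@example.com');
  return { created, foreignSave, ownerSave, foreignDelete, ownerDelete, remaining: store.records.size };
}

console.log(JSON.stringify(demo(), null, 2));
```

Because the owner is assigned in onCreate on the server and the Save and Delete checks read the stored record rather than the client's copy, hiding the edit button in the UI or checking ownership in a client script adds nothing to the data's security; the server check is the one that matters.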