Secure app model data

As a core part of app security, you can protect the data that your apps gather and use with access controls. Even when the app doesn't hold sensitive or confidential data such as personally identifiable information (PII), contact information and other organizational data can be put at risk if a user's account is compromised.

To protect model data:

  • Control who can work with records
  • Control who can access relations between models
  • Secure data based on record ownership
  • Control who can import and export data

These access controls limit what users can do through the app UI (bindings and client scripts), but they don't restrict server scripts. A server script must enforce its own access checks.

Control who can work with records

For models in your app that require data security, specify which users can create, load, save, and delete records. You can set access permissions (Admins Only, Everyone, Roles, Script, or Owner) for all operations on a model, or for each operation separately.

For example, you develop a Human Resources (HR) app for your organization. You could permit the following:

  • All employees can search for contact information for other employees.
  • Only the employee or an HR admin can view and edit an employee's personal information.
  • Only managers in the HR department can create, edit, and delete employee records.

Access permissions restrict user access to records when that access is through bindings and client scripts, but not access through server scripts.

App Admins always have access to all records, even if the security settings permit no one access.
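The following is an added example, not code from App Maker or from this page. It models, in plain JavaScript that runs under Node, the record permission semantics described above (Admins Only, Everyone, Roles and Script, with the App Admin override; the Owner permission, which depends on a field in the model, is left out), and then shows the practical consequence of the server-script caveat: a server script that deletes a record without calling the check, beside one that enforces the policy itself. The `modelSecurity` shape, the function names, the role name `Admin` for App Admins, and the sample employee records are all constructed assumptions, not the App Maker API.

```javascript
// Added example (not App Maker's own code): a model of the record permission
// semantics on this page, plus the server-script guard you must write yourself.
// `authorizeRecordOp`, the `modelSecurity` shape and the role name 'Admin' are
// illustrative assumptions, not the App Maker API.

const OPERATIONS = ['create', 'load', 'save', 'delete'];

// Pick the permission that applies to one operation. With the Advanced
// checkbox cleared there is a single permission for every operation;
// with it selected, each operation has its own entry.
function resolvePermission(modelSecurity, operation) {
  if (!OPERATIONS.includes(operation)) {
    throw new Error('unknown record operation: ' + operation);
  }
  return modelSecurity.advanced
    ? modelSecurity.perOperation[operation]
    : modelSecurity.all;
}

// Decide whether `user` may perform `operation` on `record`.
// permission.kind is one of: adminsOnly, everyone, roles, script.
// App Admins (assumed role name 'Admin') always pass, whatever the setting.
function authorizeRecordOp(modelSecurity, user, operation, record) {
  if (user.roles.includes('Admin')) return true;
  const permission = resolvePermission(modelSecurity, operation);
  switch (permission.kind) {
    case 'adminsOnly':
      return false;
    case 'everyone':
      return true;
    case 'roles':
      // Any one matching role is enough.
      return permission.roles.some((role) => user.roles.includes(role));
    case 'script':
      // Server authorization script: a function you write that returns a boolean.
      return permission.script(user, record, operation) === true;
    default:
      // Fail closed on an unrecognised permission kind.
      return false;
  }
}

// Constructed sample: the HR app from the page, in Advanced mode. Load is open
// to everyone, create and delete are limited to HR managers, save is decided
// by a script (HR managers, or the employee editing their own record).
const employeeSecurity = {
  advanced: true,
  perOperation: {
    create: { kind: 'roles', roles: ['HRManagers'] },
    load: { kind: 'everyone' },
    save: {
      kind: 'script',
      script: (user, record) =>
        user.roles.includes('HRManagers') || user.email === record.Email,
    },
    delete: { kind: 'roles', roles: ['HRManagers'] },
  },
};

// Constructed in-memory table standing in for an App Maker model.
const employeeTable = new Map([
  [1, { Id: 1, Email: 'ana@example.com', Department: 'Sales' }],
  [2, { Id: 2, Email: 'bob@example.com', Department: 'Finance' }],
]);

// Vulnerable: a server script that deletes on request. Model permissions do
// not apply to server scripts, so any caller who can reach this function
// deletes the record, whatever the Security tab says.
function deleteEmployeeUnchecked(table, user, id) {
  return table.delete(id);
}

// Hardened: the server script applies the same policy explicitly and refuses
// loudly instead of silently skipping the delete.
function deleteEmployeeGuarded(table, security, user, id) {
  const record = table.get(id);
  if (!record) return false;
  if (!authorizeRecordOp(security, user, 'delete', record)) {
    throw new Error('forbidden: ' + user.email + ' may not delete record ' + id);
  }
  return table.delete(id);
}
```

The unchecked function succeeds for any caller because the Security tab settings only govern access through bindings and client scripts. The guarded version calls the same decision function the UI path would apply, and fails closed for permission kinds it does not recognise.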

Set the same access permissions for all record operations

When the same permissions apply to all record operations, you can set one permission.

  1. Open App Maker and open your app.
  2. In the left sidebar, click the model that you want to set permissions for.
  3. Go to the Security tab.
  4. Clear the Advanced checkbox if it's selected.
  5. Under Model Permissions, select the access permission.
  6. Supply additional information for Roles, Script, and Owner:

    • Roles—For each role, click Add Role and select an existing role from the list. You can also click Manage Roles if you need to create roles.
    • Script—In the script editor, enter or paste the server authorization script.
    • Owner or Roles—From the binding picker, select a field that corresponds to the email of the record owner. This option requires that a field in the model contains the email of the owner; the Owner permission is described under Secure data based on record ownership, later on this page. Optionally, add one or more roles.
  7. Click Save.

Set access permissions for Create, Load, Save, Delete operations individually

  1. Open App Maker and open your app.
  2. In the left sidebar, click the model that you want to set permissions for.
  3. Go to the Security tab.
  4. Select the Advanced checkbox.
  5. Under Create, Load, Save, or Delete, select the access permission.
  6. Supply additional information for Roles, Script, and Owner:

    • Roles—For each role, click Add Role and select the role from the list. You can also click Manage Roles if you need to create roles.
    • Script—In the script editor, enter or paste the server authorization script.
    • Owner or Roles—From the binding picker, select a field that corresponds to the email of the record owner. This option requires that a field in the model contains the email of the owner; the Owner permission is described under Secure data based on record ownership, later on this page. Optionally, add one or more roles.
  7. Click Save.
  8. Repeat this process for the other types of operations in the model.

Control who can access relations between models

When models contain confidential data, you must ensure their relations are also under access control. If you don't protect relations, users might be able to view and modify records that they shouldn't.

Each time a non-Admin user requests records that have a relation, App Maker checks the load permission for the records. If the user doesn't have access to all the models involved, the query is denied. Also, if a non-Admin user changes an association in a relation, App Maker verifies the relation permissions before it allows the change.

Relation access permissions are a little different from model access permissions. You can use the Admins Only, Everyone, Roles, and Script permissions as with models. However, instead of an Owner permission, you can use an Inherited permission.

For example, in your Human Resources (HR) app, you can allow only HR managers to add an employee to a department. To set this permission, create an HRAdmins role and a relation between an Employee model and a Department model. In the relations permission section, add that role for the relation. When you deploy the app, you add members to the HRAdmins role (or edit the members if you already deployed the app). Members of the HRAdmins role are allowed to associate records in the Employee model with records in the Department model. Other users aren't allowed to associate these records.

Set access permissions for a relation

  1. Open App Maker and open your app.
  2. If you want to use role-based access control, add roles.
  3. In the left sidebar, click the model that you want to set permissions for.
  4. Go to the Security tab.
  5. Under Relation Permissions, find the relation you want to secure.
  6. Select the access permission.
  7. If you select Roles or Script, enter additional information:

    • Roles—For each role, click Add Role and select an existing role from the list. To add a role, click Manage Roles.
    • Script—In the script editor, enter or paste the server authorization script.
  8. Click Save to confirm your changes.

Secure data based on record ownership

App Maker automatically gets the email address of the user who is signed in to an app. You can use this email address to restrict access to records in a model. The model must have a field that contains the owner's email address. When you select the Owner or Roles access permission, you bind the Owner permission to that field. With this setting, App Maker allows access to the record only if the app user's email matches the email in the bound field.

The Forum Sample is an example of an app that secures data based on record ownership. With the app, users can create forums and post messages to the forums. A user who creates a forum is the owner of that forum. In the Forum model, data security is set to require Owner access permissions for save and delete operations. This app uses a script for the onBeforeCreate event to automatically assign a record owner when a user creates a record.

To use Owner access permissions:

  1. In the model, add a string field for the email address of the record owner.
  2. Go to the Security tab for the model.
  3. For operations on records (Create, Save, Load, and Delete) that should be restricted to the record owner, select Owner or Roles.
  4. Select the field in the model that contains the record owner's email.

Each record must have a value for the field that sets the record owner. To automatically set the owner as the user when the user creates a record, you could set it in the model's onBeforeCreate event. For example, if the owner field in the model is called Email, go to the model's Events tab, click onBeforeCreate, and enter the following script:

record.Email = Session.getActiveUser().getEmail();
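As an added example that is not the Forum Sample's or App Maker's own code, the following Node-runnable JavaScript simulates the onBeforeCreate owner stamp above together with an Owner-or-Roles check on save and delete. It also covers the two failure modes a practitioner should care about: a client that submits someone else's address in the owner field, and a record that reached the model without an owner value (for example through an import). `makeSession`, `OwnedRecords`, the `Moderators` role and the sample users are constructed stand-ins for Session.getActiveUser() and an App Maker model; the case-insensitive email comparison is an assumption, since the page doesn't state the matching rule.

```javascript
// Added example, not the Forum Sample's or App Maker's own code: a simulation
// of the onBeforeCreate owner stamp and the Owner-or-Roles check that depends
// on it. makeSession and OwnedRecords are constructed stand-ins for
// Session.getActiveUser() and an App Maker model.

const OWNER_FIELD = 'Email'; // the model's owner field, named as on the page

// Stand-in for Session.getActiveUser().getEmail() on the server.
function makeSession(email) {
  return { getActiveUser: () => ({ getEmail: () => email }) };
}

// onBeforeCreate: the owner is always the signed-in user, whatever value the
// client put in the owner field.
function onBeforeCreate(record, session) {
  record[OWNER_FIELD] = session.getActiveUser().getEmail();
  return record;
}

// Owner-or-Roles: allow if the user holds one of `roles`, or if the record's
// owner field matches the user's email. An empty or missing owner field is
// denied, never treated as "owned by everyone".
function ownerOrRoleAllows(record, user, roles) {
  if (roles.some((role) => user.roles.includes(role))) return true;
  const owner = record[OWNER_FIELD];
  if (typeof owner !== 'string' || owner.trim() === '') return false;
  // Assumption: case-insensitive comparison; the page does not state the rule.
  return owner.trim().toLowerCase() === user.email.trim().toLowerCase();
}

// A tiny model in which save and delete are Owner-or-Roles, as in the Forum
// Sample described above. Load is not restricted here.
class OwnedRecords {
  constructor(privilegedRoles) {
    this.records = new Map();
    this.nextId = 1;
    this.privilegedRoles = privilegedRoles;
  }

  // Create goes through onBeforeCreate, so the owner is set server-side.
  create(fields, session) {
    const record = onBeforeCreate(Object.assign({}, fields), session);
    record.Id = this.nextId++;
    this.records.set(record.Id, record);
    return record;
  }

  // Simulates a record that reached the model without passing onBeforeCreate,
  // e.g. one imported from a sheet with the owner column left blank.
  importRaw(fields) {
    const record = Object.assign({}, fields, { Id: this.nextId++ });
    this.records.set(record.Id, record);
    return record;
  }

  save(id, changes, user) {
    const record = this.records.get(id);
    if (!record || !ownerOrRoleAllows(record, user, this.privilegedRoles)) return false;
    Object.assign(record, changes);
    return true;
  }

  delete(id, user) {
    const record = this.records.get(id);
    if (!record || !ownerOrRoleAllows(record, user, this.privilegedRoles)) return false;
    this.records.delete(id);
    return true;
  }
}
```

Because the owner is written in onBeforeCreate on the server, a client that fills in the owner field itself gains nothing. Records with an empty owner field can only be touched by a role holder, which is the safe default for data that bypassed the create hook.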

Control who can import and export data

No matter what access controls you set on models in the app, the app owner can import and export data in deployments. Users with view permission on the app project file can also export data. This access is a data-exposure risk: the data might include sensitive or confidential information, such as personally identifiable information (PII).

  • Import data—When the app owner imports data from Google Sheets into a model in a deployment, App Maker imports all the data into the deployment. If the sheet contains sensitive or confidential data, then the deployment of the app also contains that information.
  • Export data—When the app owner or a user with view permission exports data, App Maker exports all the data to a Google spreadsheet. If the model contains sensitive or confidential data, then the spreadsheet also contains that information.

Best practices for app data security

  • Allow users access to record operations and relations only as much as they need to achieve their tasks in the app.
  • Don't rely on UI security (when you show or hide pages and widgets) for data security.
  • Don't use client scripts or an app startup script for data security. These scripts run in the user's browser, where the user can read, modify, or bypass them. Use server scripts for script-based security and write the access control into those scripts.
  • Make sure that the users who own the app project file and who have edit or view permission understand the data security risks of importing and exporting data.