Restrict Query Access
When you need to secure sensitive data and provide access only to specific users, you can manage this by setting the right permissions for queries. This guide shows how to restrict query access and dynamically show or hide widgets based on user permissions.
Prerequisites
Before you start, ensure you have:
- A self-hosted Appsmith instance running the Commercial Edition. If not installed yet, see the Installation Guides.
- A Business Plan. For more information, see Pricing.
- Enabled the Programmatic Access Control feature and have access to read roles assigned to users. For more information, see Admin Settings - Programmatic Access Control.
- Access to edit role configuration and applications. If you need access, contact your Instance Administrator.
Restrict query access and hide widgets
Follow these steps to update your existing role, revoke query permissions, and hide widgets for a better user experience.
Change role configuration
To allow only specific users to execute a query, identify the query that processes sensitive data (query_process_sensitive_data) and the roles that need access to execute the query, as well as roles that no longer need this permission. Then update the role configuration as follows:
-
Navigate to the Admin Settings by clicking the gear (⚙️) icon in the top right corner of your Appsmith Dashboard.
-
Under Access Control in the sidebar, select Roles.
-
Find the role you no longer want to have permission to perform the operation on sensitive data (Role1) from the list of existing roles.
-
Click the role to edit its permissions.
-
In the Application Resources tab, revoke the Execute permission by unchecking the checkbox under Execute permission for the relevant query. For example, query_process_sensitive_data. By removing execute permissions from roles that no longer need access, you prevent unauthorized data operations.
-
Click Save changes to apply the updated permissions.
-
Repeat the steps for all roles where you need to revoke access to execute the query.
After saving the changes, the updated roles will no longer have access to perform operations on sensitive data. The application developers can use the appsmith.user.roles
object to hide widgets.
Hide widgets
To ensure data security and a smooth user experience, hide widgets from users without the necessary permissions. For example, if a button triggers a sensitive data query, show the button only to users allowed to run that query:
-
Select the button widget in your application.
-
Enable the JS label for Visible property in the property pane.
-
Use the following JavaScript code to set up conditional rendering based on the role that has permission to execute the query. In the below code, the
roles
object holds all the roles assigned to the user. For more information, see roles.//Replace 'Role1' with the name of the role that has permission to execute the query.
{{appsmith.user.roles.includes('Role1')}} -
Deploy your application and verify the access using different user accounts - one with permission to execute the query, and one without.
Troubleshooting
If you face any issues, reach out to the support team via the chat widget located at the bottom right of this page.