User Roles & Permissions

Keep tight control over user access levels using User Roles & Permissions

Why Use Permissions? 🛡

Whether you're building an Internal Tool, a Client Portal or a Partner Portal, it's critical to control who has access to what information.

Permissions let you control what your users can see and how they can interact with data in your apps. You can use permissions to:

  • Limit which pages users can access

  • Limit which records a user can read, edit, create or delete

  • Hide sensitive fields from certain user types

  • Create secure multi-tenant applications

Access Control Methods

Noloco provides three complementary approaches to control user access:

| Method | Security Level | Purpose | Configuration |
| --- | --- | --- | --- |
| 🔒 Permissions | High | Secure data access | Data & API tab |
| 👁️ Visibility Rules | Medium | UI experience | Build mode |
| Filters | Low | Data organization | View configuration |

Learn when to use each approach →

Permission Types

📊 Record-Level Permissions

Control which records users can access within a table.

Example: Sales reps only see accounts in their territory.

Set up Record-Level Permissions →

🏷️ Field-Level Permissions

Control access to specific fields within records.

Example: Hide salary information from non-HR staff.

Set up Field-Level Permissions →

User Roles

Built-in Roles

Noloco provides two default roles:

  • Team Admin: Full access for internal team members

  • User: Default role for external users (clients, partners)

Custom Roles

Create additional roles for complex access patterns:

  • Pro plan and above: Add unlimited custom roles

  • Role-based permissions: Each role can have different access levels

  • Multiple roles: Users can have multiple roles (permissions are additive)

Quick Setup Guide

1. Plan Your Access Model

  • Identify user types (Admin, Agent, Client, etc.)

  • Define what data each type should access

  • Determine required security level

2. Create User Roles

  • Go to Settings > User Roles

  • Create roles for each user type

  • Assign roles to users in the User table

3. Configure Permissions

  • Navigate to Data & API tab

  • Set permissions for each sensitive table

  • Test with "View as User" feature

4. Test and Refine

Permission Configuration Examples

Example 1: Client Portal Setup 🏒

Goal: Clients only see their company's data

User Roles:

  • Admin (internal)

  • Client (external)

Permissions:

  • Record-level: Company equals User's Company

  • Field-level: Hide internal pricing and notes from Client role

Testing: Use "View as" Client user to verify restricted access
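
A scripted counterpart to the "View as" check for Example 1, added here as an illustration; it is not Noloco's code or API. It models the record rule (Company equals User's Company), the Client field restrictions and additive multi-role behaviour in plain Python; the field names, sample records and the rule that a field stays hidden only when every granting role hides it are assumptions made for the example.

```python
# Added illustration: a plain-Python model, not Noloco's engine or API.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class RolePolicy:
    can_read: Callable[[dict, dict], bool]   # record-level rule
    hidden_fields: frozenset = frozenset()   # field-level rule

# Hypothetical encoding of Example 1's roles.
POLICIES = {
    "Admin": RolePolicy(can_read=lambda user, rec: True),
    "Client": RolePolicy(
        can_read=lambda user, rec: rec["company"] == user["company"],
        hidden_fields=frozenset({"internal_pricing", "notes"}),
    ),
}

def view_as(user, records):
    """Return the records and fields the user's roles grant, combined additively."""
    policies = [POLICIES[r] for r in user["roles"] if r in POLICIES]
    visible = []
    for rec in records:
        granting = [p for p in policies if p.can_read(user, rec)]
        if not granting:
            continue  # default deny: no role grants this record
        # Assumption: a field stays hidden only if every granting role hides it.
        hidden = frozenset.intersection(*(p.hidden_fields for p in granting))
        visible.append({k: v for k, v in rec.items() if k not in hidden})
    return visible

def isolation_violations(user, records):
    """List returned records that break Example 1's goal for a client user."""
    restricted = POLICIES["Client"].hidden_fields
    return [rec for rec in view_as(user, records)
            if rec["company"] != user["company"] or rec.keys() & restricted]

# Constructed sample data (not from the page).
RECORDS = [
    {"id": 1, "company": "Acme", "total": 100, "internal_pricing": 60, "notes": "vip"},
    {"id": 2, "company": "Globex", "total": 250, "internal_pricing": 90, "notes": "late"},
]
CLIENT = {"name": "alice", "company": "Acme", "roles": ["Client"]}
DUAL = {"name": "bob", "company": "Acme", "roles": ["Client", "Admin"]}

if __name__ == "__main__":
    print(view_as(CLIENT, RECORDS))             # Acme record only, restricted fields removed
    print(isolation_violations(DUAL, RECORDS))  # additive roles widen access
```

In this model a user holding both Client and Admin receives the union of both roles, so role assignments need the same review as the rules themselves.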

Example 2: Real Estate Team Access 🏠

Goal: Agents only see assigned properties

User Roles:

  • Manager (full access)

  • Agent (limited access)

Permissions:

  • Record-level: Assigned Agent equals Logged in User

  • Field-level: Agents can't create properties or edit status

Testing: Switch between Manager and Agent views to verify differences

Advanced Permission Patterns

Multi-Tenant Applications

  • Each tenant's data completely isolated

  • User organization determines data access

  • Shared resources controlled by admin roles

Hierarchical Access

  • Managers see their team's data + their own

  • Multiple permission rules for complex reporting structures

  • Inherited permissions from organizational structure

Progressive Access Levels

  • Viewer → Editor → Admin permission progression

  • Feature access increases with role level

  • Training and onboarding-friendly structure

Plan Feature Availability

Permissions Plan Requirements

All Plans: Basic permissions and built-in roles

Pro Plan and Above:

  • Field-level CRUD permissions

  • Unlimited custom user roles

  • Advanced permission patterns

Troubleshooting

Having permission issues? Check our comprehensive troubleshooting guide:

Permissions Troubleshooting Guide →

Common Quick Fixes

  • Users can't see records: Check if permission rules exist for their role

  • Fields still editable: Verify field-level update permissions

  • Changes not applying: Test in incognito window and check role assignments

Best Practices

Security First

  1. Start restrictive: Grant minimum necessary access

  2. Test thoroughly: Use "View as User" extensively

  3. Layer protection: Combine record and field permissions

  4. Regular audits: Review permissions as your app evolves

User Experience

  1. Clear communication: Users should understand access limitations

  2. Consistent patterns: Similar roles should have similar access

  3. Graceful degradation: Provide helpful messages for denied access

  4. Performance consideration: Complex permissions may impact loading times

Maintenance

  1. Document decisions: Keep track of permission logic

  2. Version control: Test changes before production

  3. User feedback: Monitor if permissions help or hinder workflows

  4. Simplification: Consolidate rules when possible
