Record-level permissions
Control user access with record-level permission rules
What are Record-Level Permissions?
Record-level permissions control which specific records users can access within a table. Unlike UI-level filters, these permissions work at the database/API level, making them much more secure.
Key Benefits:
API-Level Security: Data restrictions apply even when accessed through APIs
Role-Based Access: Different user roles can have different record access
Relationship-Based Filtering: Restrict access based on record relationships
Complete Data Protection: Unauthorized records never reach the user's device
Security Note: While filters at the UI level can manage what users see, database-level permission rules are much more secure as they ensure restricted data never reaches the app, protecting sensitive information effectively.
When to Use Record-Level Permissions
Use record-level permissions when:
Users should only see records they're assigned to or own
Different user types need access to different subsets of data
You need secure, API-level data protection
Building multi-tenant applications
Handling sensitive or confidential information
Example Scenarios:
Real estate agents only seeing their assigned properties
Sales reps only accessing their client accounts
Project managers only viewing projects they lead
Students only seeing their own courses and grades
Step-by-Step Setup Guide
Prerequisites
Before setting up record-level permissions, ensure your data model supports the required relationships:
User Relationships: Your target table must have a relationship field linking to the Noloco User table or a related user table
Proper User Roles: Users must be assigned appropriate roles in their user records
Data Structure: The relationship between users and records must be clearly defined
Example Setup: In a real estate CRM, each property record has an "assigned agent" field that links to the agents table, which is connected to the Noloco User table.
Configuration Steps
Step 1: Navigate to Table Permissions
Go to the Data & API tab in your app builder
Hover over the table you want to secure (e.g., "Properties")
Click the permissions icon 🛡️
If permissions aren't enabled, toggle them on (this creates a default rule)
Step 2: Create a New Permission Rule
Click "+ New" to add a new permission rule
Name your rule descriptively (e.g., "Agent Property Permissions")
Select the user role this rule applies to (e.g., "Agent")
Step 3: Configure Record Access
Disable "All Records" toggle - by default, new rules allow access to all records
Add access condition by clicking "Add Condition"
Set the relationship filter:
Choose the field that links records to users (e.g., "Assigned Agent")
Select "equals"
Choose "Logged in User" from the dropdown
Configure CRUD permissions (Create, Read, Update, Delete) as needed
Click Save to apply the rule
Testing Your Permissions
After setting up permissions, always test to ensure they work correctly:
Use "View as User" feature:
Look for the "👥" icon in the build toolbar
Select a user with the role you've configured
Navigate through the app to verify record access
Verify expected behavior:
Users should only see records they have access to
Restricted records should not appear in lists or searches
Direct navigation to restricted records should be blocked
Example: When testing as "Gal Samurai" (an agent), the properties list should only show properties assigned to her, and she shouldn't be able to access other agents' properties.
Common Permission Patterns
Pattern 1: User-Owned Records
Use Case: Users can only access records they created or own Setup: Link records to user via "Created By" or "Owner" field Condition: Owner
equals Logged in User
Pattern 2: Team-Based Access
Use Case: Users access records based on team membership Setup: Link records to teams, and users to teams Condition: Team
equals User's Team
(via lookup)
Pattern 3: Hierarchical Access
Use Case: Managers see their team's records + their own Setup: Multiple permission rules for same role Conditions:
Rule 1:
Owner
equalsLogged in User
Rule 2:
Team Lead
equalsLogged in User
Pattern 4: Client Portal Access
Use Case: Clients only see records related to their company Setup: Link records to companies, users to companies Condition: Company
equals User's Company
Troubleshooting Common Issues
Users Can't See Any Records
Cause: Permission rule is too restrictive or missing required relationships
Solutions:
Check if the user has the expected role assigned
Verify the relationship field exists and is properly populated
Ensure the permission condition matches your data structure
Test with "View as User" to debug the specific issue
Permission Rules Not Working
Cause: Common configuration errors
Solutions:
Verify relationships: Ensure the linking field connects to the right table
Check user roles: Confirm users have the role the rule applies to
Review conditions: Make sure permission conditions match your data model
Test systematically: Use "View as User" with different user roles
Conflicting Permission Rules
Cause: Multiple rules for the same role creating unexpected access patterns
Understanding Rule Logic:
Permission rules are additive for the same role
Users get access to records that match ANY of their role's rules
Field permissions combine (if any rule grants access, user gets that permission)
Best Practices
Security Best Practices
Always use record-level permissions for sensitive data
Test permissions thoroughly before deploying to production
Regularly review permission rules as your app evolves
Use the principle of least privilege (grant minimum necessary access)
Performance Considerations
Simple relationship conditions perform better than complex filters
Index fields used in permission conditions for better performance
Monitor query performance with complex permission setups
User Experience
Combine permissions with clear error messages when access is denied
Use visibility rules to hide UI elements users can't access
Provide clear feedback when users encounter restricted content
Last updated
Was this helpful?