role-based-access-controlAs the Kinvey platform has evolved and its use cases have broadened, we have seen our customers develop apps using increasingly complex patterns of data access. As the wealth of interesting use cases continues to grow, we have also seen a need for increased levels of control over how access to this data is managed. Today, we are excited to launch Role-Based Access Controls for your data, as well as a set of related console usability improvements.

Revamped collection permissions

Until now, collection-level access has been controlled by selecting one of four pre-set permission types. With the introduction of Role-Based Access Controls, we are significantly expanding your ability to control how users access your data. When you navigate to the Settings ➡ Permissions page of any of your collections (as well as that of the Users section), you will find a table outlining the roles that can access the collection, as well as what types of access they grant their members.

Each row in the table represents the access granted to members of a specific role, and is broken into the four types of operations available for each collection: creating new entities (“Create”), fetching existing entities (“Read”), updating entities (“Update”), and deleting them (“Delete”). For each of these operations, you will choose the type of access members of the role will have when performing that operation.

Expanding a row by clicking the arrow on the right will display an explanation of how this role affects access to the collection. For complete information about collection permissions and access types, including examples illustrating how roles can be used to solve various use cases, see our updated Security Dev Center guide.

Note that each of the previously-offered permission types can be modeled using the new access controls. We have automatically converted each of your existing collection permission settings to its role-based equivalent, and you will see this change next time you log into the console. For a detailed list of how each previously-offered permission type maps to the new approach, see our Dev Center guide.

Role management

Role creation and management is available through the new Roles section of each environment, accessible through the sidebar. When you first navigate to this screen, you will find the built-in All Users role, which can be used to control the baseline access your app’s users will have to collections, before they are granted more specific access through additional roles you create. To create a new role, click the + Add a Role button, and follow the prompts. Once a custom role is created, click its settings button to see an overview of its usage and membership (this information will automatically appear once you grant the role access to collections and assign it to users).

To assign a role to your app’s users, use the new sidebar described below.

User sidebar

In the Users section of the console, you will find a new checkbox at the beginning of each row. Checking one of these will open the user sidebar, which allows you to perform administrative tasks such as resetting a user’s password, locking a user down, or deleting a user. It also lists all the custom roles granted to the selected user, and allows you to assign or revoke any role you’ve created.

Selecting multiple users will switch the sidebar’s display to bulk-user mode. In this mode, you are able to assign a custom role to any number of users at once.

Collection data sidebar

Similarly to the user sidebar, collection data now also support entity selection. Selecting a single row will display its JSON structure and allow you to delete that entity. Selecting multiple rows will switch the sidebar to bulk-entity mode, and allow you to delete any number of selected entities.

Cloning and migration

Cloning or migrating your environments will now also migrate your roles. In the migration screen, you will find a new “Roles” item available for selection. Note that since collection-level permissions now rely on roles, the “Roles” item must be selected in order to migrate collection or user settings.

Coming soon

In a future update to our client libraries, we will introduce the ability to create and manage roles from within your apps. By allowing you to control which users have the ability to assign roles to other users, this upcoming update will open up new possibilities surrounding complex data management and control.

Kinvey-console-roles

We look forward to seeing what you will achieve with these new capabilities, and will continue to work to bring even more functionality to the platform in the future. For more information on current features, head to our Dev Center.