Add users and assign roles
This section covers adding and updating Users and providing them with the correct Roles.
In important note on Users in Appfarm, is that one User (with an unique email as login) may exist only once inside a solution. The build-in Users database is shared across environments. Therefore, providing a User with correct Roles, and restricting access to various environments by Roles is important.
When logging into the client (
https://YOUR-HOST-NAME), you meet the login screen (unless you have a direct link to an App with Public Access). Upon login, if authentication succeeds, your User's Roles are evaluated. If your Role(s) have access to more than 1 App, a splash screen for App selection will be presented. In only 1 App is available to you, you will be redirected to it automatically.
When accessing the App, all App Data is read. But only data of those Object Classes allowed to read for your Role(s), as defined in Permissions > Object Classes. When using the App, updates, create and delete of App Data will only be allowed if your Role(s) have those Permissions. In other words, you may have access to Read data of an Object Class, but not Update it.
When setting up logic in your App, you may access the properties of the logged-in user from the built-in Data Source (found in App Data) called
Current User. When logging into an App, the
Current Useris you.
Users may be manually added from the menu Users. Providing a User with one of the built-in roles Owners, Maintainers or Developers will give them access to Create. Owners have full access in Create, being able to add other Owners as well. You may view the settings for access within Create from menu Permissions > Advanced. If you are to add a User with a custom access to Create, you need to add a Custom Role for this, and adjust the Create access from the Advanced Permissions section.
Obviously, you could create a Custom Role with access to your Apps, and add these User manually from Create.
However, most solution need an App with functionality for adding or removing Users.
The built-in User object may not be extended with additional properties. In most cases, you would need to create a
PersonObject Class. This Object Class should at least have a property
Userwith data type User, and may have other properties, such as
Adding a new User to your App, would in the above example, require some UI to Create a new Person. For example, an dialog for entering First Name, Last Name and Login (email). Clicking the SAVE button shuold create a new User (action node Create User Account)
- We have runtime properties on the
Personobject for holding
Personobject as well (adding these 3 properties as Object Class Properties of the
- These properties are copied down to the User object created using Data Bindings
- We assign a Role
App Usersin the Role Memberships setting
- Accept Existing User is ticked. This means, if the User object is already created (e.g. added manually in Create or added from Dev or Test environments), the User object will just be read and updated with correct Role (defined by the setting Add Roles being ticked).
- Add to Data Source: We have a runtime only Data Source (cardinality One) for the purpose of holding the User object just created (or read, if already existing). We need this for updating the reference Person.User to point towards this User object in the next step.
- Optionally, you may tick the Send Welcome Mail. A default welcome mail will be sent to the User. The Welcome Mail content may have overrides defined from menu Environment Config (see this section). Or you could just create your own welcome email using the Send Email action node.
Once this action node has succeeded, the User just created exists in the User database with correct permissions.
Personobject is yet not saved. This Action Node (Create Object) creates the Person object, with reference to the User object just created. The next Action Node Persist saves the Person object to the database.
Updating Users from your Apps is explained following the same example as above.
Note that Updating a User's
You could reuse your UI for Creating a
Person. Edit a Person is typically done from a Table listing all Persons. Before opening the dialog for editing, just read the object in context into the Person (temp) Data Source! And if properties First Name and Last Name are not stored on the Person Object Class, just update these 2 runtime only properties on the
Person (temp)Data Source (from
Person (temp).User.First Name,
Person (temp).User.Last Name) before opening the dialog as well.
The SAVE button could trigger an action as follows
Executing this action will update for
Last Nameof the User.
Action Node Delete User Account allows you to delete a user. But note that doing this from Development or Test environment, for a User that is using the Production, will delete the User for good - leaving the User without possibility to access the Production environment anymore. Therefore, a good policy is to disable Delete User globally for Dev and Test environment (defined in the User Account Manipulation setting of Environment Config, also explained below).
If you do not want to permanently Delete the User, you could instead perform an Update User Account, and remove all permissions. This may be done by applying all roles in the Remove Roles setting of the Update User Account action node (se screenshot for Update User Account above).
Each environment has a global setting found in Environment Config >
ENVIRONMENT. By default, user manipulation from Apps is only enabled for Production environment. When testing your functionality for adding or updating Users from either Develop, Test og Staging environment, you need to tick the checkboxes found in Environment Config >
ENVIRONMENT, as illustrated below.
Setting to allow User Account Manipulation, to be turned ON
From menu Permissions > ACCOUNTS AND ROLES, you need to define which Roles are allowed to Create, Update or Delete User Accounts. This setup applies to user manipulation from the Client only, not from Create.
Service Accounts are users without a username and passwords. Service Accounts are added manually from Create - no action node exists for adding them from Apps.
Service Accounts are members of one or more Roles, similar to Users. They follow the same principles with regards to Permissions. But the normal use case for Service Accounts is that they are member of a dedicated Role, and this Role has access to one or more Services.