User permissions 🔐

[FelixMalfait]

Currently, all users on a workspace have the same rights to create, edit, view and delete records.

In the future we want to provide a more granular role/permission system that lets an admin control who can edit workspace settings, but also setting object-level permissionning.

Example implementation on Hasura: https://hasura.io/docs/latest/auth/authorization/permissions/common-roles-auth-examples/
Other example: https://www.producthunt.com/posts/permit-io

Implementation

• Create a new table permissionSet within the metadata schema: nameSingular, labelSingular, isCustom, isAdmin
• Create a new table permissionSetAssignment with userWorkspaceId and permissionSetId
• Create a new table objectPermissions with permissionSetId, objectMetadataId, canRead, canCreate, canEdit, canDelete

Later we will create fieldPermissions and replace isAdmin by a more granular table with individual permissions.

[skamensky]

Just for some community feedback, this is a blocker for us. We must be able to support permissions to be able to migrate to twenty.

See #501 (comment) for a related comment of mine.

[FelixMalfait]

Thanks @skamensky - that's a big lift so not coming soon unfortunately. But definitely on the roadmap and will get done

[estan]

We are exploring a migration to Twenty as well.

Just so I understand this current limitation: There's currently no way to restrict what a user can do e.g. in terms of altering the Data model of a workspace? If so, that would be a blocker for us as well, or at least a tough pill to swallow. That users have free reign to modify objects is something we could live with for a while, but letting everyone modify the data model itself would be a bit too much - people tend to get "creative" and carried away with such freedoms, even if you tell them not to, and we're a bit worried cleaning up unwanted model changes might become problematic..

[FelixMalfait]

@estan Yes that's correct. It's not the long term vision obviously but that's the current state.

[skamensky]

Understood, @FelixMalfait . Thanks for the reply.

In terms of permit-io, I just browsed their code and site and it looks like they don't support permissioning at the query level yet, which would make larger filtering either inefficient or insecure.

https://github.com/permitio/docs/blob/58384169b2786c02895abbec345cfe45668e68f4/docs/how-to/enforce-permissions/data-filtering.mdx?plain=1#L56-L67

[FelixMalfait]

Thanks! still a lot TBD. We were exploring relying on Postgres-level RLS but not sure we'll go that way

[bwmirek]

Any updates? Still blocker to implement this for real clients

[skamensky]

Looks like they're trying to hire someone to do this right now!

https://www.ycombinator.com/companies/twenty/jobs/b1Uku7w-senior-software-engineer

Just posted today.

[hjpineda]

Hi all, this is also a blocker for us to move to Twenty. Is it possible to bump this priority up?