How do permissions work

Access to data in Stacker is controlled by permission rules, which determine the tables, records and fields a user sees.

Stacker has a flexible permissions system designed to allow you to share records, fields and actions with the right users. It can take a moment to get your head around how it works. This page will take you through it one step at a time.

Setting up permissions

To set the permissions for a table, navigate to Setup Home, select the table and then pick the Permissions tab.

You will see the permissions that are currently being applied for your table:

This is a single permission rule and it is broken down into sections:

  • Which records: this is determined by the permission filter

  • Which actions: whether users will be able to update and create records

  • Which fields: exactly which fields are included

The records, actions and fields all work together to define the permissions. The permission rule says that users will be able to perform these actions on these records with this access to these fields.

Permission filters determine which records

A permission rule can grant access to All Records of a table, or only Some Records. In the case of Some Records, a permissions filter is used to determine which records are available to each user. The format of these filters is a single condition that must match between the record and a user's record.

For example, if you would like a user to only see Books records for which they are the writer, the permissions filter would be:

  • Property > Writer must match User

Another common example would be if you want a user to only see items that belong to the same team as the user. Imagine in a B2B scenario your users work for agencies and you want all of your users who work at a particular agency to be able to see all of the Video records that are related to that agency.

In this case the permissions filter would be:

  • Video > Agency must match User > Agency

You can match on any relationship fields. For the Airtable data source this includes Airtable lookup fields which are treated as read-only relationships in Stacker. You may need to make some changes to your Airtable structure to permission the records in the way that you want. If you need help doing this, get in touch.

Actions control what users can do

Every permission rule includes the read action, so your users will be able to read the records that have been matched by the permissions filter.

There are two additional actions that you can toggle on and off:

  • Update records

  • Create records

These settings control whether Stacker will show your users an edit button or a create button respectively.

Field permissions go granular

Field permissions are where we get into the real detail. For every enabled field on your table you can choose whether your users will be able to read the field, edit the field or set the field while creating a record.

Stacker automatically disallows combinations that don't make sense here; for example, you can't edit data that you can't read.

Simply click on the ticks to turn them into crosses and vice versa.

Permission rules give but do not take

One key principle of permissions in Stacker is that they are additive.

Permission rules can grant permissions but they cannot take access away.

This means that if a user cannot do something, it is because they don't have a permission rule enabling them to do it; it is not because there is a permission rule stopping them from doing it.

This may seem like a subtle difference but with multiple permission rules applying to users the distinction does make a difference. Understanding this point will help you avoid any permission surprises.
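The additive behaviour described above, shown as an added example: a simplified Python model written for this page, not Stacker's own code. The `Rule` class, the function names and the sample Videos data are assumptions, and relationship fields are modelled as single values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    table: str
    record_field: Optional[str]  # None models "All Records"
    user_field: Optional[str]    # None models "must match User" (the user record itself)
    actions: frozenset           # extra actions: "update", "create" (read is always included)
    fields: dict                 # field name -> set of "read" / "edit" / "create"

def rule_matches(rule, user, table, record):
    """Apply the rule's single filter condition to one record and one user."""
    if rule.table != table:
        return False
    if rule.record_field is None:
        return True
    wanted = user["id"] if rule.user_field is None else user.get(rule.user_field)
    return wanted is not None and record.get(rule.record_field) == wanted

def effective_access(rules, user, table, record):
    """Union of every matching rule. None means no rule grants this record."""
    matched = [r for r in rules if rule_matches(r, user, table, record)]
    if not matched:
        return None  # access is absent because nothing grants it, not because something denies it
    actions, fields = {"read"}, {}
    for r in matched:
        actions |= r.actions
        for name, perms in r.fields.items():
            fields.setdefault(name, set()).update(perms)
    return {"actions": actions, "fields": fields}

# Constructed sample data (hypothetical table, fields and users).
RULES = [
    # Video > Agency must match User > Agency: read Title only.
    Rule("Videos", "Agency", "Agency", frozenset(), {"Title": {"read"}}),
    # Video > Writer must match User: may update, edit Title, read Budget.
    Rule("Videos", "Writer", None, frozenset({"update"}),
         {"Title": {"read", "edit"}, "Budget": {"read"}}),
]
VIDEO = {"Title": "Launch", "Agency": "a1", "Writer": "u1", "Budget": 5000}
ALICE = {"id": "u1", "Agency": "a1"}  # same agency and the writer: both rules apply
BOB = {"id": "u2", "Agency": "a1"}    # same agency only: first rule applies
CAROL = {"id": "u3", "Agency": "a2"}  # no rule matches

if __name__ == "__main__":
    for person in (ALICE, BOB, CAROL):
        print(person["id"], effective_access(RULES, person, "Videos", VIDEO))
```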

Advanced Permissions

Permission rules get more functionality in Advanced Permissions. Read more:

  • About the differences between Standard and Advanced Permissions

  • How to use Roles to create different experiences for different users.