Field restrictions by role not working - why?

  • Question
  • Updated 4 years ago
  • Answered

I've created a role that has View All Records permission on a specific table. However, I only want users in this role to see a couple of the fields in this table.

According to this help page: http://www.quickbase.com/help/default.html#about_restricted_fields.html

...I should be able to achieve this. Except it appears to not work as advertised.

I go to the Permissions section of the Role properties. Under Fields, I click Custom Access and set all fields to have None access except the couple fields I need to have View access.

When I switch to impersonate that role, I can still see all records and all fields in the table. Also, when I use the QuickBase HTTP API, the doQuery function returns all rows and all fields.

By the way, I also tried setting the table-level role permission to None (instead of View All Records), but that doesn't let me see any records.

Any ideas?

Quickbase Generic User

Posted 5 years ago

In my experience, the "test as role" does not emulate field level restrictions. That is typically initially very scary when dealing with sensitive data.

You will need to test "the old way". Use a second userid for the test and have it be only in that Role.

Thanks for the suggestion. Tried this but it did not work. Just seems broken.

Well, security is rock solid in QuickBase so it is highly unlikely that this is a QuickBase bug. You should check that the alternate user ID that you set up is only in that one test role and not in some group perhaps which has more permissions.

Thanks for the answers. Looks like my user was inadvertently in another role with overlapping permissions. The "Test as Role" appeared to work properly.

dhanny

I tested another user. It will show the correct setting according to the limited roles. However, when I use a filter, the whole set of fields will appear. Buggy. Please advise.

Are you the same person who posted the original question?

dhanny

Nope, I am not the same person. I am testing it right now. And I thought the Role Tester is not functional, like being advised. I made another user and logged in. Of course it will cancel my administrator login. However, when I see the List All, the fields that need to be hidden are hidden correctly. But when I use the Filter at the left side, the result shows ALL fields.

dhanny

If only I can upload a screenshot. I can show this. Is there anywhere I can send the screenshots to?

When you say the filters, you mean the dynamic filters? Are you talking about when you are editing the report itself? As for posting a screen shot, I believe that the original person "Daniel" can post a screen shot to the original question.

dhanny

I am not sure what the name of the filters is. It is the kind of quick filter that I can do from the left side of the List All Report. I can click to filter so that only fields equal to the particular value that I click will be shown. I am not the original poster, but I came into this discussion when I faced the trouble and was trying to check for a similar case.

I think that you should post a fresh question and screen shots.

Ben

I am having this same issue. I am finding that the field restriction is not being applied even when I set a user's role to have "No Access" to any of the fields in the table. The view permissions are also not being applied... I am able to modify everything in the record regardless when logged in as a user under this role as well as when testing "as another role" through my admin login. Was a solution to this found?

It is probably better to post a new question so it will be seen by a wider audience, but the odds of you finding a security loophole in Quickbase are about zero.

As discussed in this forum post here, the Test As Role will not replicate field level permissions.

When you're testing while logged in as the user, there just has to be a situation where that user ID is in multiple roles and the other Roles do not have these field level restrictions. Keep in mind that QuickBase always endeavors to give the most access possible when a user is in multiple roles.

Ben

Solved

Oh good, so you are good now. Was it multiple roles?

Ben

Yes, it was a global role for all internet users. I was unaware that we had such a role but it defaulted to full field permissions for the new tables created.
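
Added example (not part of the thread and not Quickbase code): a small audit that applies the "most access possible across roles" rule described above and reports which role is responsible when a user sees more fields than the restricted role allows. The role names, field names, the `GLOBAL_ROLES` list and the NONE < VIEW < MODIFY ordering are constructed assumptions for illustration.

```python
from enum import IntEnum

class Access(IntEnum):          # assumed ordering: higher value = more access
    NONE = 0
    VIEW = 1
    MODIFY = 2

# Constructed sample data: role -> field -> access level.
ROLE_FIELDS = {
    "Restricted Viewer": {"Name": Access.VIEW, "Status": Access.VIEW,
                          "Salary": Access.NONE, "Notes": Access.NONE},
    # A global role left at full field permissions, as in the last reply.
    "Everyone": {"Name": Access.MODIFY, "Status": Access.MODIFY,
                 "Salary": Access.MODIFY, "Notes": Access.MODIFY},
}
USER_ROLES = {"tester@example.com": ["Restricted Viewer"]}
GLOBAL_ROLES = ["Everyone"]     # applies to every user, listed or not

def roles_for(user):
    """Explicit role memberships plus roles that apply to everyone."""
    return USER_ROLES.get(user, []) + GLOBAL_ROLES

def effective_access(roles):
    """Per field, the most permissive level across all given roles."""
    result = {}
    for role in roles:
        for field, level in ROLE_FIELDS[role].items():
            result[field] = max(result.get(field, Access.NONE), level)
    return result

def over_exposed(roles, intended_role):
    """Fields where access exceeds intended_role, mapped to the roles granting it."""
    intended = ROLE_FIELDS[intended_role]
    findings = {}
    for field, level in effective_access(roles).items():
        want = intended.get(field, Access.NONE)
        if level > want:
            findings[field] = sorted(
                r for r in roles if ROLE_FIELDS[r].get(field, Access.NONE) > want)
    return findings

if __name__ == "__main__":
    roles = roles_for("tester@example.com")
    for field, granting in over_exposed(roles, "Restricted Viewer").items():
        print(f"{field}: exceeds intended access, granted by {granting}")
```
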