User groups and permissions....

Hi

I am playing around with usergroups and just wanted to bounce off what I am trying to do to ensure I am not doing it wrong:

I have a set of users called admin users. Let's call them Admin1 and Admin2. From my Android app backed by Kinvey, I allow creation of new users (let's call them User1, User2 and User3). Now on creation each user is allowed to pick an admin user account who will have read-write access to all the user data. So let's say if User1 and User2 pick Admin1 as the associated admin account, then all the collections created/owned by User1 and User2 are accessible to Admin1 in read-write mode. The way I am trying to solve this problem is by using UserGroups. Whenever the admin account is created, an associated user group is created with the same name as the admin username and the Admin1 account is added to the usergroup. Now whenever the user accounts are created and they are asked for the associated admin account, the user account id is added to the user group that was created by that specific admin account. The group will look something like this:

    {
      "_id": "Admin1",
      "groups": [
        {}
      ],
      "users": {
        "all": false,
        "list": [
          {
            "_collection": "user",
            "_id": "dhsw436475745", // Admin1
            "_type": "KinveyRef"
          },
          {
            "_collection": "user",
            "_id": "c331dce3bced562b", // User1
            "_type": "KinveyRef"
          },
          {
            "_collection": "user",
            "_id": "sdf4354bced562b", // User2
            "_type": "KinveyRef"
          }
        ]
      },
      "_acl": {
        "creator": "54cfb4515743sder0edf0"
      },
      "_kmd": {
        "lmt": "2015-02-10T16:37:52.184Z",
        "ect": "2015-02-10T16:37:52.184Z"
      }
    }



Is this the correct user group that should be created such that Admin1 has read/write permissions to both User1 and User2 data? I understand that in this situation even User2 will get read/write access to User1 data and both User1 and User2 get read/write access to Admin1 data. Is there a way to prohibit these two cases?

OK, it seems like I may not be able to do it, as whenever I use Client.userGroup().addUserToGroup(), it creates the group afresh with only the user id given, even if the group ID given is the same. This means I can't really create a group with a list of users where each user adds themselves to the group. The only way possible seems to be to use addUserListToGroup(), but then that means I need to store the relationship of Admin1, User1 and User2 in a separate collection and trigger an addUserListToGroup whenever the collection is updated?

Good afternoon Pankaj,

I wanted to let you know that we don't really suggest using 'groups' in this manner. You could accomplish this same effect by using the _acl of each user, by adding Admin1's ID to each user's _acl.

Please let me know if you have any other questions,

> @Damien said:
> Good afternoon Pankaj,
>
> I wanted to let you know that we don't really suggest using 'groups' in this manner. You could accomplish this same effect by using the _acl of each user, by adding Admin1's ID to each user's _acl.
>
> Please let me know if you have any other questions,

Thanks Damien. I also figured that _acl is the best way to go. The only reason I was looking at groups was because there can be an instance where User1 gets reassigned to, say, Admin2. Since all the data generated by User1 till that point of time had _acl pointing to Admin1, is there a way to update the _acl of that data to point to Admin2? Using groups I just had to update the group membership by removing Admin1 and adding Admin2?

I might suggest adding a flag to the user collection, "assignedAdmin", if they are; maybe have a collection of admin IDs and then remove those from the ACL before you add the new administrator. That's probably the easiest case to handle this.
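
The reassignment suggested in the last reply, sketched as an added example (not code from the thread's participants or from Kinvey). It assumes each entity's `_acl` carries `creator` plus `r` and `w` arrays of user IDs; the function names, sample IDs and entities are constructed, and saving the updated entities back to the backend is not shown.

```javascript
// Added example. Assumption: _acl = { creator, r: [userIds], w: [userIds] }.
// All IDs and entities below are constructed sample data.

// Return a copy of the entity whose ACL grants read/write to newAdminId
// and to none of the IDs in knownAdminIds (the "collection of admin IDs").
function reassignAdmin(entity, newAdminId, knownAdminIds) {
  const acl = entity._acl || {};
  const admins = new Set(knownAdminIds);
  const swap = (list) => {
    // Strip every known admin first so a stale grant cannot survive.
    const kept = (list || []).filter((id) => !admins.has(id));
    // The creator already has full access, so never list them again.
    if (newAdminId !== acl.creator && !kept.includes(newAdminId)) {
      kept.push(newAdminId);
    }
    return kept;
  };
  return { ...entity, _acl: { ...acl, r: swap(acl.r), w: swap(acl.w) } };
}

// Reassign one user: update the "assignedAdmin" flag and rewrite the ACL of
// every entity that user created. Other users' entities are left untouched,
// so User2 never gains access to User1's data as a side effect.
function reassignUser(user, entities, newAdminId, knownAdminIds) {
  const updated = entities.map((e) =>
    e._acl && e._acl.creator === user._id
      ? reassignAdmin(e, newAdminId, knownAdminIds)
      : e
  );
  return { user: { ...user, assignedAdmin: newAdminId }, entities: updated };
}

const ADMINS = ["admin1-id", "admin2-id"];
const user1 = { _id: "user1-id", assignedAdmin: "admin1-id" };
const data = [
  { _id: "a", _acl: { creator: "user1-id", r: ["admin1-id"], w: ["admin1-id"] } },
  { _id: "b", _acl: { creator: "user1-id", r: ["admin1-id", "auditor-id"], w: [] } },
  { _id: "c", _acl: { creator: "user2-id", r: ["admin1-id"], w: ["admin1-id"] } },
];
const result = reassignUser(user1, data, "admin2-id", ADMINS);
console.log(JSON.stringify(result, null, 2));
```

Running the same reassignment twice yields the same ACLs, so the update can be retried safely if a save fails partway through.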