Collection Permissions
Provide an extra layer of protection for sensitive data such as emails, names, or birthdays by setting up permissions on your collections!
Skill Level: Intermediate

Before You Begin

Walkthrough

In-Depth
FAQ
Setting up permissions on Collection data provides some extra protection of sensitive information and is quite easy to do!
Updating collection permissions is different from just hiding this information from users by using visibility rules. Instead of just hiding the information, the data is not even served to the users device from the database.

User Collection Permissions

1. Click on the database icon
in the left menu of the Adalo Editor.
2. Click on your Users collection, then choose Records
3. In the top right corner of the records popup, click on the Shield and Key icon
4. On this screen, you can select different properties in the User collection and change who can View and who can Edit that particular property. Note that no one is able to view the password property - not even the owning user.
5. Under the View and Edit dropdowns you have a few options to choose from:
  • Everyone - This allows any user to view or edit the property if your app is designed for them to do so.
  • Only Logged In Users - This allows only users who are logged into your app to view or edit a property if your app is designed for them to do so.
  • Only the Record Creator - This means that only the user with the email listed on the user record can view or edit the property if your app is designed for them to do so.
  • Nobody - This data will not be accessible to anyone outside of the Adalo Editor Database UI.
6. Once finished editing the permissions, click Save and Close in the bottom right of the popup.

Other Collection Permissions

1. Click on the database icon
in the left menu of the Adalo Editor.
2. Click on the more button next to the Database Collections heading.
3. On this screen, you can select how these collections will handle the creation of new records, who can view those records as well as who can update & delete those records.
4. These dropdowns provide the following options to choose from:
  • Everyone - This allows anyone to perform that action
  • All Logged In Users - This allows any user that is currently logged in to perform that action.
  • Some Logged In Users - This allows only certain user-related properties to perform that action. See the requirements below.
  • Nobody - No one can perform that action
Some Logged In Users requirements A relationship property to the User Collection must be set up in that collection in order for this to be an option in this dropdown list.
This feature is currently limited to a relationship depth of 2. Meaning a relationship of a relationship can be used but no further. Each related property should have the toggle set to 'checked' in order to be active.
  1. 1.
    What are User Permissions/Collection Permissions? Allows you to control how you protect sensitive data in your app at the database level.
  2. 2.
    How are User Permissions and Collection Permissions different? User permissions currently work to a more granular level whereby each property within the collection can have the access controlled for viewing and editing. Whereas Collection permissions work at a high level only where access is controlled at the collection level and that access is then set to all properties within that collection.
  3. 3.
    Do I still have to set up visibility rules? Yes! Permissions are not a replacement for visibility rules. Permissions are database related and visibility rules are design-related. The two should be thought of completely separately and implemented individually. Here's an example; Bad: A list of all posts on a screen. Permissions filters that list to only show you your posts. Good: The list itself is filtered to only show you your posts. Permissions are also set up to reinforce this.
  4. 4.
    Why do I need to set up Permissions if I have visibility rules? Visibility rules will only hide UI components within the app but not the data that is accessible to the app. Setting up the permissions will ensure only the data that should be accessible, is accessible to the app.
  5. 5.
    When will permissions apply? Immediately! Once you make changes and click save, the change is active right away. It’s controlled at the database level so you do not need to re-publish an app for it to take effect.
  6. 6.
    What are the defaults that Adalo sets for makers? For normal collections, Adalo sets permission defaults to “Everyone” - meaning that data is as accessible as possible and you need to define the rules to restrict that. For the Users collection, Adalo automatically sets permissions to "Only the Record Creator" for the users' Email, Password, and Full Name.

Learn More

  • Applying permissions to relationships is only currently possible for relationships to the User Collection. Improvements to extend this functionality are planned on the roadmap.
  • Rules based on properties in Other collections are currently not possible and is a planned feature for the future.
  • This feature is completely optional but can help provide extra safeguards for sensitive user data.
  • This feature is retroactive for the User's collection. The Email, Username, Full Name, and Password will only be able to be changed by the owning user by default. For instance, [email protected] can only edit his own email, username, full name, and password. You as the app maker, can however, change these default permissions if you want to.

Help

If you need additional help with this article, you can always ask in our community forum! Be sure to paste the link to this article in your post as well!
Do you have a tutorial or help doc request? Let us know!