Sign up to take part
Registered users can ask their own questions, contribute to discussions, and be part of the Community!
We are in the process of rolling out an application we have developed to our users. But we have a couple of open questions and I'm looking for some guidance, each associated with permissioning.
Creating application instances - We would like to centrally create application instances via a script (this has been set-up). We would like our users to be able to see these new application instances, however, we do not want users to be able to create their own application instances.
We believe this is something that should be possible, given one of the options when setting up an application is to restrict those able to 'instantiate the app' to only those with 'execute app' permissions.
When trying to set these permissions in practice however we are not able to achieve the desired state. In order to disable 'execute app' permissions we also have to disable 'read project' permissions. This process itself seems to prevent our users being able to see the application at all, yet alone any instances that have been created in it.
Deleting App Instances - We would like to prevent this same user group being able to delete app instances. The reason for this is there is a risk that users would hit delete, and also hit 'delete managed datasets' which could destroy some key tables.
We have not yet gotten round to understanding how this would be possible.
Any guidance is greatly appreciated!
Would you please try using the following permissions on the project level and the app level?
(Users in group "readers" can view the app. However, they cannot create or delete app instances )
App instance level:
> "In order to disable 'execute app' permissions we also have to disable 'read project' permissions."
As you can see in the screenshot above, the execute app permissions are disabled, while the "read project content is enabled".
If you are still not able to get your desired outcome, would you please provide a screenshot of your permissions?
Also, please feel free to open a support ticket and/or live-chat us.
I worked through the solution you provided and it got us someway to our desired behaviour.
Specifically users can now see the application within our workspace, and when given a link to the created application instance they can see and interact with the application user interface.
However, the permissions set up seems to require the user to know the link to the app instance and we seem to be unable to navigate directly to the application instance via the workspace...
land on workspace > select application > see application instances
At present when we select the application within the workspace the following error is given...
Any further guidance is appreciated!
Would you please check the security settings of the app instance and confirm that you have project visibility set to "discoverable"?
Also, you can add permissions to the App Instance folder (as shown below):
I hope this helps! Let me know if you have any questions.
Thanks for taking the time to respond to this post again; we scheduled a call with one of your colleagues who worked with us to an agreeable solution which was as follows;
- Remove all permision to our viewers group on the project which we wanted to serve to those users as an application
- Create a mechanism to dynamically create application instances. Store those application instances with a folder 'project x application instances'
- Give users access to 'project x application instances'
- During the creation process, also give users permission to run that specific application instance
This has taken us to a position where users are now unable to create their own app instances. We have had to move away from using the concept of 'workspaces' for this task, however within our project workspace we have linked to the 'project x application instnaces' folder.
Thank you for sharing your solution with the rest of the community @benmoss!