User Management: Have the User Rights Under Control

Martin Večeřa

Collaboration is one of Lumeer’s most important features. You can add other users to your organizations and projects and decide what they are allowed to see, change or add. You can also organize users in teams. See how user and team management works in Lumeer.

User management in Lumeer follows the Role Based Access Control model. If you are familiar with its principles, you might just check the rights overview at the bottom of this article.

For details on how information is organized in Lumeer, check out Basic Principles.

Organizations and Projects

[Image: users and teams and organization structure]

All users and teams are bound to an organization (or multiple organizations). Anyone you want to collaborate with must first join your organization.

Teams are also defined at the organization level.

Within organizations, there are projects. While data are kept separate between projects, all projects share the same users and teams within an organization.

In projects, there are tables, link types, and views.

Teams

Teams are only supported in the Business plan.

Users can join any number of teams: they can have no team assigned, or (in theory) an unlimited number of teams.

[Image: user assignments to teams]

The resulting user rights are computed as the union of all rights:

  • given directly to that user,
  • given directly to the teams the user is a member of,
  • that the user obtained from the upper hierarchical levels (from the project or organization),
  • that the teams (the user is a member of) obtained from the upper hierarchical levels (from the project or organization).

Teams are very similar to users. You can think of Teams as sample users.

The recommended approach is to create Teams that represent individual organizational roles. Always think of a Team as a sample user. Then assign that sample user (Team) the corresponding rights.

For example, the Finance team should have the necessary read and write access rights to specific tables and views. Then assign all users who work in the Finance team in your real organization to this team in Lumeer.

Later, when the needs of the Finance team change (they need access to another table), you simply grant the corresponding right on that table to this team. All team members get it automatically.

Please note that teams do not need to grant Join rights to an organization or project. It is good practice to keep team rights as fine grained as possible and limited to tables and views, with the exception of a few teams that spread users across the projects in the organization.

User Rights Hierarchy

User rights are configured separately for each of the units – organizations, projects, tables, and views. However, they need to follow a certain hierarchy.

For example, a user always needs to have at least the Join right at the organization and project level to be able to see tables and views in that particular project.

[Image: directly assigned user rights]

If the Join right is missing at the organization or project level, a user cannot see the table, because they cannot access the project in the first place.

It is possible to gain some rights from an upper hierarchical level. At the bottom of this article, there is an overview of all the user rights and their ability to be inherited.

This inheritance means that users might get rights to all tables, all views, all projects etc.

Let’s see an example. In the following diagram, we can see the Read Records right that the user or team has directly assigned at the table level. This gives the user access to that specific table.

[Image: directly assigned user right]

Another option is to have the Read Everything right assigned to the user or team at the project level. This gives the user access to all tables and views in this particular project (including the table).

[Image: user right assigned at the project level]

Finally, the user or team can have the Read Everything right assigned at the organization level. This gives them access to all tables and views in all projects.

[Image: user rights assigned at the organization level]

In Lumeer, user rights shown in green are always directly assigned. Those in gray are obtained from an upper hierarchical level (from a project, or organization).

In the case of views, rights can also be inherited from tables. For example, a read only view becomes read and write for users who have write access to the underlying table anyway.

User Management In an Organization

To enter the user management screen, click on the organization code and select Configure.

[Image: access user rights settings]

This is the main place where new users are added. There are a couple more ways to add users to the organization (mentioned later); nevertheless, they always need to be present here. It is not possible to have a user just at the project level.

On the Users tab, you can see the list of the existing users and a field for inviting new users.

[Image: user management]

When you add a user to the organization, they are automatically visible on the Users tab in all projects. However, this does not grant them any rights (i.e. the newly added user sees neither the organization nor any project).

A user needs to have at least the Join right to see an organization, project, table, link type, or view.

New users are always added with no rights assigned.

To remove a user from an organization (and all its projects), click on the red bin icon.

It is also possible to assign users to teams here (use the Add Teams button).

Team Management In an Organization

Teams are only created at the organizational level. However, their rights are configured separately at all levels (organization, project, table, link type, view).

As we have already mentioned, you can think of a team as a template user. This gives you a better idea of what rights need to be configured where.

Sometimes, it is possible to choose the opposite approach. Companies just invite a few users from various groups, set up their roles and fine tune the system. Then they create teams that correspond to the rights of those individual users. Other employees are then added with the appropriate team membership.

[Image: team management]

Every team has its name, description, list of users who are members of the team, and rights of the team.

User Management In a Project

Managing users at the project level is very similar to the organization level. Click on the project code and select Configure.

[Image: user management settings in project]

The list of existing users appears. There is no option to invite new users – that can be done only at the organization level.

Also, users can be assigned to teams only at the organization level, not at the project level. However, nothing prevents you from creating teams in such a way that they only provide rights for a certain project.

[Image: user management at the project level]

All users from the organization are listed in the project, but if they are not assigned any right (at least the Join right), they don’t have access to the project (i.e. they do not see it at all).

The team settings are very similar, again with the exception that it is not possible to assign users to the team.

[Image: team user management]

User Management In a Table

To enter table settings, click on the gear icon next to the table icon:

[Image: table settings]

And switch to the Users tab.

[Image: user management in table]

Inviting Users

In addition to directly adding users in the organization settings, it is possible to invite them directly into a project using the invite button in the upper right corner.

[Image: invite user]

First, you must specify emails of the users you want to invite.

[Image: invite users dialog]

Next, you just select the rights of the new colleagues.

[Image: select user rights]

This only grants the users some basic rights so that they can start working with data in Lumeer. For anything beyond that, you must further tweak their rights settings.

Another option is to specify an email of a colleague who is not present in your organization directly when sharing a view.

[Image: inviting users through view sharing]

That way the user is added to the organization and project (with the Join right), and then you can fine tune their specific rights for that particular view.

User Rights

The user rights are quite fine grained to allow a very detailed control of what each individual can see and do in the system.

To allow that, the user rights mostly overlap but there are slight differences on each level (organization, project, table, link type and view).

Moreover, some user rights imply inherited rights at lower levels. For example, Read Everything at the project level automatically gives Read Records on all tables in the project.

Let’s see what rights are available at each level, what is their purpose (what do they control), and what impact they have on lower levels.

Organization User Rights

| User Right | Description & Purpose | What Rights It Implies on Lower Levels |
| --- | --- | --- |
| Join | A user joins this organization and can see it. Users need additional rights to see and work with data and configuration of this organization. This is a minimal requirement for any user to be able to work within the organization. | |
| Manage | A user can change the organization name, color, icon, description, can trigger payments and update the invoicing contact, and can delete the organization. | |
| Create Projects | A user can create new projects in this organization. They become a manager of the new project. | |
| User Management | A group turning on the following two rights at once: Manage Organization Users, Manage All Users. | |
| Manage Organization Users | A user can add, modify, and delete users in this organization (at the organizational level). | |
| Manage All Users | A user can add, modify, and delete users and their rights everywhere in this organization. | Implies Manage All Users in all projects in this organization, and also implies Manage Users in all Tables, Link Types and Views in all projects in this organization. |
| Create Tables, Links and Views | A group turning on the following rights at once: Create Tables Everywhere, Create Link Types Everywhere, Create Views Everywhere. | |
| Create Tables Everywhere | A user can create tables in all projects in this organization. They become a manager of the new table. | Implies Create Tables in all projects in this organization. |
| Create Link Types Everywhere | A user can create link types in all projects in this organization. They become a manager of the new link type. | Implies Create Link Types in all projects in this organization. |
| Create Views Everywhere | A user can create views in all projects in this organization. They become a manager of the new view. | Implies Create Views in all projects in this organization. |
| Manage Tables, Links and Views | A group turning on the following rights at once: Join Everything, Manage Everything, Manage Table Columns, Manage Automations. | |
| Join Everything | A user can see this organization, all projects, and all tables, views and links in all projects in this organization. They need additional rights to be able to see and modify data or configuration though. | Implies Join and Join Everything in all projects in this organization, and also implies Join in all Tables, Link Types and Views in all projects in this organization. |
| Manage Everything | A user can change and delete this organization, all projects, and all tables, views and links in all projects in this organization. | Implies Manage and Manage Everything in all projects in this organization, and also implies Manage in all Tables, Link Types and Views in all projects in this organization. |
| Manage Table and Link Columns | A user can add, modify, and delete columns in tables and link types in all projects in this organization. | Implies Manage Table and Link Columns in all Tables and Link Types in all projects in this organization. |
| Manage Automations | A user can add, modify, and delete automations in all tables and link types in all projects in this organization. | Implies Manage Automations in all Tables and Link Types in all projects in this organization. |
| Manage Data | A group turning on the following rights at once: Read Everything, Write Everything, Contribute Everywhere, Delete Everywhere, Comment on Anything. | |
| Read Everything | A user can read all data in all tables and views in all projects in this organization. | Implies Read Everything in all projects in this organization, and also implies Read Records in all Tables, Link Types and Views in all projects in this organization. |
| Write Everything | A user can modify all data in all tables and views in all projects in this organization. | Implies Write Everything in all projects in this organization, and also implies Write Records in all Tables, Link Types and Views in all projects in this organization. |
| Contribute Everywhere | A user can create, see, modify and delete only their own records (rows) in all tables, links, and views in all projects in this organization. | Implies Contribute Everywhere in all projects in this organization, and also implies Contribute Records in all Tables, Link Types and Views in all projects in this organization. |
| Delete Everywhere | A user can delete all records (rows) in all tables and views in all projects in this organization. | Implies Delete Everywhere in all projects in this organization, and also implies Delete Records in all Tables, Link Types and Views in all projects in this organization. |
| Comment on Anything | A user can comment on all records in all projects in this organization. | Implies Comment on Anything in all projects in this organization, and also implies Comment Records in all Tables, Link Types and Views in all projects in this organization. |
| Manage Views | A group turning on the following rights at once: Configure Views Everywhere, Manage View Queries Everywhere. | |
| Configure Views Everywhere | A user can manage the visual configuration of all views in all projects in this organization. | Implies Configure Views Everywhere in all projects in this organization, and also implies Configure View in all Views in all projects in this organization. |
| Manage View Queries Everywhere | A user can modify queries in all views in all projects in this organization. | Implies Manage View Queries Everywhere in all projects in this organization, and also implies Manage View Query in all Views in all projects in this organization. |

Project User Rights

Project user rights are very similar to those at the organization level. They just cannot grant rights for all projects, only for the current one and its content (tables, link types, and views).

| User Right | Description & Purpose | What Rights It Implies on Lower Levels |
| --- | --- | --- |
| Join | A user joins this project and can see it. Users need additional rights to see and work with data and configuration of this project. This is a minimal requirement for any user to be able to work within the project. | |
| Manage | A user can change the project name, color, icon, description, and can delete the project. | |
| Manage Settings | A user can manage sequences, selection lists, variables and can publish this project. | |
| User Management | A group turning on the following two rights at once: Manage Project Users, Manage All Users. | |
| Manage Project Users | A user can add, modify, and delete users in this project (at the project level). | |
| Manage All Users | A user can add, modify, and delete users and their rights everywhere in this project. | Implies Manage Users in all Tables, Link Types and Views in this project. |
| Create Tables, Links and Views | A group turning on the following rights at once: Create Tables, Create Link Types, Create Views. | |
| Create Tables | A user can create tables in this project. They become a manager of the new table. | |
| Create Link Types | A user can create link types in this project. They become a manager of the new link type. | |
| Create Views | A user can create views in this project. They become a manager of the new view. | |
| Manage Tables, Links and Views | A group turning on the following rights at once: Join Everything, Manage Everything, Manage Table Columns, Manage Automations. | |
| Join Everything | A user can see this project, and all tables, views and links in this project. They need additional rights to be able to see and modify data or configuration though. | Implies Join in all Tables, Link Types and Views in this project. |
| Manage Everything | A user can change and delete this project, and all tables, views and links in this project. | Implies Manage in all Tables, Link Types and Views in this project. |
| Manage Table and Link Columns | A user can add, modify, and delete columns in tables and link types in this project. | Implies Manage Columns in all Tables and Link Types in this project. |
| Manage Automations | A user can add, modify, and delete automations in all tables and link types in this project. | Implies Manage Automations in all Tables and Link Types in this project. |
| Manage Data | A group turning on the following rights at once: Read Everything, Write Everything, Contribute Everywhere, Delete Everywhere, Comment on Anything. | |
| Read Everything | A user can read all data in all tables and views in this project. | Implies Read Records in all Tables, Link Types and Views in this project. |
| Write Everything | A user can modify all data in all tables and views in this project. | Implies Write Records in all Tables, Link Types and Views in this project. |
| Contribute Everywhere | A user can create, see, modify and delete only their own records (rows) in all tables, links, and views in this project. | Implies Contribute Records in all Tables, Link Types and Views in this project. |
| Delete Everywhere | A user can delete all records (rows) in all tables and views in this project. | Implies Delete Records in all Tables, Link Types and Views in this project. |
| Comment on Anything | A user can comment on all records in this project. | Implies Comment Records in all Tables, Link Types and Views in this project. |
| Manage Views | A group turning on the following rights at once: Configure Views Everywhere, Manage View Queries Everywhere. | |
| Configure Views Everywhere | A user can manage the visual configuration of all views in this project. | Implies Configure View in all Views in this project. |
| Manage View Queries Everywhere | A user can modify queries in all views in this project. | Implies Manage View Query in all Views in this project. |

Table, Link Type and View User Rights

Rights at this level (tables, link types, and views) do not have any further inheritance or any influence on other units of the information model (tables, link types, views).

| User Right | Description & Purpose |
| --- | --- |
| Join | A user joins this table/view and can see it. Users need additional rights to see and work with data and configuration of this table or view. This is a minimal requirement for any user to be able to work with the table or view. |
| Manage | A user can change the table/view name, color, icon, description, and can delete it. |
| Manage Users | A user can manage user rights in this table/view. |
| Manage Automation | A user can add, modify, and delete automations in this table or view. |
| Manage Columns | A user can add, modify, and delete columns in this table. This right is only available for Tables and Link Types. |
| Manage Data | A group turning on the following rights at once: Read Records, Write Records, Contribute Records, Delete Records, Comment Records. |
| Read Records | A user can read all records (rows) in this table, link, or view. |
| Write Records | A user can modify all records (rows) in this table, link, or view. |
| Contribute Records | A user can create, see, modify and delete only their own records (rows) in this table, link, or view. |
| Delete Records | A user can delete all records (rows) in this table, link, or view. |
| Comment Records | A user can comment on all records (rows) in this table, link, or view. |
| Configure View | A user can manage the visual configuration of this view. This right is only available for Views. |
| Manage View Query | A user can modify queries in this view. This right is only available for Views. |

View Rights Limitations

There is a special case with limited rights on Views. Nobody can ever gain more rights on a View than the original View author.

This is for security reasons: otherwise someone could share a View with a colleague in another team and give them undesired access to, for instance, sensitive data.

Rights Inheritance In Detail

To give you a better idea about inheritance of individual rights, we provide the following table. In this table, you can see a list of user rights that can be inherited, and how they are called on individual levels.

The flow of inheritance is from left to right. For example, on the first row, we can see Manage All Users. When set at the organization level, it implies everything to the right (project, table, link type, view). When set at the project level, it again implies everything to the right of that level (table, link type, view). No inheritance happens from the Table, Link Type and View levels.

| Organization | Project | Table, Link Type | View |
| --- | --- | --- | --- |
| Manage All Users | Manage All Users | Manage Users | Manage Users |
| Create Tables Everywhere | Create Tables | | |
| Create Link Types Everywhere | Create Link Types | | |
| Create Views Everywhere | Create Views | | |
| Join Everything | Join + Join Everything | Join | Join |
| Manage Everything | Manage + Manage Everything | Manage | Manage |
| Manage Table and Link Columns | Manage Table and Link Columns | Manage Columns | |
| Manage Automations | Manage Automations | Manage Automations | |
| Read Everything | Read Everything | Read Records | Read Records |
| Write Everything | Write Everything | Write Records | Write Records |
| Contribute Everywhere | Contribute Everywhere | Contribute Records | Contribute Records |
| Delete Everywhere | Delete Everywhere | Delete Records | Delete Records |
| Comment on Anything | Comment on Anything | Comment Records | Comment Records |
| Configure Views Everywhere | Configure Views Everywhere | | Configure View |
| Manage View Queries Everywhere | Manage View Queries Everywhere | | Manage View Query |
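The rules spelled out on this page (the union of rights granted to a user and to their teams, the Join requirement at the organization and project level, the downward inheritance in the table above, and the view-author cap from View Rights Limitations) can be checked against a small model. The following is an added example written for this article, not Lumeer’s own code; the organization, project, table, view and user names are constructed, and only a subset of the inheritance rows is encoded.

```python
from dataclasses import dataclass, field

# Subset of the inheritance table above: organization right, the project
# right(s) it implies, then the table/link-type and view names (None = none).
ROWS = [
    ("Join Everything", ["Join", "Join Everything"], "Join", "Join"),
    ("Read Everything", ["Read Everything"], "Read Records", "Read Records"),
    ("Write Everything", ["Write Everything"], "Write Records", "Write Records"),
    ("Configure Views Everywhere", ["Configure Views Everywhere"], None, "Configure View"),
]
# (level, right) -> set of (lower level, right) it implies; the last project
# entry of a row is the one that itself implies the table/view rights.
IMPLIES: dict = {}
for _org, _proj, _tbl, _view in ROWS:
    _lower = {(lvl, r) for lvl, r in (("table", _tbl), ("view", _view)) if r}
    IMPLIES[("organization", _org)] = {("project", p) for p in _proj} | _lower
    IMPLIES[("project", _proj[-1])] = _lower

@dataclass
class Resource:
    name: str
    level: str                  # organization | project | table | view
    parent: "Resource | None" = None
    author: "str | None" = None  # views only: the original view author
    grants: dict = field(default_factory=dict)  # principal -> set of rights

    def chain(self):  # this resource, then its ancestors up to the organization
        node = self
        while node is not None:
            yield node
            node = node.parent

def _union(principals, resource) -> set:
    """Union of rights any principal holds on resource, directly or inherited."""
    rights = set()
    for node in resource.chain():
        for principal in principals:
            for right in node.grants.get(principal, ()):
                if node is resource:
                    rights.add(right)
                else:  # translate the upper-level right down to this level
                    rights |= {r for lvl, r in IMPLIES.get((node.level, right), ())
                               if lvl == resource.level}
    return rights

def effective_rights(user, teams, resource) -> set:
    """Union over the user and their teams, capped by the view author's rights."""
    rights = _union([user, *teams.get(user, [])], resource)
    if resource.level == "view" and resource.author not in (None, user):
        rights &= _union([resource.author, *teams.get(resource.author, [])], resource)
    return rights

def can_access(user, teams, resource) -> bool:
    """Join (or Join Everything) is required at organization and project level."""
    return all({"Join", "Join Everything"} & effective_rights(user, teams, node)
               for node in resource.chain() if node.level in ("organization", "project"))

def demo() -> dict:
    """Constructed scenario: organization acme, project sales, a table and a view."""
    org = Resource("acme", "organization", grants={
        "alice": {"Join Everything", "Read Everything", "Write Everything"},  # owner
        "bob": {"Join"}, "carol": {"Join"}})
    proj = Resource("sales", "project", org, grants={"bob": {"Join"}, "carol": {"Join"}})
    invoices = Resource("invoices", "table", proj, grants={
        "finance": {"Read Records"},  # team grant; bob is the only member
        "erin": {"Read Records"}})    # erin lacks Join at organization/project
    view = Resource("intern-view", "view", proj, author="carol",
                    grants={"carol": {"Join", "Read Records"}})
    teams = {"bob": ["finance"]}  # user -> teams the user is a member of
    return {
        "alice_view": effective_rights("alice", teams, view),      # capped by carol
        "bob_invoices": effective_rights("bob", teams, invoices),  # via the team
        "bob_sees_invoices": can_access("bob", teams, invoices),
        "erin_sees_invoices": can_access("erin", teams, invoices),
    }
```

Note that alice, despite Write Everything at the organization level, ends up with only what carol, the view author, has on the view, and erin’s direct table grant is useless without Join at the organization and project level.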

Example User Rights Settings

Let’s have a look at a typical scenario and what user rights we’ll need to set up. We can either create users with these roles directly, or create teams with the roles and assign the users to those teams.

For the simplicity of this demonstration, we’ll configure the rights for users directly.

In the example, we have the following five users:

  • a super user who can do anything (typically the organization owner),
  • a solution architect who configures the platform and builds solutions,
  • a system administrator who does not see any data but manages users and settings,
  • a user with data read and write access,
  • and finally a read only user (a temporary intern, for example).

The Super User

As the company owner, they can have all the possible rights. It is sufficient to set the rights at the organization level. They are automatically distributed (due to inheritance) throughout all projects, tables, link types, and views.

[Image: super user settings]

The Solution Architect

The solution architect is allowed to create projects, tables, link types, views, configure the whole information model, fill in data, and develop automations.

It depends on whether we have a single solution architect in the company, or multiple solution architects dedicated to specific projects.

If we have only one solution architect, we can set their rights at the organization level. If we have solution architects per project, we give them just the Join right at the organization level and configure the rights at the project level.

[Image: solution architect user rights]

To make it easier, we can just list the rights that are left out: Manage, User Management.

The System Administrator

The system administrator complements the solution architect in the user rights. We should have at least one system administrator at the organization level so that they are able to add new users.

[Image: system administrator user rights]

A Generic Employee

Most of the employees will have the right to Join the organization and project and work with data in selected tables and views.

This is the minimum their settings need to look like at the organization and project level:

[Image: join user right]

Now we have several options. We can allow the employees to read and write all tables and views at the project level.

[Image: user rights at the project level]

Or we can turn on the necessary rights on individual tables and views, as follows:

[Image: user rights in view]

Of course, we can decide not to give users the Configure View or Manage View Query rights.

By the way, whenever you hover the mouse cursor over a user right, you can see a tooltip explaining the right’s purpose.

An Intern

For interns, temporary employees, etc., we follow the same approach as with a generic employee. So we make sure they have the Join right at the organization and project level.

We typically do not give them more rights at the top levels as we do not want these colleagues to automatically get any rights.

We just carefully select what they are allowed to do with individual views. Typically, we do not share tables directly as views provide much better control over what part of data is visible.

Sometimes, just a few rights can do the job.

[Image: intern user rights]

Overview of User Rights

As user management can be quite complex, it is useful to have an overall overview of what rights individual users have throughout the whole organization.

Such an overview is available in user settings in the organization settings.

[Image: overview of what individual users can access in your organization]

There is also an audit log available for each user.

Conclusion

Should you have any questions or need any help configuring the user management for your organization, just contact us.

Also, if you need a user right that is not yet available, get in touch and we’ll consider implementing it.