User permissions 🔐

[FelixMalfait]

Currently, all users on a workspace have the same rights to create, edit, view and delete records.

In the future we want to provide a more granular role/permission system that lets an admin control who can edit workspace settings, but also setting object-level permissionning.

Example implementation on Hasura: https://hasura.io/docs/latest/auth/authorization/permissions/common-roles-auth-examples/
Other example: https://www.producthunt.com/posts/permit-io

Implementation

• Create a new table permissionSet within the metadata schema: nameSingular, labelSingular, isCustom, isAdmin
• Create a new table permissionSetAssignment with userWorkspaceId and permissionSetId
• Create a new table objectPermissions with permissionSetId, objectMetadataId, canRead, canCreate, canEdit, canDelete

Later we will create fieldPermissions and replace isAdmin by a more granular table with individual permissions.

Update

Note

We began developing permissions. ETA end of Q1.

twentyhq/core-team-issues#12

[skamensky]

Just for some community feedback, this is a blocker for us. We must be able to support permissions to be able to migrate to twenty.

See #501 (comment) for a related comment of mine.

[FelixMalfait]

Thanks @skamensky - that's a big lift so not coming soon unfortunately. But definitely on the roadmap and will get done

[estan]

We are exploring a migration to Twenty as well.

Just so I understand this current limitation: There's currently no way to restrict what a user can do e.g. in terms of altering the Data model of a workspace? If so, that would be a blocker for us as well, or at least a tough pill to swallow. That users have free reign to modify objects is something we could live with for a while, but letting everyone modify the data model itself would be a bit too much - people tend to get "creative" and carried away with such freedoms, even if you tell them not to, and we're a bit worried cleaning up unwanted model changes might become problematic..

[FelixMalfait]

@estan Yes that's correct. It's not the long term vision obviously but that's the current state.

[skamensky]

Understood, @FelixMalfait . Thanks for the reply.

In terms of permit-io, I just browsed their code and site and it looks like they don't support permissioning at the query level yet, which would make larger filtering either inefficient or insecure.

https://github.com/permitio/docs/blob/58384169b2786c02895abbec345cfe45668e68f4/docs/how-to/enforce-permissions/data-filtering.mdx?plain=1#L56-L67

[FelixMalfait]

Thanks! still a lot TBD. We were exploring relying on Postgres-level RLS but not sure we'll go that way

[bwmirek]

Any updates? Still blocker to implement this for real clients

[skamensky]

Looks like they're trying to hire someone to do this right now!

https://www.ycombinator.com/companies/twenty/jobs/b1Uku7w-senior-software-engineer

Just posted today.

[hjpineda]

Hi all, this is also a blocker for us to move to Twenty. Is it possible to bump this priority up?

[FelixMalfait]

Hey @ijreilly and @Weiko are starting to work on this on Monday.
@ijreilly will work full time on this. We'll complete it by end of March.
(row level permissions probably not covered by this date but at least we'll have at least object-level / settings-permissions)

[ReessKennedy]

+1 ... I can use Twenty for organizing personal contacts but without solid permission control (and ability to hide some records from some users, like "hide all records with tag of finance") then we can't use for collaboration or team.

This feature feels, to me, like core to CRM and more important than automated Workflows given it seems clear this is a blocker for many with being able to use the CRM with their team? (Automatted workflow beta is amazing but just feel like in hierarchy of adoption, this one is more important.)

My only thought for achieving is multiple workspaces with the thought that these workspaces could be merged if/when this feature ships but not sure that is possible.

[FelixMalfait]

Hey thanks for the feedback! we're still on track for a v1 of permissions by end of March. We'll keep iterating in Q2 to make them more powerful (row-level permissions will come at the very end, prioritizing object level/ field level and settings permissions first)

[FelixMalfait]

#10159 (frontend only, backend not done)

[FelixMalfait]

V1 of permissions is now in production, it's very basic for now but followups will come in April/May to bring role creation, object-level/field-level permissions.

[cryptoraichu]

Hello any update about role creation, object-level/field-level permissions?

[FelixMalfait]

Object level is code-complete. We are adding it to the Lab (public beta) next week and it will be out of the lab the following week (June 24 max). As for field-level it's planned but no date yet

[cryptoraichu]

Thank you very much for your answer, one of the best crm I ever seen. Looking forward for new features 👍

[FelixMalfait]

Thank you!