Most web apps need to track user data and access in some form or another. This set of functionality, which commonly serves to secure the application, needs to be both flexible enough to allow users to access the data they need, and secure enough so that a rogue user cannot gain access to sensitive portions of your application. Backand provides several ways to manage your Angular app’s users, as well as a variety of tools that can be used to secure your application. Below we’ll look at how users integrate with your Backand application, and how to leverage the available security options.
Interacting With Backand Users
Backand tracks all user registrations in an internal users table. You can access this table from your application’s dashboard, under “Security & Auth” → “Registered Users”. From this tab you can invite users to join your application (crucial when you don’t offer public access to your application), view your existing registered users, and change a user’s level of access. This will be your first stop in securing your app: the first few administrative users have to be set up by hand so that their access level is correct before anyone else is let in.
Most Backand apps are private by default, meaning that users need to be invited in order to use your app. You can change this in “Security & Auth” → “Configuration” to allow any user with the URL to register for your app by enabling the “Public App” setting. From this page you can also determine the security role of new users, as well as set custom pages for registration, email verification, and password reset.
Types of Registration
There are three primary ways in which users can gain access to your Backand application:
- Via a direct invitation from the Registered Users tab — This allows you to add new users before your app is ready for public consumption.
- Via a customizable registration process when you mark your app “public” — This allows you to add a custom registration page, as well as email verification and password recovery functionality. Users are assigned a security role upon registration that controls their access to the application. This is available on the Configuration tab.
- Via anonymous access, which requires no login or registration — This setting is also available on the Configuration tab. Anonymous users are assigned a role that governs their interactions with the application. It is highly recommended that Anonymous users are given a “read only” role that cannot affect your application too severely.
The approach that is right for your app will depend on your application’s use case. A combination of anonymous access and invite-only membership, for example, would be highly useful for a blog app, while a public-registration app with anonymous access could serve as a base for a community news aggregator website.
User Roles and Security
User actions and access are governed by security roles. A security role restricts access to every object in your application, and the restriction is applied per object. You can set permissions for each of the possible database actions, such as reading, updating, and deleting records. This access is governed with two tools: security roles and security templates. It is important to understand how these two concepts interact and to choose the appropriate one for your application, so be sure to review the differences described below.
A security role is a set of permissions that governs a user’s access to the application. A role’s permissions apply to all objects in the application unless they are explicitly overridden. For example, by default the “ReadOnly” role can only retrieve records from the database: it cannot create, modify, or delete items. A security role can also be granted increased or reduced access at the individual object level. These object-level settings are assigned from the object’s configuration tab, under “Security,” and can be changed for each role and each security template.
Security templates are the tools for governing a collection of user roles. In essence, security templates are collections of user roles that should be treated as a unit. By default only one template is available, but new templates can be created, and manipulated, at will. You can easily add or remove roles from a security template, and can override security settings for a template at a per-object level, just as you can for security roles on an individual basis.
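To make the interaction between role defaults, per-object overrides and security templates concrete, here is an added in-memory model of that resolution logic. It is example code written for this article, not the Backand SDK or dashboard, and the role names, object names, the “template override beats role override beats role default” precedence, and the helper functions are all assumptions of the example. It also covers the earlier point about anonymous users: the `writableObjectsFor` check lists every object a role can write to, which is the review a practitioner would run before assigning a role to anonymous access.

```javascript
// Added example (not Backand SDK code): an in-memory model of how role
// defaults, per-object role overrides and security template overrides
// combine into the effective permission for one action on one object.
// Role, template and object names below are constructed samples.

const ACTIONS = ['read', 'create', 'update', 'delete'];

// Role defaults apply to every object unless overridden per object.
const roles = {
  ReadOnly: {
    defaults: { read: true, create: false, update: false, delete: false },
    overrides: {},
  },
  User: {
    defaults: { read: true, create: true, update: true, delete: false },
    // Object-level override: regular users may read the audit log but never write it.
    overrides: { audit_log: { create: false, update: false } },
  },
  Admin: {
    defaults: { read: true, create: true, update: true, delete: true },
    overrides: {},
  },
};

// A template is a named collection of roles that is treated as a unit, with
// its own per-object overrides that apply to every role in the template.
const templates = {
  Default: { roles: ['ReadOnly', 'User', 'Admin'], overrides: {} },
  // Assumed: a template that hides the users object from every role it contains.
  Restricted: { roles: ['ReadOnly', 'User'], overrides: { users: { read: false } } },
};

function assertKnownAction(action) {
  if (!ACTIONS.includes(action)) throw new Error(`unknown action: ${action}`);
}

// Resolve whether `roleName`, evaluated inside `templateName`, may perform
// `action` on `objectName`. Assumed precedence (most specific wins):
//   template object override > role object override > role default.
// Unknown roles, unknown templates and roles outside the template get no
// access at all, so the resolver fails closed.
function isAllowed({ roleName, templateName, objectName, action }) {
  assertKnownAction(action);
  const template = templates[templateName];
  const role = roles[roleName];
  if (!template || !role || !template.roles.includes(roleName)) return false;

  const templateOverride = template.overrides[objectName]?.[action];
  if (templateOverride !== undefined) return templateOverride;

  const roleOverride = role.overrides[objectName]?.[action];
  if (roleOverride !== undefined) return roleOverride;

  return role.defaults[action] === true;
}

// Full permission matrix for one role inside one template: the table you
// would review before opening the app to public or anonymous access.
function permissionMatrix(roleName, templateName, objectNames) {
  const matrix = {};
  for (const objectName of objectNames) {
    matrix[objectName] = {};
    for (const action of ACTIONS) {
      matrix[objectName][action] = isAllowed({ roleName, templateName, objectName, action });
    }
  }
  return matrix;
}

// Lists every object the role can create, update or delete in. For the role
// assigned to anonymous users this list should be empty.
function writableObjectsFor(roleName, templateName, objectNames) {
  return objectNames.filter((objectName) =>
    ['create', 'update', 'delete'].some((action) =>
      isAllowed({ roleName, templateName, objectName, action })));
}

// Stand-alone demonstration when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  const objects = ['posts', 'audit_log', 'users'];
  console.log(JSON.stringify(permissionMatrix('User', 'Default', objects), null, 2));
  console.log('ReadOnly can write to:', writableObjectsFor('ReadOnly', 'Default', objects));
  console.log('User can write to:', writableObjectsFor('User', 'Default', objects));
}
```

The resolver deliberately returns `false` for anything it does not recognise rather than falling back to a role default, so a typo in a role or template name cannot silently widen access.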
Synchronizing Backand Users With Your App
One crucial thing to note is that the users for your Backand application are managed entirely by Backand by default. Backand maintains an internal Users object that tracks registered users for your application, as well as their permissions. If you wish to store additional application-specific data directly related to your users (such as an avatar), you’ll need to create your own table to manage those attributes and tie it to the internal Users table. Backand gives you a wealth of options for synchronizing these two objects, with the primary route being a set of pre-defined events on the Backand-driven Users object. These are available from the “Security & Auth” → “Security Actions” tab.
From the Security Actions tab, you can hook into any database event on the Users table that you need, much like the custom actions available for other objects in your system. Additionally, Backand provides a number of pre-configured events based on common user actions, such as updating a user. Using these events to drive user integration is straightforward, and we developed a sample application, ToDo With Users, that demonstrates how these settings are used.
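The following is an added illustration of the event-driven synchronization described above: an in-memory stand-in for the managed Users object and for an app-specific profile table, with handlers that react to user lifecycle events. It is example code written for this article, not Backand’s Security Actions API or the ToDo With Users sample; the event names (`user.created`, `user.updated`, `user.deleted`), the payload shapes and the sample events are all constructed. The points it shows that the paragraph does not are the ones that matter in practice: handlers are idempotent so a redelivered event does no harm, deleting a user cascades to the profile so no orphaned personal data is left behind, and a reconciliation pass detects a missed event.

```javascript
// Added example (not Backand's Security Actions API): keeping an
// app-specific profile table in step with a managed Users object by
// reacting to user lifecycle events. Event names and payloads are
// constructed for this example.

function createUserSync() {
  const users = new Map();    // stands in for the managed Users object
  const profiles = new Map(); // stands in for your own profile table

  // Handlers keyed by event type. Each is idempotent: processing the same
  // event twice leaves the data exactly as after the first delivery.
  const handlers = {
    'user.created': ({ id, email }) => {
      users.set(id, { id, email });
      if (!profiles.has(id)) {
        // Seed the profile from the user record; avatar is left for the user to set.
        profiles.set(id, { userId: id, avatar: null, displayName: email.split('@')[0] });
      }
    },
    'user.updated': ({ id, email }) => {
      const user = users.get(id);
      if (!user) throw new Error(`update for unknown user ${id}`);
      user.email = email;
      // Only the user record is mirrored here; user-editable profile fields
      // such as avatar are deliberately not touched by a Users-table event.
    },
    'user.deleted': ({ id }) => {
      users.delete(id);
      // Cascade so no orphaned profile row keeps personal data around.
      profiles.delete(id);
    },
  };

  // Dispatch one event; unknown event types are an error rather than ignored,
  // so a renamed or new event cannot silently desynchronize the tables.
  function handleEvent(event) {
    const handler = handlers[event.type];
    if (!handler) throw new Error(`unhandled event type: ${event.type}`);
    handler(event.payload);
  }

  // Reconciliation pass: profiles whose user no longer exists and users that
  // never received a profile. Both lists should be empty if no event was lost.
  function reconcile() {
    return {
      orphanProfiles: [...profiles.keys()].filter((id) => !users.has(id)),
      usersWithoutProfile: [...users.keys()].filter((id) => !profiles.has(id)),
    };
  }

  return { users, profiles, handleEvent, reconcile };
}

// Constructed sample event stream, including a duplicated creation event.
const sampleEvents = [
  { type: 'user.created', payload: { id: 'u1', email: 'alice@example.com' } },
  { type: 'user.created', payload: { id: 'u2', email: 'bob@example.com' } },
  { type: 'user.created', payload: { id: 'u1', email: 'alice@example.com' } }, // redelivered
  { type: 'user.updated', payload: { id: 'u1', email: 'alice.smith@example.com' } },
  { type: 'user.deleted', payload: { id: 'u2' } },
];

// Replays a stream into a fresh sync instance and returns it for inspection.
function replay(events) {
  const sync = createUserSync();
  for (const event of events) sync.handleEvent(event);
  return sync;
}

// Stand-alone demonstration when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  const sync = replay(sampleEvents);
  console.log('users:', [...sync.users.values()]);
  console.log('profiles:', [...sync.profiles.values()]);
  console.log('reconcile:', sync.reconcile());
}
```

The reconciliation function is the piece worth keeping even once the event wiring works: running it on a schedule turns a silently dropped event into a visible discrepancy instead of a permanently stale profile row.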
The above was a very high-level view of the user and role-based security options available to Backand apps. Using these settings correctly is crucial both to creating a workable user experience and to properly securing the data of those users. You can manage user registration and authentication in your Backand application from the dashboard, and control the security roles that govern those users there as well. For more information, check out Backand’s documentation.
Don’t have a Backand account yet? Sign up for a Free-Forever Account.