Users in Molnify Apps
Sometimes, you want your Molnify application to be accessible to anyone. For example, if your application is a form for prospective customers, or if your application is displayed in an iframe on your webpage. Othertimes, you do not want precisely anyone to have access to your Molnify application, for example if your application is an internal tool. This guide describes the options which Molnify provides to you for access management, and how to use them.
In addition to determining whether a user has access to an application, different users can have different levels of access to an application.
Molnify has the access levels, in ascending order of access, user, manager, superUser, and uploader.
The user.email input
When a user accesses an application, Molnify populates an input with the UI string user.email with the user's email address, if they are logged in to Molnify.
If a user which is not logged in accessed the application, the input is empty. Note that this input is hidden, and not visible in the application's interface.
Similar UI-strings to create inputs to detect if a user is a manager or superUser exist.
Assign the value manager or superUser to the input's UI cell, and the input will be populated with TRUE or FALSE depending on the user's level of access.
However, these inputs are not hidden by default, and need to be hidden with the UI string hidden unless they should be displayed to the user.
You can limit access to an application's content through the use of these input cells. However, doing so has a few drawbacks:
- It is rarely truly secure. The option showIfCell and similar options can be used to hide an element from a user, but it does not remove the element. A malicious user could retrieve the hidden element using javascript in their web browser. You would instead need to ensure, through logical conditions in Excel formulas, that the data is not created or computed if the user should not have access to the data.
- It quickly leads to applications which are difficult to maintain as you make changes to them. As you make changes to your application, the logic which determines what to show to who easily grows more complicated and tangled.
Database
With the Metadata DBUsers, Molnify stores the list of users which are allowed to access your application in its database.
Setting the metadata DBUsers to TRUE enables the user management interface for your application.
This list of users is not defined in the Excel workbook or Google spreadsheet, but in a separate user interface.
You can access this user interface through the sidebar of any application which has the Metadata property DBUsers set to TRUE.
Note that a manager is never able to demote or remove a superUser, nor are they able to create or promote a user to superUser status.
The user management interface allows you to create new users (1), delete users (2), edit data of users (3), export the current users as a CSV file (4), and mass-import new users from a CSV file (5). Additionally, data tags can be associated with a user, which will then populate the input fields tag1, tag2, and so on in your application.
- Creating a new user. You can create a new user by clicking on the "New" button.
- Removing a user. By clicking on the checkbox next to a row, you can select that row. You can remove access for all selected rows by clicking on the "Delete" button.
- Editing users. By clicking on the email address or role of a user, you can edit them. Any and all changes are saved as soon as you deselect the input.
- Exporting CSV. Click the "Export CSV" button to export the current users as a CSV file.
- Import CSV. Click the "Import CSV" button to import the contents of a CSV file as users. The imported users are added in addition to what users may have been present before the import.
- Show tags. Select which tag fields are shown in the user management interface.
- Edit tags. Edit the tags for each user. Each tag is a string, set in the user management interface. For instance, tag number 1 can be accessed in the app by defining an input with ui-string
tag1. Note the absence of a space between "tag" and "1". The tag inputs are hidden from the user, but can be used by the logic of your application through Excel formulas. See the reference guide for more information.
Here, Molnify interprets asterisks * as wildcards, so e.g. *@domainname.com would match any email address which ends in "@domainname.com".
Realms
If your application has Realms enabled, then the user management interface will show an additional column, "Realm". A user needs an entry for each realm which they are given access to. E.g. if the manager "test@test.com" were to be given access to the realms "A" and "B", then the table should contain two rows:
| Role | Realm | |
|---|---|---|
| test@test.com | manager | A |
| test@test.com | manager | B |
Metadata
As an alternative to DBUsers, you can manage your application's users directly in your spreadsheet. You do this by setting the metadata Users. Its value should be either a range of cells containing email addresses, or a comma-separated list of email addresses.
This example restricts access to your application to the users with email addresses defined in Users!A2:A200.
Similarly, the metadata Managers and SuperUsers can be used to define manager- and superUser-access to your application.
Here, Molnify interprets asterisks * as wildcards, so e.g. *@domainname.com would match any email address which ends in "@domainname.com".
SSO
SSO, or Single Sign-On, is an authentication process that allows a user to access multiple applications or services with a single set of login credentials (such as a username and password). Molnify can be configured so that logging in to your website through e.g. Microsoft Azure would log in the user to your Molnify application as well.
This is a feature which is set up and enabled for your app on request. Contact us for more information.
Token Authentication
Token Authentication allows you to sign in your users to your Molnify application without having to go through the process of having your users creating accounts on Molnify or having to integrate SSO solutions. With Token Authentication enabled, you will generate a link to your application on your server, which the user then uses to access the application. Molnify then decodes the link, and creates a user for the duration of the user's session.
This is a feature which is set up and enabled for your app on request. Contact us for more information.
Choosing user management
With several options for user management to choose from, which is the best choice for your application? We have compiled the following table to give an indication of what we consider the best choice. If you feel unsure, feel free to contact us to discuss the alternatives. We are here to help!
| Use-case | Recommendation |
|---|---|
| The list of users will change frequently, OR each user has a set of data associated with it, OR managers of the application should be able to add/update/remove regular users. | Database |
| The list of users will not change frequently, OR managers of the application must not be able to add/update/remove regular users. | Metadata |
| The users will be logged in to a company-wide user management system, such as Google or Microsoft AD. | SSO |
| The users will be directed to the Molnify application from an external system, on which they will log in. | Token Authentication |