2406 Record Ownership

Record Ownership

Introduction

Record ownership is one of the most powerful and commonly used security patterns in Tadabase. It allows you to link records to specific users, ensuring that users can only access and modify their own data. In this article, you'll learn to implement comprehensive ownership-based security for user-specific data access.

What Is Record Ownership?

Record ownership creates a relationship between a record and a user, giving that user special permissions for that specific record.

Ownership Concept

Think of it like owning a file on your computer:

You can view files you own
You can edit files you own
You cannot see files owned by others (unless given permission)
Admins can see and edit all files

How Ownership Works

Link Records to Users - Add a connection field to Users table
Auto-Assign Owner - When user creates record, they become owner
Filter by Owner - Users see only their own records
Restrict Editing - Users can only edit their own records
Admin Override - Admins can see/edit all records

Implementing Basic Ownership

Let's implement ownership step by step.

Step 1: Add Owner Field

Go to Data Builder
Open the table where you want ownership (e.g., "Tasks")
Click "Add Field"
Select "Connection" field type
Name it "Owner" or "Created By"
Connect to: Users table
Connection type: Many to One (many tasks can have one owner)
Enable "Auto-fill with logged in user"
Save

Step 2: Filter by Owner

Create pages that show only owned records:

Create or edit a page (e.g., "My Tasks")
Add a Table Component
Data source: Tasks table
Add a Filter:
- Field: Owner
- Operator: =
- Value: Logged In User
Save

Now users only see tasks they own.

Step 3: Restrict Editing

Ensure users can only edit their own records:

Create or edit a details/form page
Add page rule or component filter:
- Show edit form only if: Owner = Logged In User
- OR Role = Admin (admins can edit everything)
If condition fails, show read-only details or redirect

Step 4: Test Ownership

Create test users (User A, User B, Admin)
Log in as User A, create some records
Log in as User B, verify they don't see User A's records
Create records as User B
Log in as Admin, verify admin sees all records

Ownership Patterns

Different ways to implement ownership for various scenarios.

Pattern 1: Created By

User who created the record owns it permanently.

Implementation

Field: "Created By" (connection to Users)
Auto-fill: Logged in user
Not editable (can't change owner)
Used for: Audit trails, permanent ownership

Example: Expense Reports

Employee creates expense report
They own it permanently
They can edit their expense report
Manager can view/approve but not change owner
Finance processes approved expenses

Pattern 2: Assigned To

Ownership can be transferred/reassigned.

Implementation

Field: "Assigned To" (connection to Users)
Initially auto-filled with logged in user
Editable by managers/admins
Used for: Tasks, tickets, work items

Example: Support Tickets

Customer creates ticket (assigned to themselves)
Support admin assigns to support agent
Agent now owns the ticket
Agent can work on and close ticket
Can be reassigned to another agent if needed

Pattern 3: Multiple Owners

Record can have multiple owners/collaborators.

Implementation

Field: "Team Members" (connection to Users)
Connection type: Many to Many
Can select multiple users
Used for: Projects, shared documents

Example: Projects

Project has multiple team members
All team members can view/edit project
Filter: Team Members includes Logged In User
Collaborative access

Pattern 4: Hierarchical Ownership

Ownership follows organizational hierarchy.

Implementation

Field: "Owner" (connection to Users)
Users table has "Manager" field (connection to Users)
Filter: Owner = Logged In User OR Owner's Manager = Logged In User
Used for: Manager oversight

Example: Sales Pipeline

Sales rep owns their leads
Sales manager sees their team's leads
VP Sales sees all sales leads
Hierarchical visibility

Pattern 5: Department/Group Ownership

Ownership at group level, not individual.

Implementation

Field: "Department" (connection to Departments table)
Filter: Department = Logged In User's Department
All department members can access
Used for: Shared resources, department data

Example: Department Files

Files uploaded by department
All department members can access
Other departments cannot see
Admins see everything

Owner-Only Editing

Restricting edit permissions to owners.

Method 1: Page-Level Restriction

Use page rules to control access to edit pages.

Edit Page Rule

Create edit page for records
Add page rule:
- Condition: Page Criteria's Owner = Logged In User
- OR: Role = Admin
If fails: Redirect to view-only page or show error

Method 2: Component-Level Restriction

Show form only to owners.

Conditional Form Display

Add both Details (read-only) and Form (editable) components to same page
Details component: Always visible
Form component:
- Display rule: Show if Owner = Logged In User OR Role = Admin
- Hide if condition fails
Result: Owners see edit form, others see read-only details

Method 3: Action Link Restriction

Show edit button only to owners.

Conditional Action Links

In table component, add "Edit" action link
Link permissions:
- Show if: Owner = Logged In User
- OR: Role = Admin
Edit button appears only for records user owns

Example: Task Management

My Tasks Page

Table Component:
- Filter: Owner = Logged In User
- Columns: Task Name, Status, Due Date
- Action Links:
  - View (everyone can view their tasks)
  - Edit (only for tasks with Status = "Draft" or "In Progress")
  - Delete (only for tasks with Status = "Draft")

Task Details Page

Page Rule:
- Access: Owner = Logged In User OR Role = Manager/Admin

Components:
- Details Component (always visible)
  - Task Name, Description, Status, Due Date, Owner

- Edit Form (conditional)
  - Display if: Owner = Logged In User AND Status != "Completed"
  - OR: Role = Admin
  - Fields: Task Name, Description, Status, Due Date

Result:
- Owners can edit their open tasks
- Completed tasks are read-only
- Admins can always edit
- Non-owners cannot access the page

Admin Overrides

Admins should always be able to access all records.

Implementing Admin Override

In every ownership filter, include admin exception:

Filter Logic:
(Owner = Logged In User)
OR
(Role = Admin)

Example Filters with Admin Override

Table Filter

Add filter: Owner = Logged In User
Add second filter: Role = Admin
Combine with OR logic
Admins see all records, others see only theirs

Page Rule with Override

Page Access Rule:
Allow access if:
  (Page Criteria's Owner = Logged In User)
  OR
  (Logged In User's Role = Admin)
  OR
  (Logged In User's Role = Manager)

Multiple Override Roles

Sometimes multiple roles need override access:

Admin - Complete override, sees everything
Manager - Sees team's records
Support - Read-only access to all records
Auditor - Read-only access with no editing

Example: Support Access

Filter for Table:
Show records where:
  (Owner = Logged In User)
  OR
  (Role = Admin)
  OR
  (Role = Support)

Form Display Rule:
Show edit form if:
  (Owner = Logged In User)
  OR
  (Role = Admin)

Note: Support can view all but not edit

Allow owners to share records with others.

Implementation

Add field: "Shared With" (connection to Users, Many to Many)
Owner can select users to share with
Filter: Owner = Logged In User OR Shared With includes Logged In User
Shared users have view/edit access

Example: Shared Documents

Document Table Fields:
- Name
- Owner (connection to Users)
- Shared With (connection to Users, many-to-many)

Access Filter:
Show documents where:
  (Owner = Logged In User)
  OR
  (Shared With includes Logged In User)
  OR
  (Role = Admin)

Implementation

Add field: "Share with Department" (yes/no checkbox)
Filter: Owner = Logged In User
OR: (Share with Department = Yes AND Department = Logged In User's Department)
Department-wide sharing

Method 3: Public vs. Private

Implementation

Add field: "Visibility" (dropdown: Private, Team, Public)
Filters based on selection:
- Private: Owner only
- Team: Owner's team/department
- Public: Everyone

Example: Knowledge Base Articles

Article Fields:
- Title
- Content
- Owner
- Visibility (Private/Team/Public)

Filter Logic:
Show if:
  (Visibility = Public)
  OR
  (Visibility = Team AND Department = User's Department)
  OR
  (Visibility = Private AND Owner = Logged In User)
  OR
  (Role = Admin)

Permission Levels

Different access levels for shared records:

Permission	Owner	Shared (Edit)	Shared (View)	Admin
View	✓	✓	✓	✓
Edit	✓	✓	-	✓
Delete	✓	-	-	✓
Share	✓	-	-	✓
Change Owner	✓	-	-	✓

Implementation

Add fields:
- Shared With Edit (connection to Users)
- Shared With View (connection to Users)
Configure permissions based on which field user is in

Transferring Ownership

Allow changing record owners.

When to Allow Transfers

User Leaves - Transfer their records to someone else
Reassignment - Move tasks to different team member
Workload Balancing - Distribute work evenly
Escalation - Move to senior team member

Method 1: Admin Transfer

Implementation

Make "Owner" field editable only by Admin role
In form component, set field permission:
- Field: Owner
- Editable by: Admin only
- Read-only for: Everyone else
Only admins can change owner

Method 2: Manager Transfer

Implementation

Managers can reassign within their team
Form field permission:
- Field: Assigned To
- Editable by: Admin, Manager
- Options limited to manager's team members

Method 3: Self-Transfer

Implementation

Add "Transfer Ownership" action link
Opens form to select new owner
Current owner selects new owner
Updates Owner field
Current owner loses access (unless shared)

Tracking Ownership Changes

Keep audit trail of ownership transfers:

Add fields:
- Previous Owner (connection to Users)
- Ownership Changed Date
- Ownership Changed By
Use record rules to populate when Owner changes
Maintain history of ownership

Complex Ownership Scenarios

Real-world ownership examples.

Scenario 1: Multi-Stage Workflow

Ownership changes as record moves through workflow

Example: Purchase Requests

Employee creates request - Owner: Employee
Manager reviews - Owner: Manager (for approval)
Finance processes - Owner: Finance (for payment)
Completed - Owner: Original employee (for reference)

Implementation

Field: "Current Owner" (changes as status changes)
Field: "Requester" (original employee, never changes)
Field: "Status" (Draft, Pending Approval, Approved, Processing, Completed)
Record rules update owner based on status changes

Scenario 2: Customer Accounts with Rep Assignment

Customers assigned to sales reps, with manager oversight

Structure

Customers table has "Account Owner" (connection to Users)
Users table has "Manager" (connection to Users)
Customers table has "Account Team" (many-to-many to Users)

Access Rules

Account Owner - Full access to their customers
Account Team - Can view and collaborate
Manager - Can see their reps' customers
Admin - Can see all customers

Filter

Show customers where:
  (Account Owner = Logged In User)
  OR
  (Account Team includes Logged In User)
  OR
  (Account Owner's Manager = Logged In User)
  OR
  (Role = Admin)

Scenario 3: Project Hierarchy

Projects with tasks, owner at both levels

Structure

Projects table: Project Owner
Tasks table: Task Owner, Connected to Projects

Access Logic

Project View:
- Project Owner can see project
- OR user owns any task in project
- OR user is on project team
Task View:
- Task Owner can see task
- OR Project Owner can see all tasks in their project

Scenario 4: Tenant-Based Ownership

SaaS application with complete data isolation

Structure

Companies table (tenants)
Users table: Company (connection)
All data tables: Company (connection)

Ownership Layers

Company Level - All users in company see company data
User Level - Within company, users see only their records
Shared Level - Company members can share with each other

Filter

Show records where:
  (Company = Logged In User's Company) [Company-level access]
  AND
  (
    (Owner = Logged In User) [User-level]
    OR
    (Shared With includes Logged In User) [Shared]
    OR
    (Role = Company Admin) [Company admin override]
  )
  OR
  (Role = Super Admin) [Platform admin override]

Covered in detail in next article.

Ownership Best Practices

Follow these guidelines for effective ownership:

1. Always Include Owner Field

Even if not used immediately for filtering
Valuable for audit trails
Can enable ownership features later
Helps with reporting and analytics

2. Auto-Fill Owner

Enable "Auto-fill with logged in user"
Prevents users from creating records for others
Ensures accurate ownership
Reduces errors

3. Separate Created By and Owner

"Created By" - Never changes, audit field
"Owner" / "Assigned To" - Can be transferred
Both are useful for different purposes
Maintain complete history

4. Always Include Admin Override

Every ownership filter should include admin exception
Prevents admins from being locked out
Essential for maintenance and support
Include in all ownership logic

5. Consider Hierarchical Access

Managers typically need to see team's records
Plan org structure carefully
Include in filters where appropriate
Test hierarchy thoroughly

6. Test Thoroughly

Create test users and records
Verify isolation works
Try to access others' records
Test ownership transfers
Test sharing functionality

7. Handle Deleted Users

What happens when owner is deleted?
Reassign their records first
Or use "Inactive" status instead of deleting
Maintain data integrity

8. Document Ownership Rules

Explain ownership logic
Document transfer policies
Clarify admin overrides
Keep documentation updated

Troubleshooting Ownership

Common ownership issues and solutions.

Issue 1: Users See Other Users' Records

Check:

Is filter correctly set? (Owner = Logged In User)
Is filter active? (not accidentally disabled)
Are there other filters overriding?
Is admin viewing? (admin sees all)
Is sharing enabled that you forgot about?

Issue 2: Users Can't See Their Own Records

Check:

Is Owner field populated? (auto-fill working?)
Is filter too restrictive? (multiple AND conditions)
Is user's role allowed to access the page?
Does record actually belong to user?

Issue 3: Owner Field Not Auto-Filling

Check:

Is "Auto-fill with logged in user" enabled in field settings?
Is user logged in when creating record?
Is form component configured correctly?
Is field included in the form?

Issue 4: Admin Can't See All Records

Check:

Is admin override included in filter?
Is role name exactly "Admin"? (case-sensitive)
Is there a page rule blocking access?
Is component visibility set correctly?

Issue 5: Ownership Transfer Not Working

Check:

Is Owner field editable?
Does user have permission to edit Owner field?
Is Owner field in the form?
Are there validation rules preventing the change?

Summary

In this article, you learned:

What ownership is - Linking records to users for access control
Implementing basic ownership - Owner field, filters, and restrictions
Ownership patterns - Created By, Assigned To, Multiple Owners, Hierarchical, Department
Owner-only editing - Restricting modifications to owners
Admin overrides - Ensuring admins can access all records
Sharing and collaboration - Allowing owners to share records
Transferring ownership - Reassigning record owners
Complex scenarios - Multi-stage workflows, hierarchies, projects
Best practices - Guidelines for effective ownership
Troubleshooting - Common issues and solutions

Record ownership is one of the most powerful security patterns in Tadabase. It enables you to build applications where users can only access their own data, creating truly multi-user, secure applications.

In the next article, you'll learn about multi-tenant applications - building SaaS applications that serve multiple companies with complete data isolation.

Next: Multi-Tenant Applications - Building Multi-Company SaaS Applications

Hands-On Exercise (To Be Added)

Exercise placeholders will include practical activities such as:

Implementing basic ownership in a table
Creating owner-filtered pages
Setting up owner-only editing
Implementing admin overrides
Building a sharing system
Testing ownership with multiple users

Knowledge Check (To Be Added)

Quiz questions will test understanding of:

How ownership works
Different ownership patterns
Implementing owner filters
When to use admin overrides
Sharing vs. ownership
Best practices for ownership

How did we do ?

2405 Security Best Practices

2407 Multi Tenant Applications

2000 Welcome To Tadabase Learning Path

2001 Platform Introduction

2002 Account And App Management

2003 Data Structure Fundamentals

2004 Pages And Components Basics

2005 Building Your First App

2006 Phase 1 Summary And Project

2100 Phase 2 Introduction

2101 Text And Personal Fields

2102 Number And Date Fields

2103 Option And Document Fields

2104 Connection Fields And Relationships

2105 Data Components Overview

2106 Working With Table Component

2107 Working With Form Component

2108 List And Card Components

2109 Phase 2 Summary And Project

2200 Phase 3 Introduction

2201 Form Component Mastery

2202 Searching And Filtering

2203 Working With Records

2204 Introduction To Equations

2205 Rollup Fields And Aggregations

2206 Action Links And Details

2207 Advanced Components

2208 Phase 3 Summary And Project

2300 Phase 4 Introduction

2301 Understanding Automation

2302 Table Rules

2303 Record Rules

2304 Action Rules

2305 Scheduled Tasks

2306 Email And Sms Automation

2307 Validation And Business Logic

2308 Phase 4 Summary And Project

2400 Phase 5 Introduction

2401 User Fundamentals

2402 Roles And Permissions

2403 Page Rules And Access Control

2404 User Components

2405 Security Best Practices

2406 Record Ownership

2407 Multi Tenant Applications

2408 Phase 5 Summary And Project

2500 Phase 6 Introduction

2501 Importing Data

2502 Exporting Data

2503 Batch Operations

2504 Logging And Auditing

2505 Data Quality And Validation

2506 Backups And Restore

2507 Advanced Data Structures

2508 Phase 6 Summary And Project

2600 Phase 7 Introduction

2601 Introduction To Pipes

2602 Using Pipes In Components

2603 Webhooks Overview

2604 Incoming Webhooks

2605 Outgoing Webhooks

2606 Rest Api Introduction

2607 Working With Api

2608 Advanced Api Operations

2609 Third Party Integrations

2610 Phase 7 Summary And Project

2700 Phase 8 Introduction

2701 Ai Capabilities And Use Cases

2702 Ai In Forms

2703 Ai In Automation

2704 Ai In Components

2705 Page Level Ai

2706 Ai Prompt Engineering

2707 Phase 8 Summary And Project

2800 Phase 9 Introduction

2801 Css Customization

2802 App Themes

2803 White Labeling And Domains

2804 Plugins Overview

2805 Custom Components

2806 Advanced Styling

2807 Phase 9 Summary And Project