Home
Documentation
Start typing to search…

User Management Fundamentals

Overview

User management in Knack allows you to control who can access your application, what they can see, and what actions they can perform. Understanding how users, roles, and permissions work together is essential for building secure, personalized applications that serve different types of users with different needs.

This guide explains the core concepts of user management in Knack, how the system works, and when to use different approaches to control access to your application.

What is User Management?

User management encompasses all the features and settings that control access to your Knack application. At its core, user management answers three fundamental questions:

Who can access my app? This is controlled through user accounts and authentication (login systems). You decide whether your app is open to the public, requires users to create accounts, or is restricted to users you manually add.

What can they see? This is controlled through page-level protection and role-based access. You can create different sections of your app for different types of users, ensuring that each user sees only the content relevant to them.

What can they do? This is controlled through permissions, field rules, and element-level settings. You can restrict certain actions (like editing or deleting records) to specific users or roles while allowing others only to view information.

Together, these controls allow you to build applications that serve multiple audiences—customers, employees, managers, administrators—each with their own personalized experience and appropriate level of access.

Key Concepts

User Accounts

A user account represents an individual person who can log in to your application. Each user account has:

Email address: The unique identifier for the account. Users log in with their email address, and no two accounts can share the same email.

Password: The credential that authenticates the user. Knack handles password security automatically, including encryption and secure storage.

Profile information: Additional data about the user, such as name, phone number, organization, or any custom fields you add to your user table.

Account status: Whether the account is active, pending approval, or suspended.

User accounts are stored in special tables called user role tables. Unlike regular data tables, user role tables have built-in authentication capabilities that allow users to log in and access protected content.

User Roles

A user role defines a category or type of user in your application. Roles allow you to group users with similar access needs and apply permissions consistently across that group.

Examples of user roles:

  • Customers (external users who purchase products or services)
  • Employees (internal staff who manage operations)
  • Managers (supervisors who oversee teams and view reports)
  • Administrators (power users who configure the application)

Each role is represented by its own user role table in your app's data structure. When you create a user account, you're actually creating a record in one of these role tables, which automatically assigns that user to that role.

Roles determine which pages users can access and what data they can see. For example, you might create a "Customer Portal" page that only users in the Customers role can access, while creating an "Admin Panel" page that only Administrators can access.

Page-Level Protection

Page-level protection controls who can access entire pages or sections of your application. When you protect a page with a login, you're creating a boundary that requires authentication and, optionally, specific role membership.

Protected pages work hierarchically: When you protect a parent page, all child pages underneath it inherit that protection. Users must log in once to access the protected parent page, and they can then navigate freely among all child pages without needing to authenticate again.

Visual indicators: Protected pages display a lock icon in the Pages panel, making it easy to see which parts of your app require authentication.

Page-level protection is your first line of defense for controlling access. It ensures that entire sections of your app remain secure and accessible only to authorized users.

Element-Level Permissions

While page-level protection controls who can access a page, element-level permissions control what users can do with the data on that page. These permissions are configured at the individual element level (forms, tables, details, etc.) and can be customized based on the logged-in user.

Common element-level permissions:

  • View only: Users can see data but cannot edit or delete it
  • Edit own records: Users can modify records they created or that are connected to them
  • Edit all records: Users can modify any record, regardless of who created it
  • Delete records: Users can remove records from the database

Element-level permissions allow you to create sophisticated access control where different users on the same page have different capabilities. For example, on a project management page, team members might be able to edit only their own tasks, while managers can edit all tasks for their team.

Data Filtering and Connections

Data filtering ensures that users see only the records relevant to them, even when multiple users share the same page. This is accomplished through connections between user role tables and data tables, combined with source filters on elements.

How it works: When you connect a data table (like Tasks or Invoices) to a user role table (like Customers), you create a relationship that links specific records to specific users. You can then configure elements to display only records connected to the logged-in user.

Example: In a customer portal, each customer should see only their own invoices, not invoices belonging to other customers. By connecting the Invoices table to the Customers table and filtering the invoices table element to show only records connected to the logged-in customer, you ensure data privacy and personalization.

Data filtering is essential for multi-user applications where data privacy and personalization are important.

How User Management Works

Understanding the flow of user management helps you design effective access control for your application.

The Authentication Flow

When a user attempts to access a protected page, Knack follows this process:

  1. User navigates to a protected page: The user clicks a link or enters a URL for a page that requires authentication.

  2. Knack checks authentication status: If the user is not logged in, Knack redirects them to the login page associated with that protected page.

  3. User provides credentials: The user enters their email address and password (or uses single sign-on if configured).

  4. Knack verifies credentials: Knack checks the email and password against the user role table. If the credentials are valid, authentication succeeds.

  5. Knack checks role permissions: If the page is restricted to specific roles, Knack verifies that the user's role is allowed to access the page.

  6. Access granted or denied: If all checks pass, the user is granted access to the page and can navigate freely among child pages. If any check fails, the user sees an access denied message or remains on the login page.

This process happens seamlessly in the background, providing security without disrupting the user experience.

The Role Assignment Process

Users are assigned to roles when their accounts are created. The method of assignment depends on how user accounts are created in your app:

Manual account creation: When you (or another administrator) manually add a user through the Builder or a form, you create a record in a specific user role table, automatically assigning that user to that role.

Self-registration: When users create their own accounts through a registration form, they are automatically assigned to the role associated with that registration page. You can configure whether new registrations are immediately active or require administrator approval.

Multiple roles: If your application requires users to have multiple roles, you can create user records in multiple role tables using the same email address. When the user logs in, they may be prompted to choose which role they want to use for that session, or you can use a single accounts table with a role field to manage multiple roles more flexibly.

The Permission Evaluation Process

When a logged-in user views a page with elements that have permissions configured, Knack evaluates those permissions in real-time:

  1. User loads the page: The page and its elements are rendered based on the user's role and connection to data.

  2. Element permissions are checked: For each element (form, table, details), Knack checks the configured permissions against the logged-in user's role and connection to records.

  3. Actions are enabled or disabled: Edit buttons, delete options, and form fields are shown or hidden based on the user's permissions.

  4. Data is filtered: Tables and details display only the records the user is permitted to see, based on source filters and connections.

This dynamic evaluation ensures that permissions are enforced consistently and that users see only what they're authorized to access.

Benefits and Use Cases

User management in Knack enables a wide range of application types and use cases:

Customer Portals

Create self-service portals where customers can log in to view their orders, submit support requests, pay invoices, and access resources. Each customer sees only their own data, ensuring privacy and personalization.

Key features:

  • Self-registration with optional approval
  • Data filtering to show only customer-owned records
  • Secure access to sensitive information (invoices, account details)
  • Personalized dashboards and notifications

Internal Business Applications

Build apps for your team where employees can manage projects, track tasks, submit timesheets, and collaborate on work. Different departments or roles can have access to different sections of the app.

Key features:

  • Manual user creation for controlled access
  • Role-based pages for different departments (Sales, Support, Operations)
  • Hierarchical permissions (managers see all team data, employees see only their own)
  • Audit trails showing who made changes

Membership and Community Platforms

Create platforms where members can register, create profiles, interact with content, and participate in forums or events. Different membership tiers can have different levels of access.

Key features:

  • Open registration with email verification
  • Multiple membership levels (Free, Premium, VIP)
  • Content access based on membership tier
  • Member directories and profiles

Partner and Vendor Portals

Provide external partners or vendors with secure access to submit information, view shared data, and collaborate on projects without giving them access to internal systems.

Key features:

  • Restricted registration (by invitation or approval)
  • Data isolation (each partner sees only their own projects)
  • Secure document sharing and collaboration
  • Activity tracking and reporting

User Management Approaches

Knack offers flexibility in how you structure user management. The approach you choose depends on your application's complexity and requirements.

Single Role, All Users Equal

When to use: Simple applications where all users have the same access and capabilities.

How it works: Create one user role table (e.g., "Members"). All users are added to this table and have access to the same pages and data. You might still use data filtering to ensure users see only their own records.

Example: A personal task manager where all users can create and manage their own tasks but don't interact with other users' data.

Multiple Roles, Distinct Access

When to use: Applications serving different types of users with different needs.

How it works: Create multiple user role tables (e.g., "Customers," "Employees," "Admins"). Each role has access to different pages and sees different data. This is the most common approach for business applications.

Example: A customer portal where Customers access a self-service portal, Employees manage customer requests, and Admins configure the system.

Hierarchical Roles with Inheritance

When to use: Organizations with clear hierarchies where higher-level users need to see data from lower-level users.

How it works: Create role tables that represent organizational levels (e.g., "Employees," "Managers," "Executives"). Use connections and source filters to allow higher-level roles to see data from users they manage.

Example: A sales CRM where Sales Reps see their own deals, Sales Managers see all deals for their team, and Executives see all deals company-wide.

Dynamic Roles with Field-Based Permissions

When to use: Applications where user capabilities change frequently or depend on multiple factors.

How it works: Use a single user table with fields that define permissions (e.g., a "Role" field with options like "Admin," "Manager," "User"). Use page rules and conditional logic to show or hide elements based on these fields.

Example: A project management app where users can be assigned different roles on different projects (Project Manager on Project A, Team Member on Project B).

Important Considerations

Security Best Practices

User management provides powerful access control, but it's important to implement it correctly:

Never rely on visual hiding for security: Page rules and conditional formatting can hide elements from view, but they don't prevent access to the underlying data. Always use proper page-level protection and permissions to secure sensitive information.

Use role-based access, not individual permissions: Rather than configuring permissions for individual users, assign users to roles and configure permissions at the role level. This makes management easier and reduces the risk of errors.

Regularly audit user accounts: Periodically review your user accounts to remove inactive users, update role assignments, and ensure that access levels remain appropriate.

Test with real user accounts: Always test your access control by logging in with accounts from each role to verify that permissions work as intended.

Performance Considerations

As your user base grows, keep these performance factors in mind:

Large user tables: User role tables with thousands of records perform well, but complex source filters and connections can slow down page loads. Optimize your data structure and use indexes where appropriate.

Frequent permission checks: Pages with many elements that check permissions may load more slowly. Consider simplifying your permission structure or breaking complex pages into multiple simpler pages.

Data filtering at scale: Filtering large datasets to show only records connected to the logged-in user is efficient, but avoid overly complex connection chains that require multiple database queries.

User Experience Considerations

Effective user management should be invisible to users when it works correctly:

Clear navigation: Users should easily understand which sections of the app they can access. Use descriptive page names and organize navigation logically.

Helpful error messages: When users can't access a page or perform an action, provide clear messages explaining why and what they can do instead.

Consistent experience: Ensure that permissions and access control work consistently across your app. Users should not be confused by inconsistent behavior.

Onboarding and guidance: Help new users understand how to use your app and what they can do. Consider welcome messages, tooltips, or guided tours for first-time users.

Getting Started with User Management

To implement user management in your Knack application:

  1. Define your user types: Identify the different types of users who will access your app and what each type needs to do.

  2. Create user role tables: Set up user role tables for each user type, adding any custom fields needed for profile information.

  3. Design your page structure: Plan which pages each role should access and how pages should be organized hierarchically.

  4. Implement page protection: Protect pages with logins and configure role-based access restrictions.

  5. Configure element permissions: Set up permissions on forms, tables, and other elements to control what users can do with data.

  6. Set up data filtering: Create connections between user role tables and data tables, then configure source filters to show users only relevant records.

  7. Test thoroughly: Log in with accounts from each role and verify that access control works as intended.

  8. Document your structure: Maintain clear documentation of which roles have access to which pages and what permissions each role has.

Related Articles

  • How to Create a Login-Protected Page
  • How to Configure Registration Settings for Protected Pages
  • How to Manage User Role Access to Protected Pages
  • How to Set Up Single Sign-On for Protected Pages
  • Protected Pages Best Practices
  • Troubleshooting Protected Pages
  • Understanding User Roles and Permissions
  • How to Filter Data by Logged-In User
  • How to Create User Registration Forms

Updated about 1 month ago