2403 Page Rules And Access Control
Page Rules and Access Control
Introduction
While role-based permissions provide a solid foundation for security, sometimes you need more dynamic, conditional access control. Page rules allow you to implement sophisticated, context-aware permissions based on user attributes, data values, and complex conditions. In this article, you'll learn to implement advanced access control that goes beyond simple role assignments.
What Are Page Rules?
Page rules are conditional logic statements that control page access and behavior dynamically. Unlike static role permissions, page rules evaluate conditions in real-time when a user attempts to access a page.
Page Rules vs. Role Permissions
| Feature | Role Permissions | Page Rules |
|---|---|---|
| Basis | User's role | Dynamic conditions |
| When Evaluated | At login | Every page access |
| Complexity | Simple (role = access) | Complex (multiple conditions) |
| Use Case | Basic access control | Conditional access |
| Example | "Managers can access" | "Managers from Sales dept can access" |
When to Use Page Rules
Use page rules when:
- Access depends on user attributes (department, status, etc.)
- Access depends on data values (subscription level, account status)
- Different users within the same role need different access
- Access changes based on time or other dynamic factors
- You need to redirect users based on conditions
- Access depends on relationships (manager of team, owner of record)
Types of Page Rules
Tadabase offers several types of page rules:
1. Access Rules
Control who can access a page based on conditions:
- Allow or deny access
- Evaluated before page loads
- Can redirect to another page if denied
- Show custom error messages
2. Redirect Rules
Automatically redirect users to different pages:
- Based on user attributes
- Based on data conditions
- Conditional routing
- Dynamic navigation
3. Display Rules
Control what's displayed on the page:
- Show/hide components conditionally
- Change page elements based on user
- Dynamic page content
4. Data Filter Rules
Filter data dynamically based on user:
- Show different data to different users
- Based on relationships
- Based on user attributes
Creating Page Rules
Page rules are configured in the Page Builder.
How to Create a Page Rule
- Go to Page Builder
- Select a page
- Click Page Settings (gear icon)
- Go to Page Rules tab
- Click "Add Rule"
- Configure the rule:
- Rule type (Access, Redirect, etc.)
- Conditions
- Actions
- Save
Rule Conditions
Conditions determine when the rule applies. You can use:
- User Fields - Department, Status, Custom User Fields
- Role - User's assigned role
- Connected Records - Records linked to the user
- Date/Time - Current date, time, day of week
- URL Parameters - Values passed in the URL
- Record Values - Data from the current record being viewed
Condition Operators
| Operator | Description | Example |
|---|---|---|
| = | Equal to | Department = "Sales" |
| ≠ | Not equal to | Status ≠ "Inactive" |
| > | Greater than | Credits > 0 |
| < | Less than | Days Left < 7 |
| Contains | Contains text | Email contains "@company.com" |
| Is Empty | Field is blank | Manager is empty |
| Is Not Empty | Field has a value | Subscription is not empty |
Multiple Conditions
You can combine multiple conditions:
- AND - All conditions must be true
- OR - At least one condition must be true
Example: Complex condition
(Role = "Manager" AND Department = "Sales")
OR
(Role = "Admin")This grants access to Sales Managers or any Admin.
Access Rules
Access rules control whether users can view a page.
Example 1: Department-Based Access
Scenario: Only Sales department can access the Sales Dashboard
- Create page rule on "Sales Dashboard" page
- Rule Type: Access Rule
- Condition: Logged In User's Department = "Sales"
- Action if condition fails: Redirect to "Dashboard" page
- Error message: "Access denied. This page is for Sales department only."
Example 2: Subscription Level Access
- Create page rule on "Premium Features" page
- Rule Type: Access Rule
- Condition: Logged In User's Subscription Level = "Premium"
- Action if fails: Redirect to "Upgrade" page
- Error message: "Upgrade to Premium to access this feature."
Example 3: Account Status Check
Scenario: Block inactive users from accessing any pages
- Create page rule on all pages (or use app-level rule)
- Rule Type: Access Rule
- Condition: Logged In User's Account Status = "Active"
- Action if fails: Redirect to "Account Suspended" page
- Error message: "Your account has been suspended. Contact support."
Example 4: Manager Access to Team Data
Scenario: Managers can only access pages for their team
- Create page rule on "Team Details" page
- Rule Type: Access Rule
- Condition: Page Criteria's Team Manager = Logged In User
- Action if fails: Redirect to "Dashboard"
- Error message: "You can only access your own team's page."
Redirect Rules
Redirect rules automatically send users to different pages based on conditions.
Example 1: Role-Based Landing Pages
Scenario: After login, different roles go to different dashboards
- Create redirect rule on "Login Success" page
- Multiple conditions:
- If Role = "Admin" → Redirect to "Admin Dashboard"
- If Role = "Manager" → Redirect to "Manager Dashboard"
- If Role = "Employee" → Redirect to "My Tasks"
- If Role = "Customer" → Redirect to "Customer Portal"
Example 2: Onboarding Flow
Scenario: New users must complete profile before accessing app
- Create redirect rule on all pages (except profile page)
- Condition: Logged In User's Profile Completed = "No"
- Action: Redirect to "Complete Profile" page
- User cannot access app until profile is complete
Example 3: Trial Expiration
Scenario: Redirect users whose trial has expired
- Create redirect rule on all pages
- Condition: Logged In User's Trial End Date < Today
- Action: Redirect to "Subscribe Now" page
- Prevents access until they subscribe
Example 4: Maintenance Mode
Scenario: Show maintenance page to non-admins during updates
- Create redirect rule on all pages
- Condition: Logged In User's Role ≠ "Admin"
- Action: Redirect to "Maintenance" page
- Only admins can access during maintenance
Conditional Access
Conditional access combines multiple factors to determine permissions.
Example 1: Time-Based Access
Scenario: Employees can only access timesheets during business hours
- Create access rule on "Timesheet" page
- Conditions:
- Current Time >= 8:00 AM
- AND Current Time <= 6:00 PM
- AND Day of Week ≠ Saturday
- AND Day of Week ≠ Sunday
- OR Role = "Admin" (admins can always access)
- Action if fails: Show error "Timesheets only available during business hours"
Example 2: Geographic Access
Scenario: Regional managers only see data for their region
- Create access rule on "Regional Reports" page
- Condition: Page Criteria's Region = Logged In User's Region
- Action if fails: Redirect to "Select Region" page
Example 3: Multi-Factor Conditions
Scenario: Finance pages require specific role AND approval status
- Create access rule on "Finance Dashboard"
- Conditions:
- Role = "Finance" OR Role = "Admin"
- AND Background Check = "Approved"
- AND Training Completed = "Yes"
- Action if fails: Redirect with appropriate message
Example 4: Progressive Access
Scenario: Users unlock features as they complete steps
- Create access rules on various feature pages
- Feature 1: Logged In User's Step 1 Completed = "Yes"
- Feature 2: Step 1 AND Step 2 Completed = "Yes"
- Feature 3: All previous steps completed
- Gamification approach to onboarding
Record-Level Permissions
Control access to specific records, not just pages.
What Are Record-Level Permissions?
Record-level permissions control whether users can view or edit individual records based on conditions.
- Different from page permissions (page vs. record)
- Implemented through page rules and filters
- Often combined with ownership (covered in next article)
Example 1: View Own Records Only
Scenario: Employees see only their own expense reports
- Create "My Expenses" page
- Add Table Component
- Filter: Created By = Logged In User
- Users only see records they created
Example 2: Manager Access to Team Records
Scenario: Managers see their team's records
- Create "Team Performance" page
- Add Table Component
- Filter: Employee's Manager = Logged In User
- Managers see only their direct reports' data
Example 3: Department-Based Record Access
Scenario: Users only see records from their department
- Add Table Component
- Filter: Department = Logged In User's Department
- Complete data isolation by department
Example 4: Edit Permissions Based on Status
Scenario: Users can only edit draft records, not submitted ones
- Create Form Component for editing
- Add Display Rule on form
- Show form only if: Record Status = "Draft"
- If status is "Submitted", show read-only details instead
Owner-Based Access
Ownership is a specific type of record-level permission that's so common it deserves special attention. (We'll cover this in depth in Article 6, but here's an introduction.)
What Is Ownership?
Ownership links a record to a specific user, giving that user special permissions for that record.
- Owner can view the record
- Owner can edit the record
- Owner might have delete permissions
- Non-owners cannot see or edit (unless they're admins)
Implementing Basic Ownership
- Add a Connection Field to your table
- Connect to Users table
- Name it "Owner" or "Created By"
- Enable "Auto-fill with logged in user"
- When users create records, they're automatically set as owner
Filtering by Ownership
- Add Table Component
- Add Filter: Owner = Logged In User
- Users only see their own records
Example: Task Management
- My Tasks page - Filter: Assigned To = Logged In User
- Created by Me page - Filter: Created By = Logged In User
- All Tasks page - Only accessible to Managers and Admins
We'll explore ownership in much greater detail in Article 6.
Combining Roles and Page Rules
The most powerful security comes from combining roles with page rules.
Layered Security Approach
- First Layer: Roles - Broad access categories
- Second Layer: Page Rules - Conditional refinements
- Third Layer: Component Permissions - Fine-grained control
- Fourth Layer: Field Permissions - Specific data access
Example: HR System
Roles
- HR Admin
- HR Staff
- Manager
- Employee
Page: Employee Records
Role Permission: HR Admin, HR Staff, Manager
Page Rules:
- If Role = Manager: Filter to show only direct reports
- If Department = "Finance": Can see salary fields
- If Department ≠ "Finance": Salary fields hidden
Result
- HR Admin sees all employees, all fields
- HR Staff (Finance) sees all employees, including salaries
- HR Staff (Other) sees all employees, no salaries
- Managers see only their team, no salaries
- Employees cannot access this page at all
Example: Project Portal
Roles
- Admin
- Project Manager
- Team Member
- Client
Page: Project Details
Role Permission: All roles
Page Rules:
- If Role = Admin: Full access (no restrictions)
- If Role = Project Manager: Access only if Project Manager = Logged In User
- If Role = Team Member: Access only if Team includes Logged In User
- If Role = Client: Access only if Client = Logged In User
Component Visibility
- Budget section: Visible to Admin, PM only
- Internal notes: Visible to Admin, PM, Team only (not Client)
- Client files: Visible to all roles
Result
- Each user sees only projects they're involved with
- Different users see different information on the same project
- Secure multi-party collaboration
Dynamic Navigation
Page rules affect navigation - users only see links to pages they can access.
How Navigation Works with Page Rules
- Menu items automatically hide if user can't access the page
- Page rules are evaluated for each menu item
- Navigation adapts to each user's permissions
- Creates personalized experience
Example: Role-Based Menu
| Menu Item | Admin | Manager | Employee | Customer |
|---|---|---|---|---|
| Dashboard | ✓ | ✓ | ✓ | ✓ |
| My Work | ✓ | ✓ | ✓ | - |
| Team Dashboard | ✓ | ✓ | - | - |
| Reports | ✓ | ✓ | - | - |
| My Orders | - | - | - | ✓ |
| User Management | ✓ | - | - | - |
| Settings | ✓ | - | - | - |
Each user sees a clean menu with only the items they can access.
Advanced Page Rule Examples
Here are sophisticated real-world implementations:
Example 1: Multi-Tenant Data Isolation
Scenario: SaaS app with complete data isolation between companies
- Users table has "Company" connection field
- All data tables have "Company" connection field
- Page rule on ALL pages:
- Condition: Page Criteria's Company = Logged In User's Company
- OR: Role = "Super Admin" (can see all companies)
- Every page automatically filters to user's company
- Complete isolation between tenants
Example 2: Approval Workflow with Permissions
Scenario: Expense approval with different permissions per stage
Expense Status States
- Draft
- Submitted
- Manager Approved
- Finance Approved
- Paid
- Rejected
Page Rules on Expense Details Page
- Edit Button: Show if Status = "Draft" AND Owner = Logged In User
- Submit Button: Show if Status = "Draft" AND Owner = Logged In User
- Manager Approve Button: Show if Status = "Submitted" AND Employee's Manager = Logged In User
- Finance Approve Button: Show if Status = "Manager Approved" AND Role = "Finance"
- Mark Paid Button: Show if Status = "Finance Approved" AND Role = "Finance"
Result
- Each user sees only appropriate actions
- Workflow enforced through permissions
- Status progression controlled
Example 3: Hierarchical Organization Access
Scenario: Users can see data for their level and below in org chart
- Users table has "Manager" field (connection to Users)
- Creates hierarchical structure
- Page rule filters:
- Show records where Employee = Logged In User
- OR Employee's Manager = Logged In User
- OR Employee's Manager's Manager = Logged In User (for directors)
- Each level sees their branch of the organization
Example 4: Educational Platform with Progressive Unlock
Scenario: Courses unlock as students complete prerequisites
- Courses table has "Prerequisites" field (connection to Courses)
- Users have "Completed Courses" field (connection to Courses)
- Page rule on Course Detail pages:
- Access granted if: Course's Prerequisites are ALL in User's Completed Courses
- OR: Role = "Admin" or "Instructor"
- Students can only access courses they're ready for
- Enforces learning path
Testing Page Rules
Page rules require thorough testing because they're dynamic.
Testing Strategy
- Create Test Users with Different Attributes
- Different roles
- Different departments
- Different status values
- Different relationships (manager, team member, etc.)
- Test Each Condition Path
- When condition is true
- When condition is false
- When multiple conditions combine
- Test Edge Cases
- Empty/null values
- Multiple relationships
- Boundary conditions
- Test Redirects
- Do redirects work correctly?
- Are error messages clear?
- Can users escape redirect loops?
Common Testing Scenarios
Scenario 1: Access Denied
- Create user who should NOT have access
- Try to access protected page
- Verify proper redirect or error
- Verify page doesn't appear in navigation
Scenario 2: Conditional Access Granted
- Create user who SHOULD have access
- Verify they can access the page
- Verify correct data is displayed
- Verify correct components are visible
Scenario 3: Attribute Change
- User initially has access
- Change user attribute (department, role, etc.)
- Verify access changes accordingly
- Test immediately (cache issues?)
Scenario 4: Record-Level Access
- Create records owned by different users
- Log in as each user
- Verify each sees only appropriate records
- Try to access other users' records directly via URL
Page Rule Best Practices
Follow these guidelines for effective page rules:
1. Start Simple
- Begin with role-based permissions
- Add page rules only when needed
- Don't over-complicate initially
- Iterate based on real needs
2. Document Complex Rules
- Comment why each rule exists
- Document expected behavior
- Create flow diagrams for complex scenarios
- Keep documentation updated
3. Avoid Redirect Loops
- Ensure there's always an accessible page
- Test redirect chains carefully
- Provide fallback pages
- Consider default landing pages
4. Provide Clear Error Messages
- Tell users WHY they can't access
- Provide next steps ("Contact your manager")
- Use friendly, non-technical language
- Don't expose security details
5. Optimize Performance
- Page rules are evaluated on every page load
- Keep conditions simple
- Avoid complex calculations in rules
- Use indexed fields in conditions
6. Maintain Consistency
- Use similar logic across pages
- Standardize condition patterns
- Reuse successful patterns
- Create rule templates
7. Plan for Exceptions
- Always allow admin override
- Consider emergency access
- Plan for null/empty values
- Handle edge cases gracefully
8. Test Thoroughly
- Test every condition path
- Test with real user scenarios
- Test after every change
- Have others test (fresh perspective)
Summary
In this article, you learned:
- What page rules are - Dynamic, conditional access control
- Types of page rules - Access, redirect, display, and filter rules
- Creating page rules - How to configure conditions and actions
- Access rules - Controlling who can view pages
- Redirect rules - Routing users dynamically
- Conditional access - Complex, multi-factor permissions
- Record-level permissions - Controlling access to individual records
- Owner-based access - Permissions based on record ownership
- Combining approaches - Using roles and page rules together
- Testing and best practices - Ensuring rules work correctly
Page rules transform static role-based permissions into dynamic, context-aware security. Combined with roles, they enable you to build sophisticated access control that adapts to your exact business requirements.
In the next article, you'll learn about user components - building the interfaces users interact with for login, signup, profiles, and authentication.
Next: User Components - Building Authentication and Profile Interfaces
Hands-On Exercise (To Be Added)
Exercise placeholders will include practical activities such as:
- Creating access rules based on user departments
- Setting up redirect rules for different roles
- Implementing record-level permissions with filters
- Creating conditional access based on subscription level
- Testing page rules with different user scenarios
- Building a hierarchical access system
Knowledge Check (To Be Added)
Quiz questions will test understanding of:
- Difference between page rules and role permissions
- When to use page rules vs. roles
- How to create conditional access rules
- Record-level vs. page-level permissions
- Best practices for page rules
- Testing strategies for dynamic permissions
We'd love to hear your feedback.