Cannot Extend Access via Projects Collection Field in Department (Access Templates Issue)

Hi Fibery Support,

I’m experiencing an issue with Access Templates and permission propagation in my workspace.
I have asked the Claude instance inside to describe it in a useful way after it validated my configuration:

Background:

  • I have a Department database with a collection field:
    Projects [Master Space/Projects]: Collection(Master Space/Projects)

  • I have a Projects database with a direct reference field:
    Department [Master Space/Department]: Master Space/Department

  • The relation is bidirectional and data is populated:

    • Each Department lists its Projects in the collection field.

    • Each Project points to its Department.

  • All records are correctly linked (see sample data below).

Problem:

  • In the Access Templates editor for Department, when I try to extend access, the Projects field does not appear as an option (the “+” is greyed out or the list is empty).

  • The “Automatically link departments to projects” option is greyed out, but I understand this is expected since data is already populated.

Sample Data:

  • Department “IT” has these Projects:

    • AI Possibilities for productivity and Service

    • Renew Salary/Comp Survey & Study

    • (…etc.)

  • Project “AI Possibilities for productivity and Service” points to Department “IT”.

  • Similar for other Departments and Projects.

What I Need:

  • I want to use Access Templates to extend access from Department to Projects (for tooltips, previews, and row-level security).

  • According to the documentation and my schema, this should work, but the option is missing in the UI.

Can you help me resolve this, or let me know if this is a bug or a limitation?

Thank you!

The question is: to whom do you want to extend access?
Are you talking about allowing someone who has access to the IT Department to automatically get access to its Projects? If so, how are you currently sharing the IT Department?
Is it by manually sharing the IT Department?
Or do you have a User relation to the Department, by which you can share it?
Perhaps the Department acts as a user group?

Yes that is the current setup:
If someone is in the IT department, they can now only see Projects that are also in the IT department. They do not have any database access beyond what’s granted from that relationship.
It is not from the manual sharing. Like, it works for access, but the tooltips describing the fields don’t populate because they don’t have access to the actual database (per Claude).

*Additional info*
I have a User relation to Department - the Department database has a Users collection field, and users have a Departments field linking them to their department(s)

  • This is how the current access control works (not manual sharing)

What I want to achieve with Access Templates:

  • Extend access from Department → Projects so users get direct View permissions on Projects (enabling tooltips) while keeping the same row-level security (they still only see their Department’s Projects)

The technical issue:

  • In Access Templates for Department, when I click “+” to extend access, the “Projects” collection field doesn’t appear as an option, even though the Department ↔ Projects relation exists and is populated

I have recreated your setup, as I understand it.

As far as I can tell, you should be sharing Departments with users via the User field. And if you also want to share Projects, you can just click the Extend button and they will get access to the items linked to the Department.
No custom access template is needed if this is enough.

Note, however, that if you want the access to propagate differently, e.g. view+update capability for the Department but only view capability for the linked Projects, or if you don’t want to propagate to every linked item (including Projects and Meetings), then you will need a custom access template.

Here is a video that I hope explains what I mean:

Of course, you need to consider that any Space-level access or specific Entity-level access could potentially override the database level access.

That was helpful, and I was tracking, but that button at 28 seconds to extend does not populate.

Do you mean that the button is not there, or that it cannot be pressed, or that pressing it does nothing?
Is your relationship between Departments and Projects many-to-many?

Meaning the button is completely not there, not that it is greyed out. The relationship was as shown:

Are you on Free, Standard or Pro?

I’m on the Pro tier

Is the Project database configured as a User Group?

I don’t see how it could be. My confidence level is improved by the fact that it doesn’t show up in the list of available user groups to invite when I go to another group and try to add a user or group access.

Check in the User db config. There’s a section called Groups.

Do you mean
‘when I go to another space and try to add a user or group access’?

Actually, if either of Departments or Projects is a User group, then you won’t see the extend button. Is that the case?

Projects is not, Departments is. However, I think I need Departments to remain a group in order for my access controls to work unless there is a better way. At the moment, I think that it’s set so that if a user and a project share a department, that’s what gives them access.

I’m not sure what you mean by this. If a User is connected to a Department, they are (indirectly) connected to the Department’s Projects.
The whole point of access controls in Fibery is that you can grant a user access to a Department and its Projects without needing a direct relation between Users and Projects.

Do you need to grant Users specific access to other spaces/databases/entities based on their membership of a Department?

That is the intention. I originally wasn’t aware of the new Pro feature that allowed access control like this and so I had created a project database for every department since I thought that I had to allow access at the database level. I discovered this and was able to delete all others and then share based on department membership. For scaling, I had intended Department to be how all other types of database access are granted.
Basically:
If entity = related to X Department
and User = also Related to X Department
Then, access is granted as well as whatever sub relationships (like tasks under projects)

Projects sharing tasks is working right now like this.

Yep, this is exactly the use case for custom access templates, whereby you define what access should be granted for a user who is linked to (i.e. member of) a department, with respect to the entities linked (directly or indirectly) to that department, e.g. view linked projects, edit tasks linked to those projects, view+comment on notes linked to those tasks, and so on.
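
A simplified model of the propagation rule discussed above (a user linked to a Department gets per-relation capabilities on entities linked to it), added here as an illustration; it is not part of the original thread and not Fibery's implementation. The entity names, the `TEMPLATE` structure and the function names are assumptions, and the sample data is constructed.

```python
from collections import deque

# Constructed sample workspace: (source entity, relation field, target entity).
LINKS = [
    ("dept:IT", "Projects", "proj:AI Possibilities"),
    ("dept:IT", "Projects", "proj:Salary Survey"),
    ("dept:IT", "Meetings", "meet:Standup"),
    ("dept:HR", "Projects", "proj:Onboarding"),
    ("proj:AI Possibilities", "Tasks", "task:Pilot"),
    ("task:Pilot", "Notes", "note:Kickoff"),
    ("proj:Onboarding", "Tasks", "task:Checklist"),
]
# User -> Departments they are linked to (the Department acts as the group).
MEMBERS = {"alice": ["dept:IT"], "bob": ["dept:HR"]}

# Hypothetical template: capabilities on the Department itself ("root"),
# then the capabilities granted when following each relation field.
TEMPLATE = {
    "root": {"view", "update"},
    "Projects": {"view"},
    "Tasks": {"view", "update"},
    "Notes": {"view", "comment"},
}

def effective_access(user, links=LINKS, members=MEMBERS, template=TEMPLATE):
    """Return {entity: capabilities} reachable from the user's Departments."""
    granted = {d: set(template["root"]) for d in members.get(user, [])}
    queue, seen = deque(granted), set(granted)
    while queue:
        node = queue.popleft()
        for src, field, dst in links:
            if src != node or field not in template:
                continue  # relations absent from the template do not propagate
            granted.setdefault(dst, set()).update(template[field])
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return granted

def can(user, capability, entity):
    """Default deny: anything not reached through the template is refused."""
    return capability in effective_access(user).get(entity, set())

if __name__ == "__main__":
    for entity, caps in sorted(effective_access("alice").items()):
        print(entity, sorted(caps))
```

The Meetings link is deliberately left out of `TEMPLATE`, so nothing propagates along it, and a user with no Department link gets no access at all.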

Right, but how do I solve the issue of the tooltips not coming up since people don’t have access to the actual database? A workaround could be a document, but I’m trying to simplify it as much as possible. When they mouse over columns, they don’t populate for any except admins that have access to the actual databases.

I’m not sure what you mean with this. Can you share a screenshot?