I’m not sure I understand.
If a user does not have any access to a database, he/she can be granted access to a specific entity (and its related entities) at whatever level you want, including view-only. Isn’t this ‘visibility restrictions’?
Entity-level access does already exist.
The detail you quoted refers to being able to grant in batch to a group of users (as opposed to granting on a single-user-at-a-time basis). See later in this comment.
Wrt your proposed scenario, here’s what I imagine the databases/entities might look like, and what you would want to do with permissions (as currently possible):
Relations:
- Team → Projects
- Projects ↔ Financials

Team entities:
- Team A
- Team B

Project entities:
- Project X (Team A)
- Project Y (Team A)
- Project Z (Team B)

Financial entities:
- Financial 1 (Project X)
- Financial 2 (Project Y)
- Financial 3 (Project X and Project Y)
- Financial 4 (Project X and Project Z)
For an admin, this would look like this in a table view:
The space(s) where these databases are stored should be configured with no access for any users.
Now, you would need to define two custom access templates:
Now you need to grant access accordingly, using the Share button on each Team entity. So if Freddie is CFO for Team A, and Mary is only a team member, this is what that would look like:
When this is all done, this is what Freddie sees when he signs in and looks at Team A:
(he is able to see Team A and the related Projects, and can edit the related Financials)
Meanwhile, this is what Mary sees:
(she is able to see Team A, edit the related Projects, but has no insight into the Financials)
If it helps, you can create a space (with no databases) where you can add useful views, e.g.
what Freddie sees:
what Mary sees:
I believe this gets what you want. What do you think?
And this functionality can be scaled to achieve almost any role-based access permissions you might want.
Future
There are still some nice-to-haves which are not yet possible, but should be possible soon:
- granting access automatically based on relations, e.g. you don’t have to configure entity-sharing every time a new person joins the company, you just link them to the entity:
(this would also include automatically granting access to the user who is the ‘Created By’ user)
- entity-sharing based on membership of group, e.g. you don’t grant ‘Finance officer’ access to just Freddie, but rather to a set of users who are part of a role group
- more configurable database-level permissions, e.g. allowing users to create new entities, see just the ones they have created, but not allowing them to edit entities (including ones they have created).
This could be useful for example for bug reporting, so a user can post a bug report and follow its progress, but nothing more.
If you think there is something missing, let us know.
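
The scenario in the post above can be modelled offline to check who ends up with which access. This is an added example, not code from the post or from the product: the template names, the level each template grants per hop, and the propagation rule (Team → Projects → Financials) are assumptions, since the post's screenshots are not available. It also lists Financials that a user can reach even though they are linked to a project outside the shared team.

```python
# Constructed model of the scenario in the post; not the product's API.
TEAM_PROJECTS = {"Team A": ["Project X", "Project Y"], "Team B": ["Project Z"]}
PROJECT_FINANCIALS = {
    "Project X": ["Financial 1", "Financial 3", "Financial 4"],
    "Project Y": ["Financial 2", "Financial 3"],
    "Project Z": ["Financial 4"],
}
# Assumed template contents: access level granted at each hop from the shared Team.
TEMPLATES = {
    "Finance officer": {"team": "view", "project": "view", "financial": "edit"},
    "Team member": {"team": "view", "project": "edit", "financial": None},
}
# Grants made with the Share button on a Team entity: (user, team, template).
SHARES = [("Freddie", "Team A", "Finance officer"), ("Mary", "Team A", "Team member")]
RANK = {None: 0, "view": 1, "edit": 2}


def effective_access(user):
    """Return {entity: level}; anything absent is denied (space has no access)."""
    acl = {}

    def grant(entity, level):
        # Keep the strongest level when an entity is reachable by several paths.
        if RANK[level] > RANK[acl.get(entity)]:
            acl[entity] = level

    for who, team, template in SHARES:
        if who != user:
            continue
        levels = TEMPLATES[template]
        grant(team, levels["team"])
        for project in TEAM_PROJECTS[team]:
            grant(project, levels["project"])
            for financial in PROJECT_FINANCIALS[project]:
                grant(financial, levels["financial"])
    return acl


def shared_outside_scope(user):
    """Financials the user can reach that are also linked to a project they cannot see."""
    acl = effective_access(user)
    return sorted({f for project, fins in PROJECT_FINANCIALS.items()
                   if project not in acl for f in fins if f in acl})


if __name__ == "__main__":
    for name in ("Freddie", "Mary"):
        print(name, effective_access(name), shared_outside_scope(name))
```

In this model Freddie's edit right on Financial 4 arrives through Project X, although that entity is also linked to Team B's Project Z, so entities shared across teams are worth reviewing before a Team is shared.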