If opting for route 2, the user can view entities via:
Shared with Me
Inbox
Admin created Universal Space, where views are created to display the Restricted Space > Accessible Database containing entities to which they have access.
Smart Section
Issue with viewing shared items in “Shared with Me”
There is no structure or filtering; it is simply a long list of shared items.
It is not visible on the side navigation
Entity is not searchable
Issue with viewing shared items in “Inbox”
It is congested
Gets lost after some time
Issue with viewing shared items in “Admin created Universal Space, where views are created to display the Restricted Space > Accessible Database containing entities to which they have access.”
You have to configure and maintain a space specifically for displaying shared/assigned items.
Users are not notified when they are added to an entity that is behind a restricted space.
Issue with viewing shared items in “Smart Section”
The structure starts at entity-level (Section > Entity) rather than Space > Folder > Entities or Views
There is no true organization functionality in the way you have with Spaces
Many entities in a section can be overwhelming on the sidebar
e.g.
We have a “Team Projects” space. We don’t necessarily want or need other team members to see all the details of other projects or tasks not relevant or assigned to them/their team.
Solely navigating related tasks via “Shared with Me” or “Inbox” is not viable. Instead, we create a “Home” space and provide access to all members. Then, we add “Project Board” and “Task Board”. From there, we give access to “Project Board > Tasks” and “Project Board > Projects” to relevant members as “Submitters”. “Created by” is the Owner and “Assignee” is an “Editor”. In theory, this works but presents other issues.
Maintainability. We have to manage another space purely to share restricted views from another space.
Redundancy. Some views are unnecessary for all members, so we need to create other Spaces to split views between them. For example, “Expense Report” is only for Field Technicians. We don’t want to put that in “Home” since other team members do not submit Expenses, and we don’t want other Technicians to see expense reports unrelated to them. Therefore, we need to create another universal space.
It is not visible in the Side Navigation and “People” entity. Since we are not allowing access to the “Space—Team Projects,” it is hidden in the Side navigation and from their People profile
Ideally, we can give users access to a space and only allow them to view entities that they are related to. Additionally, we can enable Submitter and Editor capabilities (but still only view their own). This would:
Improve manageability and privacy and reduce the need for restricted, universal spaces.
Enable visibility in Side Navigation and People Entity
When I last spoke with @antoniokov, this wasn’t on the map any time soon, so I figured I’d put in a formal request here to see if any other users need it.
We’re thinking about improvements to sidebar navigation to address this (and other issues).
You’re right that the left menu is not as useful for users who only have db/entity access as it should be.
It also appears that when hiding space but allowing access to a database within, users are not notified when they are added to the “People” field despite selecting “Notify people when they’re added.”
I mean that when they are linked to an entity and gain access. They do not have access to the “Space” but they do have explicit access to the “Database” as a “Submitter” and an “Editor” under Assignee field.
For now, we can circumvent this issue by creating an automation rule to notify the user, however, we need to build this out for each restricted Space/Database.
I think it makes sense to extend all of the native features related to database access to a user who has access to said database, even if they don’t have access to the entire space (e.g., the ability to view the space stripped of inaccessible databases and receive assignee notifications).
Another issue is jumping back and forth between “Space Share” and “Database Share”. Can we not merge the two? I think it would be ideal to “Extend” access from the Space to the Databases from one page.
I’m not aware of how Fibery handles restrictions, but assuming Fibery checks first if a user has access to a Space and determines visibility and notifications, maybe there should be a permission category (e.g. Editor) called “Limited” that can be used to apply when a user should not have full access of a Space but only select more databases within. In the main Share Space modal, it can also show that the user has “Limited” accessibility.
This would be incredibly helpful for us too. We have a geographic structure to our teams/spaces as these local teams are tight knit and collaborate a lot, but they don’t collaborate on everything. We’ve made do with the single space, but our sensitive info is kept outside of Fibery for this reason.
Within the space, we assign people to certain departments (a database), and then related each department to its meetings, docs, projects, etc. It would be great if there were a way to limit these various entities to people assigned to the related department. Or even more granular permission/access control would be acceptable.
Edit: I would vote for this, but I’ve already used up all my votes!
I think it would be better to define parent roles with sub-capabilities. Viewer, Commenter, and Editor should not be the starting point or overall role but rather the capability of a parent.
e.g.
Creator: Can do anything
Manager: Can do stuff with select spaces/databases and create new ones
Member: Can do stuff with related entities and ‘optionally’ create new ones
Ideally, space permissions could look something like:
I also noticed that you cannot use “groups” to manage database access.
I think it would be helpful if share settings were consolidated into one panel for ease of management. This further supports my earlier input regarding extending share capabilities from the “Share Space” panel rather than on each database. This way, you can easily see in a space from the panel if a user has access to, say, two databases and their capabilities.
Why not just use “Access Templates” to control access to the Space and Capabilities therein? Alternatively, if you’re using “Entity Based Access Templates,” they can override Space permissions on a per-entity basis and only be visible in “Shared with Me” and “Inbox.”
At the moment, Fibery access control is already quite complicated. Allowing users to customise access levels for spaces would add complexity which may not be warranted.
BTW, with respect to the title of this topic, I think it is unlikely that Fibery will support access control which involves ‘restrictions’.
Fibery’s permission model is fundamentally ‘additive’, that is to say, a user gets the capabilities based on the most permissive access that has been granted (for space, database or entity). So if a user has been granted edit access at the space level, there is no way to inhibit that at the entity level.
I think at the moment the biggest challenge arises when an admin/creator wants to grant a user some level of access to the views within a space, but not necessarily grant access to any/all of the databases in that space.
(whereas the opposite is possible)
In this case, it would seem that the solution is to separate the databases into a different space leaving the views accessible in the original.
I suppose the next best thing is the upcoming revamped side navigation structure. This way, we can organize views in a more cohesive and useful fashion.
Additionally, there is some bugginess around notifications of shared databases connected to the “People” field and hopefully that can be addressed.
I’m confused. The original topic is about sharing (or not) of entities.
The ability of users to see views and how they are organised in the left menu is unrelated to entity access.
The original post is about giving access to a Space but not allowing them to view all entities (only theirs).
The goal is to allow users to navigate to the branded Space (e.g. Team Projects) and see only their assigned entities (not others).
As of now, the only way to accomplish this, requires you to create “views” in a completely separate Space (e.g. Home or Team Projects #2" which contain “views”, which display the entities from the inaccessible parent Space but otherwise accessible child Database. Additionally, because the restricted parent Space is not accessible, native assignee notifications do not appear to work out-of-the-box and require you to configure an automated notification and “Watch” action when the linking a user to the entity, within the accessible Database but inaccessible Space.
This is cumbersome. It would be ideal if we could simply “restrict” users from seeing other entities (e.g. Projects, Tasks) in a Space, and we don’t have to create workaround Spaces and Views to accomplish this functionality. All views created in a the parent Space would automatically be visible (only showing assigned entities) and don’t need to be duplicated and added to a separate Space with access. However, you’re saying that is likely not going to happen.
So, I’m am trying to find the bright side… which is, “at least we can organize the views (i.e. access to the entities from the restricted Space) the way we want to”.
It still means we have to configure views in other areas to display the restricted Space’s entities, but at least there will be more flexibility in the way we can display them, “hopefully”.
Not sure if that provides more clarity. Feel free to correct me if I am missing something.
Have you considered using a smart section showing the entities (Projects or whatever) so that each user sees in the left sidebar (only) the Projects that they have access to?
This screenshot shows our current setup, where we have “Smart Sections” displaying projects and tasks. This setup works well for accessing the entities directly, but the limitation is in adding view types (like Kanban, Timeline, Table, List, Map) directly within these sections. So while we can view the entities themselves, we can’t easily navigate between the associated views within the same section.
Thanks for clarifying.
If you’re suggesting we set up an entity that functions as an access point for various views, how would you approach that?
Would you be referring to something like this layout?
If so, the challenge we still face is the limited flexibility in structuring the “Projects” section in the sidebar – specifically, the inability to display different views directly within the section. This is the constraint I mentioned regarding views like Kanban, Timeline, Table, List, Map, etc., which we hope might be addressed with the upcoming sidebar restructure.
I think the core issue I’m trying to highlight is that navigation in Fibery often feels challenging or overwhelming for users (especially non-technical or advanced users). My original suggestion aimed at addressing this broader usability concern by enhancing the structure and ease of access within the sidebar, while also making it more convenient for admins to protect and share entities within a Space.
Maybe we are misunderstanding each other, but you can add any views you like to any entity in a smart folder (as well as docs/wbs) and the views can be mirrored if that is useful to you.
And as I said before if another (non-Admin) user has only access to Project A, they will not see all the rest.
This is a great feature, but it doesn’t quite address my initial point.
My goal is to have Project A, Project B, etc., appear within a view at the Space level.
In your solution, the setup begins at the entity level, which makes it confusing to find a clear entry point to views like “All Tasks” (e.g., Projects & Tasks (Space) > Tasks Due Today (View)). Additionally, this is only an applicable solution if we’re using Smart Sections. Imagine we have 100 tasks. We may not want to use Smart Sections and have the left menu showing 100 entities, all utilizing mirrored views.
Ideally, users would navigate to a Space called “Team Projects,” select their desired view, and only then see Project A and Project B (their assigned projects) displayed within the view itself—not in the left menu.
Maybe this is not a necessary function to Fibery team but I think this discussion gives enough context, and perhaps others will add their input over time.
You don’t need to show all Tasks in the smart section. For example, you can add a filter to your smart section so that only those ‘Tasks assigned to Me’ are shown, and each user will not see 100s, just the ones that are relevant to them.
But overall, I think the solution to create a space (or spaces) to accommodate what you think are useful views for various team members who otherwise have no ‘entry point’ is the best option.
We have no plans on the horizon to make views individually access-controlled so space-level granularity is the best you can do.
Of course, you could encourage people to pin useful views as Favourites, so they don’t have to open a space with lots of views they don’t need.
I’m saying, what if there are 100 tasks relevant to said user.
I understand that. Hopefully others will express their thoughts and over time this may change.
Having lots of views in a Space was never our concern. Ideally, they have access to all views, in a Space, but only see entities related to them, as my initial post suggests.