Using Domain Groups for Application Access Control

If your app users are all part of a corporate domain, you can use domain security groups to control access to an AppSheet app.

The advantage of this approach is that access control decisions can be made at one spot rather than in each app. For example, if there is a domain security group called 'Admins', you can set up your app to only be accessible to members of this group. As specific employees are added or removed from the group, their access to the app dynamically changes as well.

Using domain groups requires a corporate plan. Further, the app creator account needs to have permissions to read the list of groups from the domain and to read the membership of individual groups. To set this up:

  1. In the Account page, go to the Auth Domains tab and add a new auth source. AppSheet currently supports Google Domains with support for Microsoft Active Directory coming soon. By adding an auth source, you are giving AppSheet permissions to read the list of groups and the group membership for any domains that your account has access to.
  2. In the app editor, go to the Security tab and the Domain Integration pane. Enable the option to require domain authentication. You will then need to choose the domain auth source (what you added in step 1), the domain name (eg: mycompany.com) and the group name (eg: Admins)
  3. Save your changes

Your app is now accessible to anyone explicitly on the user whitelist and additionally to anyone in the domain security group chosen. It would be a recommended good practice to remove users from the whitelist and manage security entirely through the domain security group.

Configure Google Domains to enable API access

You may need to first configure your Google domain to enable API access. To do so,

  • Log in to the admin account for your Google domain (or G-Suite domain)
  • Select Security. If you do not see Security listed, select More controls and then select Security from the options shown in the gray box.
  • Select API reference, and then select the checkbox to Enable API access
  • Save your changes.

 

 

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.