Skip to main content

Inviting your team

On Rowy, you can collaborate with your team members using fine granular permission controls. Rowy uses role-based access controls through Firestore Security Rules and custom claims in Firebase Authentication.

If interested, you can read more about:

Custom claims 
Firestore Security Rules 

Inviting users and assigning roles

'ADMIN' users can invite their team members/other users to gain access to data on Rowy. Access can be give at table level or field level using "User Management" section or Firebase Admin SDK.

Rowy Run required

To use User Management, make sure you have setup Rowy via Option 1 guided process. If prompted, setup Rowy Run in the Rowy UI. If you are using the manual installation process, follow the instructions in the Firebase Admin SDK tab above.

Set user roles in User Management

In User Management, you can set the roles of users who have already signed in to your Rowy project. You can write any custom role and set your table roles accordingly.

Screenshot of invite
user modal

Invite users in User Management

You can also invite a user who hasn’t signed in to your Rowy project in User Management.

Click Invite User and enter the user’s email address and set their roles. Rowy Run will create a new Firebase Authentication user with those details. We’ll send them an email inviting them to sign up to your Rowy project.

Invite URL

By default, the invite URL sent in the email assumes you’ve deployed Rowy on rowy.app. If you’re self-hosting Rowy, this link will not work for your users.

Screenshot of invite
user modal

Write Firestore Security Rules with user roles

You can set Firestore Security Rules in the Firebase Console 

If you’re not familiar with writing Firestore Security Rules, read the Firebase guide 

Required rules

Required

Rowy configuration is stored in the _rowy_ collection on Firestore. Your users will need read access to this collection and admins will need write access. The following rules add those permissions.

rules_version = '2'
service cloud.firestore {
match /databases/{database}/documents {

// Allow admins to read and write all documents
match /{document=**} {
allow read, write: if hasAnyRole(["ADMIN", "OWNER"]);
}

// Rowy: Allow signed in users to read Rowy configuration and admins to write
match /_rowy_/{docId} {
allow read: if request.auth != null;
allow write: if hasAnyRole(["ADMIN", "OWNER"]);
match /{document=**} {
allow read: if request.auth != null;
allow write: if hasAnyRole(["ADMIN", "OWNER"]);
}
}
// Rowy: Allow users to edit their settings
match /_rowy_/userManagement/users/{userId} {
allow get, update, delete: if isDocOwner(userId);
allow create: if request.auth != null;
}
// Rowy: Allow public to read public Rowy configuration
match /_rowy_/publicSettings {
allow get: if true;
}

// Rowy: Utility functions
function isDocOwner(docId) {
return request.auth != null && (request.auth.uid == resource.id || request.auth.uid == docId);
}
function hasAnyRole(roles) {
return request.auth != null && request.auth.token.roles.hasAny(roles);
}

}
}

Table rules

Write table rules that match the roles you set in your table settings. The following are examples of different table rules, using the helper functions in the required rules above.
Read more about how to write rules 

Set Firestore Security Rules in the Firebase Console 

Example: Collection open to public

match /openToPublic/{docId} {
allow read: if request.auth != null;
allow write: if hasAnyRole(["ADMIN", "EDITOR"]);
}

Example: Collection and subcollections open to public

match /openToPublicWithSubcollections/{document=**} {
allow read: if request.auth != null;
allow write: if hasAnyRole(["ADMIN", "EDITOR"]);
}

Example: User data

match /users/{docId} {
allow create: if request.auth != null;
allow get, update, delete: if isDocOwner();
}

Example: Admin-only

match /adminOnly/{docId} {
allow read, write: if hasAnyRole(["ADMIN", "EDITOR"]);
}