Upcoming changes to access control within Kissflow
In the next two weeks, we're rolling out critical changes to how access control functions within Kissflow.
The issue: Kissflow currently manages access control via user types, inadvertently granting some users more access than intended. For instance, a User Admin, whose primary function was to manage users, also had access to billing data.
The solution: Moving from user types to user roles will ensure more granular and accurate access control of your Kissflow users.
Note:
All existing user types will be automatically mapped to the corresponding user roles. Ex: Super Admin to Super Admin, User Admin to User Admin.
What's changing?
Optional role assignment: Unlike before, where every user was assigned one of the four user types, role assignment will now be optional.
Multiple role assignment: Users can have multiple roles assigned to them. For example, if you want a User Admin to have access to the billing page, you can assign them the Billing Admin role in addition to their User Admin role.
New roles and updated permissions:
Introducing IAM Admin and App Store Admin roles.
IAM Admin: Manages access control and is responsible for security and user provisioning.
App Store Admin: Can install apps from the App Store.
Shifting some permissions from User Admin to IAM Admin.
Note:
No permission changes exist for the Billing Admin and Super Admin roles.
Updated permission list
Permission/Role | IAM Admin | Existing User Admin | New User Admin
View/Update account details | β | β | β
View Account Owner | β | β | β
View/Customize account | β | β | β
View/Update mobile branding | β | β | β
View/Update connected domains | β | β | β
View/Update format settings | β | β | β
Manage weekends | β | β | β
View/Update holidays | β | β | β
View/Update geo-location settings | β | β | β
Chat settings | β | β | β
File upload settings | β | β | β
View/Update account security | β | β | β
Notification settings | β | β | β
View/Update flow settings | β | β | β
Add/Update user | β | β | β
Update user role | β | β | β
Activate user | β | β | β
Deactivate user | β | β | β
2FA enrollment | β | β | β
Reset password | β | β | β
Resend verification email | β | β | β
Delete user | β | β | β
Export user data | β | β | β
View user data | β | β | β
SCIM IdP | β | β | β
Configure SCIM IdP | β | β | β
Sync SCIM IdP | β | β | β
Enable SCIM IdP | β | β | β
View group | β | β | β
Create group | β | β | β
Update group | β | β | β
Delete group | β | β | β
Update group role | β | β | β
Update members | β | β | β
User management logs | β | β | β
Group management logs | β | β | β
Account management logs | β | β | β
Install Apps | β | β | β
Enquire | β | β | β
View App Store (and Apps) | β | β | β
Create Service Account | β | β | β
View Service Account | β | β | β
View/Edit App environment | β | β | β
Manage App environment users | β | β | β
Roles in user groups
You will have the ability to add roles to user groups. Every user and sub-group within a parent group will inherit the roles assigned to the parent group.
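Because roles are inherited from parent groups and a user can hold several roles, an access review has to resolve each user's effective roles through the whole group tree. The following is an added example, not Kissflow code or its API: the group tree, memberships and function names are constructed assumptions, and only the role names come from this announcement.

```python
# Added example: hypothetical data model, not Kissflow's API or schema.
from collections import defaultdict

# Constructed sample data. Role names are the ones this announcement lists.
# sub-group -> parent group (None marks a top-level group)
GROUP_PARENT = {"emea-support": "support", "support": "operations",
                "operations": None, "finance": None}
# roles assigned directly to a group
GROUP_ROLES = {"operations": {"IAM Admin"}, "finance": {"Billing Admin"}}
# user -> groups the user is a direct member of
USER_GROUPS = {"asha": ["emea-support"], "ben": ["finance"], "chen": []}
# direct role assignment is optional and may include several roles
USER_ROLES = {"asha": {"User Admin"}, "ben": {"User Admin", "Billing Admin"}}


def group_roles(group):
    """Roles a group holds: its own plus everything inherited from ancestors."""
    roles, seen = set(), set()
    while group is not None and group not in seen:  # 'seen' stops on a cycle
        seen.add(group)
        roles |= GROUP_ROLES.get(group, set())
        group = GROUP_PARENT.get(group)
    return roles


def effective_roles(user):
    """Map each effective role to the set of sources that grant it."""
    sources = defaultdict(set)
    for role in USER_ROLES.get(user, set()):
        sources[role].add("direct")
    for group in USER_GROUPS.get(user, []):
        for role in group_roles(group):
            sources[role].add(f"group:{group}")
    return dict(sources)


def inherited_only(user):
    """Roles held solely through group membership (candidates for review)."""
    return sorted(r for r, s in effective_roles(user).items() if "direct" not in s)


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, effective_roles(user), "inherited only:", inherited_only(user))
```

In this sample, asha is assigned only User Admin directly but ends up with IAM Admin through a group two levels up, which is the kind of grant a review of direct assignments alone would miss.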
Deprecation of UserType field
As we transition to roles, the UserType field will be deprecated and replaced with a Roles field. This may affect instances where the UserType field was previously used.
Impact and actions required
Component | Impact | Required action
Advanced filter | The filter will remain but won't function correctly | Clear the Advanced filter
Basic filter | The filter will remain but won't function correctly | Clear the Basic filter
Form field | The UserType field will not be populated correctly | Remove the field UserType from the form
Analytics report | The report will not function properly | Remove UserType from the report/query
Integration | Conditional step - The condition will always be evaluated as false. Field mapping - A null value will be passed instead of the actual User type. | Remove the field UserType for both instances
Developer APIs | Create a user - Roles will replace User Type in the response. Get user list - Roles will replace User Type in Query parameters and API response. | Replace any existing APIs that you have preconfigured
These changes won't affect how roles within Processes, Boards, Datasets, and Applications work. We will roll out these changes around the second week of October, 2023.
If you're looking forward to this upcoming change, go ahead and like this topic. If you have any questions or queries about it, please comment below, and we'll be happy to assist you.
FAQ
I have used fields such as User Field and User.FirstName in my form. Do I need to fix them?
No. You must only remove the field User.userType from your forms and integrations.