How to control document access via group membership?

Situation:

  • we are using Grist Omnibus with Microsoft AD
  • we have multiple workspaces with multiple documents (>10)
  • our AD users are organized into groups
  • access (+role) to a document should depend on AD group membership

Complication:

  • Grist doesn’t seem to have a concept of “group membership” or group-based access?
  • users have to be added manually to each and every document

What are the potential solutions?

We’d consider changing our setup to different authentication provider etc. if required. Please suggest everything you can think of.

Initial remedy ideas:

  1. Automate adding/removing users per document (RPA or write to the Grist backend database?)

  2. Document access rules
     • are again “per” document, but maybe that could be easier to automate. Have a script to push group membership per user into the document as a table, have access rules work with those memberships
     • Is there a way to sync access rules across documents?

  3. Pull request for Grist to have “groups” as a concept
     • sounds ambitious :wink: Does somebody know if something is on the roadmap? How likely is it to achieve?

  4. Use forward headers
     • control access rights completely outside Grist?

I’m wondering if there was something more advanced implemented on Enterprise cloud regarding capabilities of utilising existing access rights on Microsoft Entra ID (Active Directory)?
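A sketch of remedy idea 1 (automating adding/removing users per document), added here as an illustration and not taken from the thread or from Grist: it reconciles AD group membership against a document's current direct access and builds a change set shaped like the body of Grist's REST `PATCH /api/docs/{docId}/access` call. The group names, e-mail addresses, the group-to-role mapping and the `protected` service account are all constructed assumptions; fetching group members from AD and sending the request are left out.

```python
import json

ROLE_RANK = {"viewers": 1, "editors": 2, "owners": 3}  # lowest to highest

def desired_roles(group_members, group_roles):
    """Give each user the highest role granted by any group they belong to."""
    desired = {}
    for group, role in group_roles.items():
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r} for group {group!r}")
        for email in group_members.get(group, []):
            email = email.strip().lower()  # AD and Grist may differ in case
            if ROLE_RANK[role] > ROLE_RANK.get(desired.get(email), 0):
                desired[email] = role
    return desired

def access_delta(current, desired, protected=()):
    """Build the change set: the new role where it differs, None to revoke.

    `current` is assumed to hold only direct document-level grants.
    `protected` accounts are never revoked, so the sync cannot lock out
    the account it runs as.
    """
    current = {e.strip().lower(): r for e, r in current.items()}
    keep = {e.strip().lower() for e in protected}
    users = {e: r for e, r in desired.items() if current.get(e) != r}
    for email in current:
        if email not in desired and email not in keep:
            users[email] = None  # no longer in any mapped group: revoke
    return {"delta": {"users": users}}

# Constructed sample data (hypothetical groups and users).
GROUP_MEMBERS = {
    "GRP_Finance_RW": ["Alice@example.com", "bob@example.com"],
    "GRP_Finance_RO": ["bob@example.com", "carol@example.com"],
}
GROUP_ROLES = {"GRP_Finance_RW": "editors", "GRP_Finance_RO": "viewers"}
CURRENT_ACCESS = {
    "alice@example.com": "editors",
    "bob@example.com": "viewers",
    "dave@example.com": "editors",      # left both groups
    "svc-grist@example.com": "owners",  # account the sync runs as
}

if __name__ == "__main__":
    wanted = desired_roles(GROUP_MEMBERS, GROUP_ROLES)
    body = access_delta(CURRENT_ACCESS, wanted, protected=["svc-grist@example.com"])
    print(json.dumps(body, indent=2, sort_keys=True))
```

Running the same reconciliation per document, with one group-to-role mapping per document, keeps revocation (the `None` entries) in step with AD rather than relying on manual removal.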