Domino Apps provide built-in security features that control what users can access and interact with from your App.
Each App adopts the permissions of the current viewer by default. This determines what the user can access from the App, including Datasets, Data Sources, and project files. You can also identify individual users who interact with the App, enabling personalized experiences and permission-aware behavior.
Before you begin, verify with Domino Support that this feature is enabled. If it is disabled, the App runs with the App creator’s permissions instead.
App security and identity has complete details about identity propagation, authentication headers, and JWT tokens.
By default, Apps mount NetApp Volumes and Datasets that the App creator can access, which means viewers can inherit permissions to data they wouldn’t normally have. Contact Domino Support to disable permission inheritance.
To enforce viewer-specific permissions, use the dominodatalab-data SDK. The SDK routes access through Domino’s API and applies the viewer’s actual permissions.
- In Publish Domino App, from the Data menu, choose Mount NetApp Volumes to App file system. This disables direct filesystem access to Volumes and ensures access is routed through Domino’s API.
- In your App code, use:
  - The domino-username header, or
  - The decoded JWT token
- Use the dominodatalab-data Python or R SDK to read, write, and download specific volume files, enforcing access logic based on the requesting user’s identity.
This setup lets you serve a single App to multiple users while tailoring data access according to Domino’s role-based permissions.
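The identity step above can be written so that the App denies access whenever the viewer is ambiguous. This is an added example, not Domino's code. It reads the domino-username header named on this page and, when a JWT is present, cross-checks it against the token. The header that carries the JWT and the claim that holds the username are assumptions, and the token's signature is not verified here.

```python
import base64
import json
import time

USERNAME_HEADER = "domino-username"    # header named on this page
JWT_HEADER = "authorization"           # assumption: header that carries the JWT
USERNAME_CLAIM = "preferred_username"  # assumption: claim that holds the username

class IdentityError(Exception):
    """Raised when the viewer cannot be identified; callers should deny access."""

def decode_jwt_claims(token):
    """Return the claims of a JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdentityError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:
        raise IdentityError("undecodable JWT payload") from exc
    if not isinstance(claims, dict):
        raise IdentityError("JWT payload is not an object")
    return claims

def resolve_viewer(headers, now=None):
    """Identify the requesting user from App request headers, failing closed."""
    now = time.time() if now is None else now
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    header_user = lowered.get(USERNAME_HEADER) or None
    token_user = None
    raw = lowered.get(JWT_HEADER, "")
    if raw:
        claims = decode_jwt_claims(raw.removeprefix("Bearer ").strip())
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            raise IdentityError("JWT expired or missing exp")
        token_user = claims.get(USERNAME_CLAIM) or None
    if header_user and token_user and header_user != token_user:
        raise IdentityError("header and JWT disagree about the viewer")
    viewer = token_user or header_user
    if not viewer:
        raise IdentityError("no viewer identity on request")
    return viewer

if __name__ == "__main__":
    # Constructed request headers, for illustration only.
    print(resolve_viewer({"Domino-Username": "alice"}))
```

Pass the returned username into the data-access logic that calls the SDK, and treat `IdentityError` as a denied request rather than falling back to a default user.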
- Apps security and identity has complete details about identity propagation, authentication headers, and JWT tokens.
- Persist data using Datasets or external storage to make your Apps more dynamic and interactive.
- Create and Publish an App has instructions on creating and publishing your Apps, customizing the App’s URL, and sharing Apps with authorized users.
