Domino Apps provide built-in security features that control what users can access and interact with from your App.
Each App adopts the permissions of the current viewer by default. This determines what the user can access from the App, including Datasets, Data Sources, and project files.
If the SecureIdentityPropagationToAppsEnabled feature flag is disabled, the App runs with the App creator’s permissions instead.
You can also identify individual users who interact with the App, enabling personalized experiences and permission-aware behavior.
App security and identity has complete details about identity propagation, authentication headers, and JWT tokens.
By default, Apps mount NetApp Volumes and Datasets that the App creator can access, which means viewers can inherit permissions to data they wouldn’t normally have.
To enforce viewer-specific permissions, use the dominodatalab-data SDK. The SDK routes access through Domino’s API and applies the viewer’s actual permissions.
Before you begin, verify with your Domino administrator that SecureIdentityPropagationToAppsEnabled is enabled. Administrators can disable direct mounting entirely to prevent permission inheritance.
-
In Publish Domino App on the Data menu, select Mount NetApp Volumes to App file system.
-
In your App code, use:
-
The
domino-usernameheader, or -
The decoded JWT token
-
-
Use the
dominodatalab-dataPython or R SDK to read, write, and download volume files based on the viewer’s identity.
This setup lets you serve a single App to multiple users while tailoring data access according to Domino’s role-based permissions.
-
Apps security and identity has complete details about identity propagation, authentication headers, and JWT tokens.
-
Persist data using Datasets or external storage to make your Apps more dynamic and interactive.
-
Create and Publish an App has instructions on creating and publishing your Apps, customizing the App’s URL, and sharing Apps with authorized users.