Basics of Data Permissions: Use Cases

  • 23 March 2021
  • 0 replies
  • 18 views

Userlevel 1

Basics of Data Permissions: Use Cases

 

This article will review the basics of data permissions and how it works in the GoodData platform. Data permissions control what data a user can access in their GoodData workspace. This is incredibly useful for many of our clients as a single workspace can host a variety of users who need different data permissions applied. 

 

Let’s start by describing an example of an application of data permissions. Imagine you have sales analytics in a GoodData workspace for a single client. Your clients have different sales regions (i.e. East and West) and a sales manager from one sales region cannot view the sales from another region. To solve this, we can apply data permissions on the users based on sales region. 

 

Data Permissions Filter Rows

 

Data permissions in GoodData are row-level filters. This means that users can only see relevant data records with their assigned data permission. Similar to a dashboard filter, think of the data permissions as a user specific filtered view of their workspace. In the sales example, let’s say we have two different sales managers Sally and Stella. Sally manages the East sales team and Stella manages the West sales team. As long as the data permissions are set correctly, the GoodData platform will securely ensure that they don’t see sales relevant to the sales teams that are not their own.

 

Sales Fact Table Data:

 

Sales Representative

Region

Sales Amount

Sale Date

Arnold

East

$100

2021-01-01

Janet

East

$500

2021-01-01

John

West

$300

2021-01-01

Andrew

West

$250

2021-01-01

Nancy

North

$200

2021-01-01

Lee

South

$150

2021-01-01


 

In this example, the data permission conditions would be as follows:

 

Input

User

Region

sally@sales.com

East

stella@sales.com

West

 

Result

User Filter

Region = ‘East’

Region = ‘West’

 

With these data permissions set in GoodData, Sally will only see the data records in green where Region = ‘East’ and Stella will only see the data records in blue where Region = ‘West’.

 

Multiple Users Can Have the Same Permissions

 

Now that we understand what data permissions are, let’s explore the extent of configuration options with these filters on the GoodData platform. You can assign the same permission to multiple users. To show this in practice, let’s say that Sally has a colleague named Drew who also manages sales in the East. Both Sally and Drew will be assigned the same permission object of Region = ‘East’.


 

Input

User

Region

sally@sales.com

East

stella@sales.com

West

drew@sales.com

East

 

Result

User Filter

Region = ‘East’

Region = ‘West’

Region = ‘East’

 

With these data permissions set, both Sally and Drew will only see data records as shown above in green where Region = ‘East’.

 

Setting Multiple Attribute Permissions to Users

 

If there are multiple attribute filters that should be applied to a user, you can apply multiple data permission objects to a user. An important note is that the multiple permission objects will be applied using an AND operator. Let’s say Sally’s colleague Drew manages a team in the East but he also manages a team that focuses on the Technology Industry. Drew can have two different data permission objects assigned to his user, and the platform will recognize that Drew should view only data related to Region = ‘East’ AND Industry = ‘Technology’. Additionally, if teammate Frank should access regions North and South, their permissions can be set to view Regions North and South.

 

Input

User

Region

Industry

sally@sales.com

East

 

stella@sales.com

West

 

drew@sales.com

East

Technology

frank@sales.com

North, South

 

 

Result

User Filter

Region = ‘East’

Region = ‘West’

Region = ‘East’ AND Industry = ‘Technology’

Region IN (‘North’,’South’)

 

Now let’s look at what each use will have access to:

 

Sales Representative

Region

Industry

Sales Amount

Sale Date

Arnold

East

Technology

$100

2021-01-01

Janet

East

Healthcare

$500

2021-01-01

John

West

Technology

$300

2021-01-01

Andrew

West

Healthcare

$250

2021-01-01

Nancy

North

Technology

$200

2021-01-01

Lee

South

Healthcare

$150

2021-01-01

 

With the permissions set, Drew will have access to the orange rows, Sally will have access to the orange and green rows, Stella will have access to the blue rows, and Frank will have access to the yellow rows.

 

So far, we have discussed what will happen to restrict the data for certain users, but what if a user needs access to all of the data? If a user should see all data records in a workspace, simply do not assign a permission to them. This way, the platform won’t assign any filtering criteria to the user.

 

Restriction by Datasets in the LDM

 

One important note is that data permissions are row level filters that follow the relationships defined in the Logical Data Model (LDM). If there are datasets that are not mapped to the filtered attributes, these datasets will remain unfiltered for the end user. For example, in the sales model let’s say there is a separate fact table to track the performance of the sales reps. If the fact table does not have any relationship to the Industry and Region attributes, the end users will be able to see all records in this table. 

2zKeDM6iY2BRt94FXOTEq2Yhq9X04gwviprJRJwG8QXU6uy2ht8y8fFyYNaBiyhhV4ABoHQHyR8j6eBvnNKOMhOibXSBuGKZ-wBF4Mq-U2AmFuRMEwkZi8UQ_lW4zpLG5RdJy3o0

 

The tables in the LDM that are outlined in red will not be filtered by the user filters because they do not have any direct relationship to the filter attributes (Region and Industry). It is important to design your LDM with these data filter attributes in mind so that the necessary mappings are in place to filter the data your use case requires.


0 replies

Be the first to reply!

Reply