Basics of Data Permissions: Use Cases
This article will review the basics of data permissions and how it works in the GoodData platform. Data permissions control what data a user can access in their GoodData workspace. This is incredibly useful for many of our clients as a single workspace can host a variety of users who need different data permissions applied.
Let’s start by describing an example of an application of data permissions. Imagine you have sales analytics in a GoodData workspace for a single client. Your clients have different sales regions (i.e. East and West) and a sales manager from one sales region cannot view the sales from another region. To solve this, we can apply data permissions on the users based on sales region.
Data Permissions Filter Rows
Data permissions in GoodData are row-level filters. This means that users can only see relevant data records with their assigned data permission. Similar to a dashboard filter, think of the data permissions as a user specific filtered view of their workspace. In the sales example, let’s say we have two different sales managers Sally and Stella. Sally manages the East sales team and Stella manages the West sales team. As long as the data permissions are set correctly, the GoodData platform will securely ensure that they don’t see sales relevant to the sales teams that are not their own.
Sales Fact Table Data:
| Sales Representative | Region | Sales Amount | Sale Date |
| Arnold | East | $100 | 2021-01-01 |
| Janet | East | $500 | 2021-01-01 |
| John | West | $300 | 2021-01-01 |
| Andrew | West | $250 | 2021-01-01 |
| Nancy | North | $200 | 2021-01-01 |
| Lee | South | $150 | 2021-01-01 |
In this example, the data permission conditions would be as follows:
| Input | |
| User | Region |
| sally@sales.com | East |
| stella@sales.com | West |
| Result |
| User Filter |
| Region = ‘East’ |
| Region = ‘West’ |
With these data permissions set in GoodData, Sally will only see the data records in green where Region = ‘East’ and Stella will only see the data records in blue where Region = ‘West’.
Multiple Users Can Have the Same Permissions
Now that we understand what data permissions are, let’s explore the extent of configuration options with these filters on the GoodData platform. You can assign the same permission to multiple users. To show this in practice, let’s say that Sally has a colleague named Drew who also manages sales in the East. Both Sally and Drew will be assigned the same permission object of Region = ‘East’.
| Input | |
| User | Region |
| sally@sales.com | East |
| stella@sales.com | West |
| drew@sales.com | East |
| Result |
| User Filter |
| Region = ‘East’ |
| Region = ‘West’ |
| Region = ‘East’ |
With these data permissions set, both Sally and Drew will only see data records as shown above in green where Region = ‘East’.
Setting Multiple Attribute Permissions to Users
If there are multiple attribute filters that should be applied to a user, you can apply multiple data permission objects to a user. An important note is that the multiple permission objects will be applied using an AND operator. Let’s say Sally’s colleague Drew manages a team in the East but he also manages a team that focuses on the Technology Industry. Drew can have two different data permission objects assigned to his user, and the platform will recognize that Drew should view only data related to Region = ‘East’ AND Industry = ‘Technology’. Additionally, if teammate Frank should access regions North and South, their permissions can be set to view Regions North and South.
| Input | ||
| User | Region | Industry |
| sally@sales.com | East | |
| stella@sales.com | West | |
| drew@sales.com | East | Technology |
| frank@sales.com | North, South | |
| Result |
| User Filter |
| Region = ‘East’ |
| Region = ‘West’ |
| Region = ‘East’ AND Industry = ‘Technology’ |
| Region IN (‘North’,’South’) |
Now let’s look at what each use will have access to:
| Sales Representative | Region | Industry | Sales Amount | Sale Date |
| Arnold | East | Technology | $100 | 2021-01-01 |
| Janet | East | Healthcare | $500 | 2021-01-01 |
| John | West | Technology | $300 | 2021-01-01 |
| Andrew | West | Healthcare | $250 | 2021-01-01 |
| Nancy | North | Technology | $200 | 2021-01-01 |
| Lee | South | Healthcare | $150 | 2021-01-01 |
With the permissions set, Drew will have access to the orange rows, Sally will have access to the orange and green rows, Stella will have access to the blue rows, and Frank will have access to the yellow rows.
So far, we have discussed what will happen to restrict the data for certain users, but what if a user needs access to all of the data? If a user should see all data records in a workspace, simply do not assign a permission to them. This way, the platform won’t assign any filtering criteria to the user.
Restriction by Datasets in the LDM
One important note is that data permissions are row level filters that follow the relationships defined in the Logical Data Model (LDM). If there are datasets that are not mapped to the filtered attributes, these datasets will remain unfiltered for the end user. For example, in the sales model let’s say there is a separate fact table to track the performance of the sales reps. If the fact table does not have any relationship to the Industry and Region attributes, the end users will be able to see all records in this table.
The tables in the LDM that are outlined in red will not be filtered by the user filters because they do not have any direct relationship to the filter attributes (Region and Industry). It is important to design your LDM with these data filter attributes in mind so that the necessary mappings are in place to filter the data your use case requires.