Hi all, I'm having an issue managing permissions on an API access token for a specific case. We want to provide an API access token that only allows view and export access to data available in a particular workspace. To do so we have done the following: • Created a user that only has access to that workspace • Gave the user self create token permissions • This token should only let them view data available in a workspace. However, for a drill down visualization that has filters within that workspace, it seem like once exported it does not retain the filters and exposes data outside of the filters set for that workspace. Is there a way to manage permissions in order to prevent this?

As a follow up here: • For example - if Customer A has a dashboard that has specific filters and contains visualizations that are filtered by the overarching dashboard filters and they click any of the visuals to export data - they only see their customer data to download from that visualization • Does this hold true for API exports also? It is assumed that similarly to exporting the drill-down directly from gooddata cloud UX the API export would produce the same export result given the dashboard filters. For context, we operate in a parent child structure where all visuals are created in the parent workspace and then child workspaces (customer workspaces) have their own custom dashboards with the visualizations created in the parent workspace.

Hi Faiza and Max, API tokens are assigned to specific users and it should serve to authenticate via the API to resources and data the user can already access via the API. With this in mind, could you please confirm whether the user can also see the data they are not supposed to see when doing the export via the UI? It may not be the case, but a drill down can certainly lead to a hidden dashboard, note that hiding a dashboard is not a security feature. Currently, only Workspace and User data filters are considered proper features to restrict the data (https://www.gooddata.com/docs/cloud/workspaces/workspace-data-filters/) If further assistance is needed, could you please provide the exact steps to reproduce the issue? For example: how was the filter created? What permissions are assigned to the user? Which endpoint is being used to trigger the export? And how was the drill-down configured?

@Moises Morales Yes, when a user with the same permissions exports the drill down via the UI, they are only able to see data that respects the filters in the workspace. @Max Donsky Can you provide more details on how the filter / drill down was created? In terms of permissions, the user has restricted access to one dashboard within one workspace as well as API token creation permissions. They only have view and export permissions within that workspace. The endpoints being used for export were: • POST /api/v1/actions/workspaces/:workspace_id/export/tabular • GET /api/v1/actions/workspaces/workspace id/export/tabular/export_id

Hi @Faizah Sayyid and @Max Donsky, thank you for the details. Please send your next replies in our internal ticket here so we can keep the communication organized: https://gooddata.zendesk.com/agent/tickets/125213