Object access permissions
DataLens access control is implemented at the object and the directory level.
You can grant users permission to each object and directory. These permissions determine which operations are allowed. If you created or copied a directory or object, they will have the same permissions as their new parent directory.
You can grant users access to a directory or any service object:
Note
To control access to individual fields or their values, use RLS. This will allow you, for example, to display different information for different users on a single dashboard.
Permissions can be granted to individual users or the All group that includes users who passed authentication. Users can also request permissions on their own via the request form. For more information, see Requesting permissions.
You can grant the following permissions to objects and directories in DataLens:
Execute
A user with the Execute permission for a connection can make requests to it but cannot create datasets. Regardless of the dataset permissions, the user cannot access a list of tables in a dataset or view the SQL subquery the dataset is based on.
A user with the Execute permission for a dataset can run queries against it but cannot create or edit charts or view the dataset.
Warning
You can grant the Execute access permission only for connections and datasets.
Granting users the Execute permission allows you to:
-
Reduce the number of requests to the source, thereby reducing the load on the connection source.
-
Better control what data can be shown from a dataset. You can hide some source fields so that users cannot view all fields.
-
Restrict the creation of subqueries to the source database. A user with the
Executepermission cannot write subqueries.
Read
A user with the Read permission can view dashboards, widgets, datasets, and directories.
Warning
The Read permission does not allow copying datasets, because they contain the RLS settings. A user can only copy datasets if granted the Write or Admin permission.
Write
A user with the Write permission can edit dashboards, widgets, connections, datasets, and directories.
The Write permission includes everything included in the Read permission.
Admin
A user with the Admin permission can edit available objects and directories, as well as change permissions. The directory administrator can assign permissions for all nested directories and objects.
The Admin permission includes everything included in the Write permission.
Table of permissions
| Access object Action |
Execute | Read | Write | Admin |
|---|---|---|---|---|
| Directory | ||||
| Viewing a directory | N/A | |||
| Editing a directory | N/A | |||
| Renaming a directory | N/A | |||
| Moving a folder | N/A | |||
| Deleting a directory | N/A | |||
| Editing access permissions | N/A | |||
| Connection | ||||
| Making queries to a connection |
||||
| Creating a dataset based on a connection |
||||
| Viewing parameters parameters |
||||
| Editing a connection | ||||
| Moving a connection | ||||
| Deleting a connection | ||||
| Editing access permissions | ||||
| Dataset | ||||
| Making queries to a dataset |
||||
| Creating a chart based on a dataset |
||||
| Viewing a dataset | ||||
| Editing a dataset | ||||
| Copying a dataset | ||||
| Moving a dataset | ||||
| Deleting a dataset | ||||
| Editing access permissions | ||||
| Chart | ||||
| Viewing a chart | N/A | |||
| Editing a chart | N/A | |||
| Copying a chart | N/A | |||
| Deleting a chart | N/A | |||
| Moving a chart | N/A | |||
| Editing access permissions | N/A | |||
| Granting public access | N/A | |||
| Dashboard | ||||
| Viewing a dashboard | N/A | |||
| Editing a dashboard | N/A | |||
| Copying a dashboard | N/A | |||
| Deleting a dashboard | N/A | |||
| Moving a dashboard | N/A | |||
| Editing access permissions | N/A | |||
| Granting public access | N/A |
Note
You cannot duplicate (copy) a folder and a connection with any permissions.
Object access audit
The Business service plan users can get access logs to DataLens objects (view, edit, delete). To get the logs, contact support.