Yandex project
© 2025 Yandex.Cloud LLC
In this article:

  • Configuring RLS at the dataset level
  • User access
  • Access for user groups
  • Wildcards and quotation marks in RLS configuration
  • Configuring RLS at the data source level
  • How to change permissions to a row in a dataset

Row-level security (RLS)

Written by
Yandex Cloud
Improved by
Dmitry A.
Updated at April 21, 2025

With RLS (row-level security), you can restrict data access for users or user groups within a single dataset. For example, you can introduce data access control for different customers.

Warning

  • When using RLS, restrict access to the connection by using the Execute permission. This will prevent changes to row access permissions and restrict access to opening the preview window and creating a new dataset from the connection.

  • RLS supports access control for string values only.

  • The RLS limits apply to whole rows, not just the fields used to configure access control.

You can introduce row-level access control either in a dataset or a data source.

Configuring RLS at the dataset level

You can control access to any dataset dimension. Each user or user group can be granted permissions for an unlimited number of dimension values.

With RLS, a query to a dataset passes through the following filter:

where dimension in (value_1, value_2 ... value_N)

User access

For users, access control is based on the access configuration which looks like this:

'value_1': user_1, user_2
'value_2': user_3
'value_3': user_1, user_2, user_3

For example, to configure user-login access to all rows with the first-company value in the Company name field, set the following configuration:

'first-company': user-login@yandex.ru

To configure access for multiple users, list their accounts in the access configuration separated by commas:

'first-company': user-login-1@yandex.ru, user-login-2@yandex.ru, user-login-3@yandex.ru

Access for user groups

For user groups, access control is based on the access configuration which looks like this:

'value_1': @group:group_1_name
'value_2': @group:group_1_name, @group:group_2_name

The configuration specifies the group name rather than its identifier. If a group is renamed, you will need to update its RLS configuration accordingly.

For example, to configure group-name user group access to all rows with the first-company value in the Company name field, set the following configuration:

'first-company': @group:group-name

To configure access for multiple user groups, list them in the access configuration separated by commas:

'first-company': @group:group-name-1, @group:group-name-2, @group:group-name-3

You can configure access for users and groups at the same time:

'first-company': user-login-1@yandex.ru, user-login-2@yandex.ru, @group:group-name-1, @group:group-name-2

Wildcards and quotation marks in RLS configuration

You can define values, users, and group names using wildcard characters:

  • user_1, user_2, and group_1_name can access all the field's values

    *: user_1, user_2, @group:group_1_name
    

    For example, to configure access to all rows with any value in the Company name field, set the following configuration:

    *: user-login-1@yandex.ru, @group:group-name-1
    
  • value_1 is available to all users and groups

    'value_1': *
    

    For example, to allow all users to access all rows with the first-company value in the Company name field, set the following configuration:

    'first-company': *
    

Quotation marks inside a value are written as two consecutive single quotes (''):

'value in ''quotes''': user_1, user_2

For example, to set quotation marks for the first-company "Example" company name in the Company name field, specify the following configuration:

'first-company ''Example''': user-login-1@yandex.ru, @group:group-name-1

You can also use the " character:

'first-company "Example"': user-login-1@yandex.ru, @group:group-name-1
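The rule format described above (quoted values, comma-separated users and groups, `*` wildcards, doubled single quotes) can be checked offline before it is pasted into a dataset. This is an added example, not DataLens code: the function names are hypothetical, matching is assumed to be exact and case-sensitive, a user with no matching rule is assumed to see no rows, and the `userid:userid` form is not handled.

```python
import re

# One rule per line: 'value' (with '' as an escaped quote) or *, then ": subjects".
LINE_RE = re.compile(r"^\s*(?:'((?:[^']|'')*)'|(\*))\s*:\s*(.+?)\s*$")

def parse_rls(config):
    """Return a list of (value, subjects); value is None for the * wildcard."""
    rules = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a valid RLS rule: {line!r}")
        value = None if m.group(2) else m.group(1).replace("''", "'")
        subjects = {s.strip() for s in m.group(3).split(",") if s.strip()}
        rules.append((value, subjects))
    return rules

def allowed_values(rules, user, groups=()):
    """Return 'ALL' if a * value rule matches, else the set of permitted values."""
    identities = {user} | {f"@group:{g}" for g in groups}
    allowed = set()
    for value, subjects in rules:
        if "*" in subjects or identities & subjects:
            if value is None:
                return "ALL"
            allowed.add(value)
    return allowed

def row_visible(rules, user, groups, field_value):
    """Assumed default deny: a row is visible only if its field value is permitted."""
    allowed = allowed_values(rules, user, groups)
    return allowed == "ALL" or field_value in allowed

# Constructed sample configuration in the format shown above.
SAMPLE = """
'first-company': user-login-1@yandex.ru, @group:group-name-1
'first-company ''Example''': user-login-2@yandex.ru
'public-company': *
*: ceo@yandex.ru
"""
RULES = parse_rls(SAMPLE)
```

Running `allowed_values` for every account that should and should not see a value is a quick way to review how far a `*` rule reaches before the configuration is saved.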

Configuring RLS at the data source level

Configuring RLS at the dataset level requires editing the dataset every time the RLS settings change.

To avoid this, you can move the row-level security logic to the data source side:

  1. Add a new field for storing user IDs to the source data. All requests to the source will be filtered by this field.

    To view your ID, follow this link. If you need another user's ID, ask them to open this link and pass the ID to you.

  2. For each row of source data, specify the ID of the user who is allowed to access this row. If multiple users must have access to the same row, you can move the access control logic to a separate table and join it to the main table at the dataset level.

  3. In the dataset, enter userid:userid in the ID field under the RLS settings. The userid variable can be used together with the regular RLS type in the dataset:

    'value_1': user_1, user_2
    'value_2': user_3
    userid:userid
    

Note

You can transfer the RLS logic to the source side for sources where the data structure can be changed. In Yandex Metrica and AppMetrica, the data structure is closed, so this method is unavailable.

How to change permissions to a row in a dataset

To configure access permissions to data rows:

In the dataset

  1. Open the dataset.

  2. Navigate to the Fields tab.

  3. On the right side of the row, click and select Access permissions.

  4. Enter the value of the field and users in the specified format and click Save.

    'value_1': user_1, user_2
    'value_2': user_3

    For example, to configure access to all rows with the first-company value in the Company name field:

    'first-company': login-to-access-your-row-data@yandex.ru

  5. Save the dataset.

In the source

  1. Add a field to the source that will store user IDs and be used for filtering. You can add this field to a new table and join it using the JOIN operator.
  2. Add the field to the dataset.
  3. Open the dataset.
  4. On the right side of the row, click and select Access permissions.
  5. In the access permissions settings, add userid:userid to the field and click Save.
  6. Save the dataset.

Example

Let's create a dashboard based on sales data for four regions (West, East, North, and South). Regional managers should only have access to their own data, while the company's CEO should have access to all data.

1. Let's define user IDs.
2. In the source, create an additional table named MANAGER_ID, where the region correlates with the user ID. If multiple regions are available for the same ID, list all unique pairs:

REGION   MANAGER_NAME   MANAGER_ID
West     Arkady         19287318273912873
East     Vasily         92877912837318927
North    Olga           02993284928374346
South    Dmitry         10836293849237642
West     Maxim          71726123712891283
East     Maxim          71726123712891283
North    Maxim          71726123712891283
South    Maxim          71726123712891283

3. Let's add the table to the dataset.
4. JOIN them based on the REGION field.
5. Based on the MANAGER_ID field, customize RLS and add userid:userid.

To change the access control settings, update the data in the source table.
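The effect of the join and the userid:userid filter in this example can be reproduced locally with SQLite. This is an added sketch, not DataLens code: the SALES table, its AMOUNT column and the function names are constructed for illustration, and the filter is modelled as a plain equality on MANAGER_ID. IDs are stored as text because RLS compares string values, which also preserves the leading zero in Olga's ID.

```python
import sqlite3

# Constructed sales rows; the MANAGER_ID pairs are the ones from the table above.
SALES = [("West", 120), ("East", 80), ("North", 45), ("South", 60)]
MANAGERS = [
    ("West", "Arkady", "19287318273912873"),
    ("East", "Vasily", "92877912837318927"),
    ("North", "Olga", "02993284928374346"),
    ("South", "Dmitry", "10836293849237642"),
    ("West", "Maxim", "71726123712891283"),
    ("East", "Maxim", "71726123712891283"),
    ("North", "Maxim", "71726123712891283"),
    ("South", "Maxim", "71726123712891283"),
]

def build_source():
    """Create the source tables in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SALES (REGION TEXT, AMOUNT INTEGER)")
    db.execute("CREATE TABLE MANAGER_ID "
               "(REGION TEXT, MANAGER_NAME TEXT, MANAGER_ID TEXT)")
    db.executemany("INSERT INTO SALES VALUES (?, ?)", SALES)
    db.executemany("INSERT INTO MANAGER_ID VALUES (?, ?, ?)", MANAGERS)
    return db

def rows_for(db, userid):
    """Rows of the joined dataset left after filtering MANAGER_ID by the viewer's ID."""
    query = """
        SELECT s.REGION, s.AMOUNT
        FROM SALES AS s
        JOIN MANAGER_ID AS m ON m.REGION = s.REGION
        WHERE m.MANAGER_ID = ?
        ORDER BY s.REGION
    """
    return db.execute(query, (userid,)).fetchall()

def duplicate_pairs(db):
    """(REGION, MANAGER_ID) pairs listed more than once; the join would repeat their rows."""
    query = """
        SELECT REGION, MANAGER_ID FROM MANAGER_ID
        GROUP BY REGION, MANAGER_ID HAVING COUNT(*) > 1
    """
    return db.execute(query).fetchall()
```

An ID that is absent from MANAGER_ID returns no rows, so a user who has not been added to the source table sees nothing.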
