Object access permissions
DataLens access control is implemented at the object and the directory level.
You can grant users permission to each object and directory. These permissions determine which operations are allowed. If you created or copied a directory or object, they will have the same permissions as their new parent directory.
You can grant users access to a directory or any service object:
Note
To control access to individual fields or their values, use RLS. This will allow you, for example, to display different information for different users on a single dashboard.
Permissions can be granted to individual users or the All group that includes users who passed authentication. Users can also request permissions on their own via the request form. For more information, see Requesting permissions.
You can grant the following permissions to objects and directories in DataLens:
Execute
A user with the Execute
permission for a connection can make requests to it but cannot create datasets. Regardless of the dataset permissions, the user cannot access a list of tables in a dataset or view the SQL subquery the dataset is based on.
A user with the Execute
permission for a dataset can run queries against it but cannot create or edit charts or view the dataset.
Warning
You can grant the Execute
access permission only for connections and datasets.
Granting users the Execute
permission allows you to:
-
Reduce the number of requests to the source, thereby reducing the load on the connection source.
-
Better control what data can be shown from a dataset. You can hide some source fields so that users cannot view all fields.
-
Restrict the creation of subqueries to the source database. A user with the
Execute
permission cannot write subqueries.
Read
A user with the Read
permission can view dashboards, widgets, datasets, and directories.
Warning
The Read
permission does not allow copying datasets, because they contain the RLS settings. A user can only copy datasets if granted the Write
or Admin
permission.
Write
A user with the Write
permission can edit dashboards, widgets, connections, datasets, and directories.
The Write
permission includes everything included in the Read
permission.
Admin
A user with the Admin
permission can edit available objects and directories, as well as change permissions.
The Admin
permission includes everything included in the Write
permission.
Table of permissions
Access object Action |
Execute | Read | Write | Admin |
---|---|---|---|---|
Directory | ||||
Viewing a directory | N/A | |||
Editing a directory | N/A | |||
Renaming a directory | N/A | |||
Deleting a directory | N/A | |||
Editing access permissions | N/A | |||
Connection | ||||
Running queries to a connection |
||||
Creating a dataset based on a connection |
||||
Viewing connection parameters |
||||
Editing a connection | ||||
Deleting a connection | ||||
Editing access permissions | ||||
Dataset | ||||
Running queries to a dataset |
||||
Creating a chart based on a dataset |
||||
Viewing a dataset | ||||
Editing a dataset | ||||
Copying a dataset | ||||
Deleting a dataset | ||||
Editing access permissions | ||||
Chart | ||||
Viewing a chart | N/A | |||
Editing a chart | N/A | |||
Copying a chart | N/A | |||
Deleting a chart | N/A | |||
Editing access permissions | N/A | |||
Granting public access | N/A | |||
Dashboard | ||||
Viewing a dashboard | N/A | |||
Editing a dashboard | N/A | |||
Copying a dashboard | N/A | |||
Deleting a dashboard | N/A | |||
Editing access permissions | N/A | |||
Granting public access | N/A |
Note
You cannot duplicate (copy) a folder and a connection with any permissions.
Object access audit
A DataLens user can get access logs for DataLens objects (view, edit, delete).
To get the logs, contact support