Object access permissions
Permission differentiation in DataLens is implemented at the directory and object level. Available operations depend on the assigned access permissions.
If you create or copy a directory or an object, its permissions are inherited from the parent directory at the moment of creation or copying. Note that access permissions do not change automatically when objects are subsequently moved.
You can grant users access to a directory or any service object:
Note
To control access to individual fields or their values, use RLS. This will allow you, for example, to display different information for different users on a single dashboard.
Permissions can be granted to individual users or the All group that includes users who passed authentication. Users can also request permissions on their own via the request form. For more information, see Requesting permissions.
You can grant the following permissions to objects and directories in DataLens:
Execute
A user with the Execute permission for a connection can make requests to it but cannot create datasets. Regardless of the dataset permissions, the user cannot access a list of tables in a dataset or view the SQL subquery the dataset is based on.
A user with the Execute permission for a dataset can run queries against it but cannot create or edit charts or view the dataset.
Warning
You can grant the Execute access permission only for connections and datasets.
Granting users the Execute permission allows you to:
-
Reduce the number of requests to the source, thereby reducing the load on the connection source.
-
Better control what data can be shown from a dataset. You can hide some source fields so that users cannot view all fields.
-
Restrict the creation of subqueries to the source database. A user with the
Executepermission cannot write subqueries.
Read
A user with the Read permission can view dashboards, widgets, datasets, and directories.
Warning
The Read permission does not allow copying datasets, because they contain the RLS settings. A user can only copy datasets if granted the Write or Admin permission.
Write
A user with the Write permission can edit dashboards, widgets, connections, datasets, and directories.
The Write permission includes everything included in the Read permission.
Admin
A user with the Admin permission can edit available objects and directories, as well as change permissions. The directory administrator can assign permissions for all nested directories and objects.
The Admin permission includes everything included in the Write permission.
Table of permissions
| Access object Action |
Execute | Read | Write | Admin |
|---|---|---|---|---|
| Directory | ||||
| Viewing a directory | N/A | |||
| Editing a directory | N/A | |||
| Renaming a directory | N/A | |||
| Moving a folder | N/A | |||
| Deleting a directory | N/A | |||
| Editing access permissions | N/A | |||
| Connection | ||||
| Make requests to a connection |
||||
| Create a dataset over a connection |
||||
| View connection parameters |
||||
| Editing a connection | ||||
| Moving a connection | ||||
| Deleting a connection | ||||
| Editing access permissions | ||||
| Dataset | ||||
| Make requests to a dataset |
||||
| Create a chart on a dataset |
||||
| Viewing a dataset | ||||
| Editing a dataset | ||||
| Copying a dataset | ||||
| Moving a dataset | ||||
| Deleting a dataset | ||||
| Editing access permissions | ||||
| Chart | ||||
| Viewing a chart | N/A | |||
| Editing a chart | N/A | |||
| Copying a chart | N/A | |||
| Deleting a chart | N/A | |||
| Moving a chart | N/A | |||
| Editing access permissions | N/A | |||
| Granting public access | N/A | |||
| Dashboard | ||||
| Viewing a dashboard | N/A | |||
| Editing a dashboard | N/A | |||
| Copying a dashboard | N/A | |||
| Deleting a dashboard | N/A | |||
| Moving a dashboard | N/A | |||
| Editing access permissions | N/A | |||
| Granting public access | N/A |
Note
You cannot duplicate (copy) a folder and a connection with any permissions.
Object access audit
The Business service plan users can get access logs to DataLens objects (view, edit, delete). To get the logs, contact support.