Object access permissions
Permission differentiation in DataLens is implemented at the directory and object level. The available operations depend on what access permissions were assigned.
If you create or copy a directory or object, the permissions for them are inherited from the parent directory at the time of creation or copying. Note that access permissions do not change automatically when you move the objects later.
You can grant users access to a directory or any service object:
Note
To control access to individual fields or their values, use RLS. This will allow you, for example, to display different information for different users on a single dashboard.
Permissions can be granted to individual users or the All group that includes users who passed authentication. Users can also request permissions on their own via the request form. For more information, see Requesting permissions.
You can grant the following permissions to objects and directories in DataLens:
Execute
A user with the Execute permission for a connection can make requests to it but cannot create datasets. Regardless of the dataset permissions, the user cannot access a list of tables in a dataset or view the SQL subquery the dataset is based on.
A user with the Execute permission for a dataset can run queries against it but cannot create or edit charts or view the dataset.
Warning
You can grant the Execute access permission only for connections and datasets.
Granting users the Execute permission allows you to:
-
Reduce the number of requests to the source, thereby reducing the load on the connection source.
-
Better control what data can be shown from a dataset. You can hide some source fields so that users cannot view all fields.
-
Restrict the creation of subqueries to the source database. A user with the
Executepermission cannot write subqueries.
Read
A user with the Read permission can view dashboards, widgets, datasets, and directories.
Warning
The Read permission does not allow copying datasets, because they contain the RLS settings. A user can only copy datasets if granted the Write or Admin permission.
Write
A user with the Write permission can edit dashboards, widgets, connections, datasets, and directories.
The Write permission includes everything included in the Read permission.
Admin
A user with the Admin permission can edit available objects and directories, as well as change permissions. The directory administrator can assign permissions for all nested directories and objects.
The Admin permission includes everything included in the Write permission.
Table of permissions
| Access object Action |
Execute | Read | Write | Admin |
|---|---|---|---|---|
| Directory | ||||
| Viewing a directory | N/A | |||
| Editing a directory | N/A | |||
| Renaming a directory | N/A | |||
| Moving a folder | N/A | |||
| Deleting a directory | N/A | |||
| Editing access permissions | N/A | |||
| Connection | ||||
| Make requests to a connection |
||||
| Create a dataset over a connection |
||||
| View connection parameters |
||||
| Editing a connection | ||||
| Moving a connection | ||||
| Deleting a connection | ||||
| Editing access permissions | ||||
| Dataset | ||||
| Running queries to a dataset |
||||
| Create a chart on a dataset |
||||
| Viewing a dataset | ||||
| Editing a dataset | ||||
| Copying a dataset | ||||
| Moving a dataset | ||||
| Deleting a dataset | ||||
| Editing access permissions | ||||
| Chart | ||||
| Viewing a chart | N/A | |||
| Editing a chart | N/A | |||
| Copying a chart | N/A | |||
| Deleting a chart | N/A | |||
| Moving a chart | N/A | |||
| Editing access permissions | N/A | |||
| Granting public access | N/A | |||
| Dashboard | ||||
| Viewing a dashboard | N/A | |||
| Editing a dashboard | N/A | |||
| Copying a dashboard | N/A | |||
| Deleting a dashboard | N/A | |||
| Moving a dashboard | N/A | |||
| Editing access permissions | N/A | |||
| Granting public access | N/A | |||
| Report 1 | ||||
| Viewing a dashboard | N/A | |||
| Editing a dashboard | N/A | |||
| Copying a dashboard | N/A | |||
| Deleting a dashboard | N/A | |||
| Moving a dashboard | N/A | |||
| Editing access permissions | N/A |
1 This feature is only available with the Business service plan.
Note
You cannot duplicate (copy) a folder and a connection with any permissions.
Object access audit
The Business service plan users can get access logs to DataLens objects (view, edit, delete). To get the logs, contact support.