- 03 Nov 2023
- 3 Minutes to read
Data Access Roles at Preset
- Updated on 03 Nov 2023
- 3 Minutes to read
In this article we will look at data access roles and how they operate in coordination with workspace roles and row level security to provide a wide range of access control in Preset.
Data access begins with workspace roles, which are broadly responsible for determining whether a user has restricted access or not.
Restricted access is configured using data access roles, which are used to configure either wide access coverage (e.g., all databases) or access to specific datasources.
Lastly, Preset's row level security feature enables organizations to achieve granular data control by configuring which data access roles can query & view data within datasets.
Let's have a closer look at how data access roles play an integral part in how access is managed.
At the highest level, data access is controlled at the workspace level. Within a workspace, a user's access permissions fall into one of four categories:
|Full Admin access||Workspace Admin|
|Full non-Admin access||Primary Contributor|
|Data access role-based access||Secondary Contributor, Limited Contributor, Viewer, or Dashboard Viewer|
|No access||No access|
The roles of Workspace Admin, Primary Contributor, and No access are all fairly self-explanatory. The user has either admin access, full non-admin access, or no access whatsoever, respectively.
The three data access role-based options, however, enable organizations to access Preset's built-in functionality around role-based access permissions and, potentially, use row-level security to achieve granular control at the data-in-dataset level.
First, though, let's learn about workspace roles and the specific access they provide.
Workspace role definitions are as follows:
|Role||Feature Access||Data Access||Data Role Management|
|Secondary Contributor||Limitedbased on Data Access Role. Can create physical datasets.||Restricted||No|
|Limited Contributor||Limited based on Data Access Role. Can only create virtual datasets.||Restricted||No|
|Viewer||Published Charts and Dashboards, based on Data Access Role||Restricted||No|
|Dashboard Viewer||Published Dashboards, based on Data Access Role||Restricted||No|
Further details about which functionalities are available to each Workspace Role can be found on this article.
Data restriction (via data access roles) is possible for the following workspace roles:
Secondary Contributorshave access to all data within a workspace, but is subject to data restrictions as defined by a data access role. This role grants data access restricted dataset write access to the users. For example, they can create physical datasets from databases or schemas they have access to, they can edit datasets if they are the owner, they can create and manage alerts/reports, and they can upload CSVs if CSV upload is enabled the database they have access to.
Similar to the Secondary Contributor, this user role has access to all data within a workspace, but is subject to data restrictions as defined by a data access role. Limited Contributors can't create physical datasets from databases and schemas, and they can't upload CSVs to databases. However, they can create virtual datasets and charts/dashboards using the data they have access to.
This user role only has access to visualizations (charts and dashboards) that are published, and is also subject to any defined data access role-based restrictions. For example, an external marketing agency may be given view access to published visualizations from a specified dataset.
This user role only has access to dashboards that are published, and is also subject to any defined data access role-based restrictions. For example, a potential business partner is given view access rights to a quarterly product sales dashboard used in a presentation by your company.
All of the roles above are assigned to specific users in Preset Manager on the Workspace Roles screen (see Give a User Access to a Workspace to learn more).
So, what are data access roles?
Data Access Roles
Data access roles work by creating a role in Preset, assigning user(s), and then assigning access to datasources for that role.
Levels of Data Access Coverage
- All database access
- All dataset access
- All query access
For more granular data access, Workspace Admins can manage what users can use when creating charts or see when viewing dashboards and charts.
- Database Access: Databases defined on Sources / Databases, used for Secondary Contributors, Limited Contributors, Viewers, and Dashboard Viewers.
- Schema Access: Schemas available on the Databases defined on Source / Databases used forSecondary Contributors, Limited Contributors, Viewers, and Dashboard Viewers.
- Dataset Access: Dataset defined on Sources / Tables, used forSecondary Contributors, Limited Contributors, Viewers and Dashboard Viewers.
Data access roles are defined on the Edit Data Access Role screen (see Add a User to a Data Access Role to learn more).
Note that Workspace Admins are the only users that can create, modify, or delete a role.