Role-based Access Control (RBAC)
  • 11 Apr 2022

Overview

In this article we will discuss the typical workflow for a Preset Administrator in terms of onboarding a new user and providing access to data.

There are two types of users in a Preset Team:

  • Administrator
    • Manage access to Teams and Team Members.
    • Manage access to Workspaces.
    • Access all information in workspaces.
    • Create new teams.
    • Create new workspaces.
    • Connect to a database.
  • User
    • Connect to a team based on an invitation.
    • Access to a workspace based on provided permissions.

Workflow for RBAC

In terms of role-based access control, Administrators typically perform the following functions in Preset:

  1. Invite a user to a team;
  2. Give a user access to a workspace;
  3. Add a user to a data access role; and,
  4. Control data access with row level security.

Workflow

Let's explore each of these four workflow steps below.


Invite a User to a Team

Log on to Preset as an Administrator.

When logged on as an Admin, you will have access to the Team Settings gear icon on the Preset Manager screen.

Let's start by selecting the settings gear icon for a team.

The Team Settings screen appears. On this screen you can change the name of the team.

To navigate to the team member management features, select the Members & Invites tab.

In the Invite panel, enter the e-mail address of a prospective team member and then select Send.

Invitations that are not yet accepted appear in the Pending Invites panel.

When an e-mail invitation is accepted, by default, the user is assigned the role of User.

After acceptance, you can change the role to Administrator by selecting Admin in the drop-down menu under the Role column header.

To learn more about inviting and managing users, please see Invite Others to your Team.


Give a User Access to a Workspace

Workspace roles enable Administrators to assign more granular control over access to Preset features based on a combination of established workspace roles and configurable data access roles. Workspace roles are assigned to members of a workspace.

From the Team Settings screen, select Back to Workspaces to return to the Preset Manager screen.

To assign a workspace role, select the vertical ellipsis icon in a workspace card and, in the sub-menu, select Edit Workspace Roles.

The Workspace Roles screen appears.

Under the Workspace Role column header, modify a user's workspace role as needed.

Access rights for roles are as follows:

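| Role                | Feature Access                                             | Data Access | Data Role Management |
|---------------------|------------------------------------------------------------|-------------|----------------------|
| Workspace Admin     | All                                                        | All         | Yes                  |
| Primary Contributor | All                                                        | All         | No                   |
| Limited Contributor | All, based on Data Access Role                             | Restricted  | No                   |
| Viewer              | Published Charts and Dashboards, based on Data Access Role | Restricted  | No                   |
| Dashboard Viewer    | Published Dashboards, based on Data Access Role            | Restricted  | No                   |
| No Access           | None                                                       | None        | No                   |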

About User Groups

If you have integrated Okta SSO with Preset, then an additional tab option appears called User Groups.

User Groups enable Admins to create segments of users (or workspace members) and then assign a user role to all members of that group at both the team and the workspace level.

Please see SCIM with Okta to learn more about how to integrate Okta SSO with Preset, along with how to use the User Groups feature.


Add a User to a Data Access Role

As the name implies, Data Access Roles are used as a mechanism to control user access to data.

The levels of data access coverage include:

Wide Access Coverage

  • All database access
  • All dataset access
  • All query access

Access Coverage of Specific Datasources

  • Database Access: Databases defined on Sources / Databases.
  • Schema Access: Schemas available on the Databases defined on Sources / Databases.
  • Dataset Access: Datasets defined on Sources / Tables.

Granular Coverage of Data Within a Dataset

  • Combine with Row Level Security to control access to specific data in specific datasets based on role.

Please note that Workspace Admins are the only users that can create, modify, or delete a role.

Navigate to Data Access Roles

In the Toolbar, hover your cursor over Settings and then select Data Access Roles.

The Data Access Roles screen appears.

Add a Data Access Role

Select the plus icon to add a new access record.

The Add Data Access Role screen appears.

In the Name field, enter a memorable name for the data access role.

In the Users field, select one or more users to assign to the data access role.

Lastly, in the Permissions field, select one or more data access permissions to associate with the role or leave this field blank if using Row Level Security to create more granular data access.

Types of Permissions

  • All database access
  • All dataset access
  • All query access
  • Database access on <database>
  • Schema access on <database.schema>
  • Dataset access on <database.table>

When done, select Save.


Control Data Access with Row Level Security

Row Level Security (RLS) is a powerful feature that enables you to exert a granular level of control over who can query—and view—specific data in selected datasets. This level of query-based access control empowers organizations to align data access permissions (via roles) with larger-scale business initiatives.

For example, a company's dataset may be available to all members of an internal team, but external clientele should only have access to limited or restricted data.

Navigate to Row Level Security

To access row level security, in the Toolbar, hover your cursor over Settings and then select Row level security.

The Row level security filter screen appears.

Add a Row Level Security Filter

The concept of RLS is to create filters that are assigned to data access roles. We can then control which users have access to filtered data by assigning users to specific roles.

The two types of row level security filters are:

  • Base Filter: Base filters are applied to all queries except for the roles defined in the filter (i.e., an exclusionary filter).
  • Regular Filter: Regular filters are simply applied to the specified data access role (i.e., an inclusionary filter). These are used to fine tune query access via Data Access Roles.
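
The difference between the two filter types is easiest to see by working out which predicates reach a given user's query. The model below is an added example, not Preset's code; the role names, the `client_id` column, the `1 = 0` deny-all predicate and the choice to AND applicable clauses together are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RlsFilter:
    kind: str         # "Base" or "Regular", the two filter types described above
    roles: frozenset  # data access roles listed on the filter
    clause: str       # SQL predicate the filter contributes

def applicable_clauses(user_roles, filters):
    """Return the predicates that apply to a user holding `user_roles`."""
    user_roles = set(user_roles)
    clauses = []
    for f in filters:
        listed = bool(user_roles & f.roles)
        if f.kind == "Regular" and listed:
            clauses.append(f.clause)   # inclusionary: only the listed roles
        elif f.kind == "Base" and not listed:
            clauses.append(f.clause)   # exclusionary: everyone but the listed roles
    return clauses

def where_clause(user_roles, filters):
    """Assumption of this sketch: applicable predicates are ANDed together."""
    clauses = applicable_clauses(user_roles, filters)
    return " AND ".join(f"({c})" for c in clauses) or None

# Constructed sample configuration; all names and predicates are hypothetical.
FILTERS = [
    # Default deny: hide every row unless the user holds a listed role.
    RlsFilter("Base", frozenset({"Internal Analysts", "Client A"}), "1 = 0"),
    # Members of "Client A" see only their own rows.
    RlsFilter("Regular", frozenset({"Client A"}), "client_id = 'A'"),
]
REGULAR_ONLY = [FILTERS[1]]  # same setup without the Base filter

def demo():
    return {
        "internal": where_clause({"Internal Analysts"}, FILTERS),
        "client_a": where_clause({"Client A"}, FILTERS),
        "no_role": where_clause(set(), FILTERS),
        "no_role_regular_only": where_clause(set(), REGULAR_ONLY),
    }

if __name__ == "__main__":
    for who, clause in demo().items():
        print(f"{who:22} -> {clause}")
```

With only the Regular filter in place, a user outside the listed role gets no row restriction from RLS at all, so restricting everyone else requires a Base filter. Whether that user can reach the dataset in the first place is still decided by their Data Access Role permissions.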

To add a row level security filter, select the plus icon.

The Add Row level security filter screen appears.

At this stage, we strongly encourage you to read our Row Level Security (RLS) walkthrough article and/or watch our walkthrough video where we demonstrate the usage of RLS filters and how they integrate with data access roles to give you granular control over your data in Preset.

