Role-Based Access Control (RBAC)
  • 21 Sep 2022

Role-based Access Control Requirement

Role-based access control is only available for the Professional and Enterprise plans.


Workflow for RBAC

To set up role-based access control, follow this flow:

  1. Invite a user to a team
  2. Add them to a workspace
  3. Add them to a data access role; and,
  4. Control data access with row level security.

Inviting users and row level security are covered in separate pages, which are linked in the above list.


Change User Access to a Workspace

Each user's workspace role is set when their invite is sent but can be updated later as needed.

To edit a user's workspace role, select the vertical ellipsis icon in a workspace card and, in the sub-menu, select Edit Workspace Roles.

The Workspace Roles screen appears.

Under the Workspace Role column header, modify a user's workspace role as needed.

Role details

Workspace role definitions are as follows:

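| Role                | Feature Access                                              | Data Access | Data Role Management |
|---------------------|-------------------------------------------------------------|-------------|----------------------|
| Workspace Admin     | All                                                         | All         | Yes                  |
| Primary Contributor | All                                                         | All         | No                   |
| Limited Contributor | All, based on Data Access Role                              | Restricted  | No                   |
| Viewer              | Published Charts and Dashboards, based on Data Access Role  | Restricted  | No                   |
| Dashboard Viewer    | Published Dashboards, based on Data Access Role             | Restricted  | No                   |
| No Access           | None                                                        | None        | No                   |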

Data restriction (via data access roles) is possible for the following workspace roles:

Limited Contributor
This user role has access to all data within a workspace, but is subject to data restrictions as defined by a data access role. For example, a data scientist hired as a temporary employee for a project may only be able to build charts and dashboards from a specific database.

Viewer
This user role only has access to visualizations (charts and dashboards) that are published, and is also subject to any defined data access role-based restrictions. For example, an external marketing agency may be given view access to published visualizations from a specified database schema.

Dashboard Viewer
This user role only has access to dashboards that are published, and is also subject to any defined data access role-based restrictions. For example, a potential business partner is given view access rights to a quarterly product sales dashboard used in a presentation by your company.

All of the roles above are assigned to specific users in Preset Manager on the Workspace Roles screen (see Give a User Access to a Workspace to learn more).


Navigate to Data Access Roles

In the Toolbar, hover your cursor over Settings and then select Data Access Roles.

The Data Access Roles screen appears.

Add a Data Access Role

Select the plus icon to add a new access record.

The Add Data Access Role screen appears.

In the Name field, enter a memorable name for the data access role.

In the Users field, select one or more users to assign to the data access role.

Lastly, in the Permissions field, select one or more data access permissions to associate with the role or leave this field blank if using Row Level Security to create more granular data access.

Types of Permissions

  • All database access
  • All dataset access
  • All query access
  • Database access on <database>
  • Schema access on <database.schema>
  • Dataset access on <database.table>

When done, select Save.

Levels of Data Access Coverage

Wide Access

  • All database access
  • All dataset access
  • All query access

Specific Datasources

  • Database Access: Databases defined on Sources / Databases, used for Limited Contributors
  • Schema Access: Schemas available on the databases defined on Sources / Databases, used for Limited Contributors
  • Dataset Access: Datasets defined on Sources / Tables, used for Limited Contributors, Viewers and Dashboard Viewers

Data access roles are defined on the Edit Data Access Role screen (see Add a User to a Data Access Role to learn more).

Note that Workspace Admins are the only users that can create, modify, or delete a role.
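
A least-privilege review of data access role assignments, built on the permission types and coverage levels listed above. This is an added example, not Preset's code or API: the dictionary layout, users and role names are constructed, and treating a scoped grant as relevant only to the workspace roles it is "used for" is this example's reading of the Specific Datasources list.

```python
import re

# "Wide Access" permissions from the coverage list on this page.
WIDE = {"all database access", "all dataset access", "all query access"}
# Scoped permission strings: "<Kind> access on <target>".
SCOPED = re.compile(r"^(database|schema|dataset) access on (\S+)$", re.I)
# Workspace roles that data access roles can restrict, and the roles each
# scoped kind is "used for" per the page (this mapping is the example's reading).
RESTRICTED = {"Limited Contributor", "Viewer", "Dashboard Viewer"}
USED_FOR = {"database": {"Limited Contributor"}, "schema": {"Limited Contributor"},
            "dataset": RESTRICTED}

# Constructed sample data; this layout is an assumption, not a Preset export.
WORKSPACE_ROLES = {
    "ana@example.com": "Limited Contributor",
    "agency@example.com": "Viewer",
    "admin@example.com": "Workspace Admin",
}
DATA_ACCESS_ROLES = [
    {"name": "Marketing readers", "users": ["agency@example.com"],
     "permissions": ["Schema access on analytics.marketing",
                     "Dataset access on analytics.campaigns"]},
    {"name": "Temp project", "users": ["ana@example.com", "admin@example.com"],
     "permissions": ["All dataset access", "Database access on analytics"]},
]

def review(workspace_roles, data_access_roles):
    """Return sorted (user, data_access_role, finding) tuples worth a second look."""
    findings = set()
    for dar in data_access_roles:
        for user in dar["users"]:
            ws_role = workspace_roles.get(user, "No Access")
            if ws_role not in RESTRICTED:
                continue  # data access roles only restrict the three roles above
            for perm in (p.strip() for p in dar["permissions"]):
                scoped = SCOPED.match(perm)
                if perm.lower() in WIDE:
                    finding = f"wide grant '{perm}' held by {ws_role}"
                elif scoped is None:
                    finding = f"unrecognised permission '{perm}'"
                elif ws_role not in USED_FOR[scoped.group(1).lower()]:
                    finding = f"'{perm}' is not listed as used for {ws_role}"
                else:
                    continue
                findings.add((user, dar["name"], finding))
    return sorted(findings)

if __name__ == "__main__":
    for row in review(WORKSPACE_ROLES, DATA_ACCESS_ROLES):
        print(*row, sep=" | ")
```

Findings are prompts for a Workspace Admin to confirm intent, since only that role can create, modify, or delete a data access role.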



Control Data Access with Row Level Security

Row Level Security (RLS) is a powerful feature that enables you to exert a granular level of control over who can query—and view—specific data in selected datasets. This level of query-based access control empowers organizations to align data access permissions (via roles) with larger-scale business initiatives.

You can find more information and a walkthrough on the Row Level Security (RLS) page.

