Role-Based Access Control (RBAC)

Workflow for RBAC

To set up Role Based Access Control, you'll follow this flow:

1. Invite a user to a team
2. Add them to a workspace
3. Add them to a data access role; and,
4. Control data access with row level security.

Inviting users and row level security are covered in separate pages, which are linked in the above list.

Change User Access to a Workspace

Each user's workspace role is set when their invite is sent but can be updated later as needed.

To edit a user's workspace role, select the vertical ellipsis icon in a workspace card and, in the sub-menu, select Edit Workspace Roles.

The Workspace Roles screen appears.

Under the Workspace Role column header, modify a user's workspace role as needed.

Role details

Workspace role definitions are as follows:

Data restriction (via data access roles) is possible for the following workspace roles:

Limited Contributor
This user role has access to all data within a workspace, but is subject to data restrictions as defined by a data access role. For example, a data scientist hired as a temporary employee for a project may only be able to build charts and dashboards from a specific database.

Viewer
This user role only has access to visualizations (charts and dashboards) that are published, and is also subject to any defined data access role-based restrictions. For example, an external marketing agency may be given view access to published visualizations from a specified database schema.

Dashboard Viewer
This user role only has access to dashboards that are published, and is also subject to any defined data access role-based restrictions. For example, a potential business partner is given view access rights to a quarterly product sales dashboard used in a presentation by your company.

All of the roles above are assigned to specific users in Preset Manager on the Workspace Roles screen (see Give a User Access to a Workspace to learn more).

Navigate to Data Access Roles

In the Toolbar, hover your cursor over Settings and then select Data Access Roles.

The Data Access Roles screen appears.

Add a Data Access Role

Select the plus icon to add a new access record.

The Add Data Access Role screen appears.

In the Name field, enter a memorable name for the data access role.

In the Users field, select one or more users to assign to the data access role.

Lastly, in the Permissions field, select one or more data access permissions to associate with the role or leave this field blank if using Row Level Security to create more granular data access.

Types of Permissions

• All database access
• All dataset access
• All query access
• Database access on
• Schema access on <database.schema>
• Dataset access on <database.table>

When done, select Save.

Levels of Data Access Coverage

Wide Access

• All database access
• All dataset access
• All query access

Specific Datasources

• Database Access: Databases defined on Sources / Databases, used for Limited Contributors
• Schema Access: Schemas available on the Databases defined on Source / Databases used for Limited Contributors
• Dataset Access: Data set defined on Sources / Tables, used for Limited Contributors, Viewers and Dashboard Viewers

Data access roles are defined on the Edit Data Access Role screen (see Add a User to a Data Access Role to learn more).

Note that Workspace Admins are the only users that can create, modify, or delete a role.

Control Data Access with Row Level Security

Row Level Security (RLS) is a powerful feature that enables you to exert a granular level of control over who can query—and view—specific data in selected datasets. This level of query-based access control empowers organizations to align data access permissions (via roles) with larger-scale business initiatives.

You can find more information and a walkthrough on the Row Level Security (RLS) page.