Contents x
    Role-Based Access Control (RBAC)
    • 23 May 2023
    • 4 Minutes to read
    • Print
    • Dark
      Light
    Contents

    Role-Based Access Control (RBAC)

    • Updated on 23 May 2023
    • 4 Minutes to read
    • Print
    • Dark
      Light
    Article Summary

    Role-based Access Control Requirement

    Role-based access control is only available for the Professional and Enterprise plans.

    Workflow for RBAC

    To set up Role Based Access Control, you'll follow this flow:

    1. Invite a user to a team
    2. Add them to a workspace
    3. Add them to a data access role; and,
    4. Control data access with row level security.

    Workflow

    Inviting users and row level security are covered in separate pages, which are linked in the above list.

    Role Details

    Workspace role definitions are as follows:

    FeatureWorkspace AdminPrimary ContributorSecondary ContributorLimited ContributorViewerDashboard Viewer
    DashboardsRead, Write AccessRead, Write* AccessRestricted Read*, Write* Access
    		Restricted Read*, Write* AccessRestricted Read* AccessRestricted Read* Access
    ChartsRead, Write AccessRead, Write* AccessRestricted Read*, Write* Access
    		Restricted Read*, Write* AccessRestricted Read* AccessNo
    Drill to DetailYesYesYesYesYesNo
    Database ConnectionsRead, Write AccessRead AccessRead Access
    		Read AccessNoNo
    DatasetsRead, Write AccessRead, Write AccessRead,Restricted Write* Access
    		Read, Write** AccessNoNo
    SQL LabRead, Write AccessRead, Write AccessRestricted Read*, Write* Access
    		Restricted Read*, Write* AccessNoNo
    Alerts and ReportsRead, Write AccessRead, Write AccessRead, Write Access
    		NoNoNo
    Annotation LayersRead, Write AccessRead, Write AccessNo
    		NoNoNo
    CSS TemplatesRead, Write AccessRead, Write AccessNo
    		NoNoNo
    Data Access ManagementRead, Write AccessNoNoNoNoNo

    * Restricted read access is controlled by the data access roles. Restricted write access is controlled by data access roles when the user is creating the content from scratch, and it is controlled by content ownership when the user is editing the content.

    ** Limited Contributors are able to create virtual datasets from the SQL Lab (in case they have access to the DB). They can't create physical datasets.


    Data restriction (via data access roles) is possible for the following workspace roles:

    Secondary Contributor

    Secondary Contributorshave access to all data within a workspace, but is subject to data restrictions as defined by a data access role. This role grants data access restricted dataset write access to the users. For example, they can create physical datasets from databases or schemas they have access to, they can edit datasets if they are the owner, they can create and manage alerts/reports, and they can upload CSVs if CSV upload is enabled the database they have access to. 

    Limited Contributor
    Similar to the Secondary Contributor, this user role has access to all data within a workspace, but is subject to data restrictions as defined by a data access role. Limited Contributors can't create physical datasets from databases and schemas, and they can't upload CSVs to databases. However, they can create virtual datasets and charts/dashboards using the data they have access to. 

    Viewer
    This user role only has access to visualizations (charts and dashboards) that are published, and is also subject to any defined data access role-based restrictions. For example, an external marketing agency may be given view access to published visualizations from a specified dataset. 

    Dashboard Viewer
    This user role only has access to dashboards that are published, and is also subject to any defined data access role-based restrictions. For example, a potential business partner is given view access rights to a quarterly product sales dashboard used in a presentation by your company.

    All of the roles above are assigned to specific users in Preset Manager on the Workspace Roles screen (see Invite Others to your Team to learn more).

    Change User Access to a Workspace

    Each user's workspace role is set when their invite is sent but can be updated later as needed.

    To edit a user's workspace role, select the vertical ellipsis icon in a workspace card and, in the sub-menu, select Edit Workspace Roles.

    Select_Edit_Workspace_Roles

    The Workspace Roles screen appears.

    Under the Workspace Role column header, modify a user's workspace role as needed (see Role Details to learn more).

    Navigate to Data Access Roles

    In the Toolbar, hover your cursor over Settings and then select Data Access Roles.

    Select_Data_Access_Roles

    The Data Access Roles screen appears.

    RBAC_Data_Access_Roles_Screen

    Add a Data Access Role

    Select the plus icon to add a new access record.

    Data_Access_Roles2

    The Add Data Access Role screen appears.

    In the Name field, enter a memorable name for the data access role.

    In the Users field, select one or more users to assign to the data access role.

    Lastly, in the Permissions field, select one or more data access permissions to associate with the role or leave this field blank if using Row Level Security to create more granular data access.

    Types of Permissions

    • All database access
    • All dataset access
    • All query access
    • Database access on
    • Schema access on <database.schema>
    • Dataset access on <database.table>

    RBAC_Add_New_Data_Access_Role1

    When done, select Save.

    Levels of Data Access Coverage

    Wide Access

    • All database access
    • All dataset access
    • All query access

    Specific Datasources

    • Database Access: Databases defined on Sources / Databases, used for Secondary and Limited Contributors
    • Schema Access: Schemas available on the Databases defined on Source / Databases used for Secondary and Limited Contributors
    • Dataset Access: Data set defined on Sources / Tables, used for Limited Contributors, Viewers and Dashboard Viewers

    Data access roles are defined on the Edit Data Access Role screen (see Add a User to a Data Access Role to learn more).

    Note that Workspace Admins are the only users that can create, modify, or delete a role.

    Select_DAR_Permissions

    Control Data Access with Row Level Security

    Row Level Security (RLS) is a powerful feature that enables you to exert a granular level of control over who can query—and view—specific data in selected datasets. This level of query-based access control empowers organizations to align data access permissions (via roles) with larger-scale business initiatives.

    You can find more information and a walkthrough on the Row Level Security (RLS) page.


    Role Details

    Was this article helpful?
    What's Next