Skip to main content

Row-level Permission (As-code)

Coming Soon

Row-level Permission as-code is an upcoming feature and is not yet available.

If you need to set up Row-level Permission in Holistics, please refer to the current documentation here: Row-level Permission.

Introduction

Row-level Permission allows you to grant filtered access for your users, so each user only sees the data they are permitted to view. For example, if you have a team of salespeople managing different countries, you can ensure each person only sees sales data relevant to their assigned country.

With Row-level Permission, you can easily control and secure data access at a granular level, making sure sensitive information is only visible to the right people.

General Setup

With ​Row-level Permissions as code, you define permission rules directly in your dataset configuration. These rules can reference user attributes, such as region, role, or vendor assignment. By doing so, you can automatically filter the data each user sees based on their user attributes.

a. Create User Attribute

First, define user attributes in the Holistics UI under User Attributes management. For example, you might create a region or vendor_id attribute:

User Attributes management

b. Define Row-level Permission in the Dataset as-code

Reference these user attributes in your dataset permission rules:

Dataset ecommerce {
  permission regional_access {
    field: ref('order', 'user_d')
    operator: 'is'
    value: H.current_user.region // user attribute
  }
  permission vendor_access {
    field: ref('product', 'vendor_id')
    operator: 'matches_user_attribute'
    value: 'vendor_id' // user attribute
  }
}
  • H.current_user.<attribute> references the current user's attribute value.
  • The matches_user_attribute operator checks if the field matches the user's attribute.

Typical Use Case

Suppose you run an international e-commerce company with regional managers for each country. You want each manager to only see data for their assigned region.

Step 1: Create a user attribute called region and assign the appropriate value to each manager in the User Attributes management screen.

Step 2: In your dataset code, define a permission rule that filters data by the user's region:

Dataset ecommerce {
  permission regional_access {
    field: ref('order', 'region')
    operator: 'is'
    value: H.current_user.region
  }
}

Now, when a manager logs in, they will only see data for their assigned region—enforced automatically at the dataset level.

Caveats

  • Admin and Analyst Access: With Row-level Permission as-code, both Admins and Analysts can view and modify row-level permissions directly in the code, regardless of their data source permissions.
  • Development Workspace Limitation: Row-level Permission as-code cannot be tested while in the Development Workspace. Permissions will only take effect after the dataset is published to production.

By defining row-level permissions as code, you gain full control, auditability, and flexibility over your data access policies—making your analytics workflow more robust and secure.

Let us know what you think about this document :)