Embedded Analytics - Permission Settings
Introduction
Permission Settings is where you enforce data access control on your embedded dashboard viewers. The current mechanism that Holistics use for this setting is Row-level Permission (RLP).
Row-level Permission explained
For example, you have an embedded dashboard for your multi-national E-commerce company which shows sales for all the stores worldwide. Without RLP, no matter which manager signs in and views the report, they all see the same data.
Now the company CEO has decided that each country manager should only see the sales for the stores they manage. RLP allows the CEO to restrict data based on the area they manage.
By applying the RLP on the name field of the model country, whenever your country managers login, the condition country.name = 'their_country' is applied to all queries generated by the embedded dashboard, so that they can only see data that linked to their country.
General structure of Permission Settings code
You can generate Permission Settings code interactively within the Embedded Analytics Sandbox:
In general, the generated code with have this structure:
permissions = {
"row_based": [
{
"path": {
"dataset": "dataset_name"
"model": "model_name"
"field": "field_name"
},
"operator": "expected_operator",
"modifier": null,
"values": [
"your_expected_value"
]
}
]
}
row_based property is an array with multiple permission rules, each rule is the combination of path, operator, modifier and values which construct the condition to restrict data of a particular field.
- path: define the exact field on which the condition will be applied. Since our row-level-permission in applied on dataset level, the path needs include dataset unique name, data model name and field name.
- operator: specify the comparison type (IS, IS NOT...) for the field.
- modifier (optional): only available for some of the operators in Date filter (for example, next, last X days/months/years.)
- values: the only values accepted by the field comparison
While you can write the embed code from scratch, we recommend using our Embedded Analytics Sandbox to retrieve the exact field path to use in your RLP settings.
How to restrict data access based on users
Below is a sample code of permission settings to ensure:
- General Manager can see data from all countries.
- Vietnam Manager can only see data from
Vietnam. - Consultant can only see stores in
Ha Noi.
country = []
cities = []
if (current_user().email == "[email protected]") {
country = ['Vietnam']
} else if (current_user().email = "[email protected]") {
country = ['Vietnam']
cities = ['Ha Noi']
}
permissions = {
row_based: [
{
path: {
"dataset": "ecommerce"
"model": "ecommerce_countries"
"field": "country_name"
},
operator: 'is',
values: country
},
{
path: {
"dataset": "ecommerce"
"model": "ecommerce_cities"
"field": "city_name"
},
operator: 'is',
values: cities
},
]
}
FAQs
Why do permissions have different datasets from what we originally selected?
This happens because the dataset was renamed.
- The UI on the left displays the title of the dataset that has been renamed. The code on the right uses the Dataset’s unique name.
- The Dataset’s unique name is auto-generated when the dataset is created. we don't update Dataset’s unique name to avoid breaking existing embed payloads.
What are the difference between Permission Settings and Control Settings?
Although it seems that both Permission Settings and Controls Settings have the ability to restrict user's access to data, in reality they serve two different purposes.
Please read more about the distinction between the two settings in the Security documentation page.