Row-level Permission

info

This feature is currently in Beta. Please share your feedback and suggestions to Holistics team.

What is Row-level Permission (RLP)

Row-level Permission (RLP) is one of the three types of permission control that Holistics supports. RLP allows you to control which record users can retrieve from the database.

You can apply RLP in the following cases in Holistics:

  • Embedded Analytics: Embed dashboards inside your own web application to provide your customers with curated analytics capability.
  • Shareable Link: Share your dashboards via public links.
  • Email / Slack Schedules: Schedule email dashboards to be sent to your employees, customers, or partners.
  • Row-level Permission for Reporting: restrict what data users can see when logging in to Holistics

In general, you need to set up filters in Dashboards or permission settings in Datasets to control how users retrieve data when viewing or exploring data Holistics. See more details of RLP in use in each scenario below:

RLP in Embedded Analytics

Embedded Analytics allows you to deliver analytics to your clients, investors, or managers by embedding Holistics dashboards within your own applications. Visit Embedded Analytics Permission Settings to setup RLP in Embedded Analytics.

RLP in Shareable Links

RLP in Shareable Links allows you to control which data the public viewers can retrieve from your shareable links.

When you share a dashboard, in a Shareable Link Creation modal, you can set up RLP by mapping the appropriate dataset fields' with the data values you want to filter.

Consider our below use case, when you want to only show a merchant manager the data they are entitled to, map the merchant name (such as Anderson LLC) with Merchant Name field in the Dataset below.

Learn more about Shareable Link Permission Settings.

RLP in Email / Slack Schedules

RLP in Email Schedules allows you to set some static filters to control what data users can see when they recieve your email.

Learn more about Email Schedules

RLP in Reporting

With RLP in reporting, you can control which record values your users can retrieve from a specific dataset or dashboard.

General concept of RLP in Reporting

There are two main concepts to set up RLP in Reporting:

  • Users/User Groups Attributes: user's metadata that allows admins to manage and use in Dataset's Row-level Permission. For more information about User Attributes, visit User Attributes docs.
  • Dataset Permission Settings: Each Dataset has its own Permission Settings where you can add Permission Rules. Each Permission Rule is a dataset condition that restricts the data results generated from that dataset. You can also reference User Attributes in Permission Rules to restrict the dataset result according to the User Attribute values of the viewing users.

info

Please note that Permission Rules can be only applied to explorers and business users, not admins, and analysts who have access to the dataset's data warehouse.

To test your Permission Rules, use View and Edit as feature to impersonate your users.

To understand more about how RLP in Reporting works with real use-case, please follow the sample use-case below.

Sample use-case 1

In this case, let's say you already have a data structure like the one below, each admin manages a few merchants and has an account in Holistics, and you want them to see only the data from the merchants they are managing.

Invite Merchant Admins to Holistics

Firstly, you need to invite your admins to Holistics with the same emails in your database.

For mass import, you can check out our API for inviting users (coming soon).

Setup Permission Rules in Dataset

To set up permission settings that matches the requirement above for any dataset, both admins and merchant models have to be linked and included in that same dataset.

Open the Dataset you want to setup, select Permission Settings, add a permission rule like the one below

Users (admin) > Email: macthes User attribute h_email

From now on, whenever your admins login to Holistics, any results generated from this dataset will be filtered by their email addresses (which are being used as Holistics account name).

Test Your Permission Rules

To make sure your permission rules work properly, use View and edit as under App Settings to test with each account.

For example, we impersonate user Aalund Dani, and the result returns only the data of the merchants that are linked to Aalund.

Sample use-case 2

  • An international eCommerce company that has multiple stores located in 6 countries (Vietnam, Indonesia, Malaysia, Singapore, Philippines, United States). For each country, you have one regional manager and many merchant managers.
  • You want to build a reporting system that:
    • A CEO can see any data from all stores in all countries.
    • Each regional manager should only see merchants relevant to their region
    • Each merchant manager can only see data they are entitled to.

For example, this is our expected result:

To setup this RLP system, please follow these steps below:

  1. Setup User Attributes

    1.1. Setup User Attribute for each merchant manager

    1.2 Setup User Attribute for Country managers and APAC manager

    1.3 Setup User Attribute for CEO

  2. Setup Permission Settings in Dataset

  3. Test permission settings

1. Add a new User Attribute

1.1 Setup User Attribute for each merchant manager manually

Starting with a merchant manager, who can only see data of their merchant.

Firstly, you need to create a new attribute.

  • Navigate to the user management page and click Attributes.

  • Click Add or manage Attribute to open User Attribute management modal.
  • Click Add new User Attribute, enter the attribute name (merchant in this case)
  • Click Save

Note: h_email is a system user attribute, which cannot be modified and has h_ as its prefix to distinguish with custom user attributes.

After being defined, merchant's value of each user will be Inherited from groups by default. To allow this [email protected] to see only data of King Inc later in dataset, you need to change the input type to manual input, set this attribute's value to King Inc, and click Save.

An attribute will be created globally for all users and groups. The default value of this attribute for other users will be Inherited from groups, which is empty.

1.2 Setup for Country Managers & Regional managers

In this example, we want to achieve these 2 requirements

  • For all country managers can only see the data that are relevant to their country. For example: [email protected], [email protected], and [email protected] can see data of all merchants in Vietnam.
  • For the APAC manager [email protected], who manages Asia-Pacific countries, he will be able to see data of all merchants ins Vietnam, Singapore, Malaysia, Indonesia, and Philippines.

To achieve that, let's try another approach by leveraging Group User Attributes.

In Group Management view, we create Vietnam group, define a new User Attribute country, set Vietnam as its value.

Then navigate back to Users Management, and add all Vietnam Managers to this group.

Create groups Singapore, Malaysia, Indonesia, and Philippines to manage other managers.

To set up for APAC Manager, you just need to add [email protected] to all the groups above. The country attribute value of APAC Manager will be inherited from these groups by default.

1.3 Setup for CEO

Since we haven't set up value for User Attributes country and merchant of CEO, their default values are inherited from groups that are empty.

To allow the CEO's account to see all merchants in all countries, change country and merchant User Attributes values to All, it will override any group value.

2. Add Permission Rules in Dataset

Navigate to the Dataset you want to setup permission settings, open Permission Settings modal. Click Add permission to create a new row-level permission rule.

Map Merchant Name from Data Model Merchants to User Attribute merchant, Country Name in Data Model Countries to User Attribute country.

From now on, when users log in to Holistics, data from all dashboards and widgets that are created from this dataset will always be restricted with the value they are allowed to see from the setup above.

info

Please note that Permission Rules can be only applied to explorers and business users, not admins, and analysts who have access to the dataset's data warehouse.

3. Test Your Permission Rules

To make sure your permission rules work properly, use View and edit as under App Settings to test with each account.