Access management
Access to Yandex DataLens is managed from the Yandex.Cloud console.
To grant access, assign a user the datalens.instances.user role.
Permission differentiation in the service is implemented at the object and directory level.
You can grant users permission to each object and directory. They determine what operations are allowed.
You can grant users access to a directory or any service object:
- Connections
- Datasets
- Charts
- Dashboards
Users can also request permission on their own via the request form. For more information, see Request permissions.
Adding users
To add a user and grant them access to DataLens:
-
Open the Access management page for the selected cloud. If necessary, switch to another cloud.
-
On the Users and roles page, click Add user in the upper-right corner.
-
Enter the user's Yandex email address.
-
Click Add. When a new user is added to the cloud, they're automatically assigned the cloud member role:
resource-manager.clouds.member. -
Select the user to assign the role to, click
, and choose Configure roles. -
To add a role for a cloud, click
in the Roles for the cloud section. To add a role for a folder, select the folder and click Assign role in the Roles for folders section.
-
Choose
datalens.instances.userfrom the list.
For more information about assigning roles in Yandex.Cloud, see Roles.
Permissions
You can assign the following permissions to objects and folders in DataLens:
Execute
A user with the Execute permission can make requests to available connections and datasets.
It doesn't let the user view connections or datasets.
Warning
You can only grant the Execute permission for a connection and dataset.
Read
A user with the Read permission can view dashboards, widgets, datasets, and directories.
Write
A user with the Write permission can edit dashboards, widgets, connections, datasets, and directories.
The Write permission includes everything under the Read permission.
Admin
A user with the Admin permission can edit available objects and directories, as well as edit permissions.
The Admin permission includes everything under the Write permission.
Table of permissions
| Access object Action |
Execute | Read | Write | Admin |
|---|---|---|---|---|
| Directory | ||||
| View directories | N/A | ✔ | ✔ | ✔ |
| Edit directories | N/A | - | ✔ | ✔ |
| Edit permissions | N/A | - | - | ✔ |
| Connections | ||||
| Make requests to a connection |
✔ | ✔ | ✔ | ✔ |
| Create a dataset over a connection |
- | ✔ | ✔ | ✔ |
| View connection parameters |
- | ✔ | ✔ | ✔ |
| Edit connections | - | - | ✔ | ✔ |
| Edit permissions | - | - | - | ✔ |
| Datasets | ||||
| Make requests to a dataset |
✔ | ✔ | ✔ | ✔ |
| Create charts on a dataset |
✔ | ✔ | ✔ | ✔ |
| View datasets | - | ✔ | ✔ | ✔ |
| Edit datasets | - | - | ✔ | ✔ |
| Edit permissions | - | - | - | ✔ |
| Charts | ||||
| View charts | N/A | ✔ | ✔ | ✔ |
| Edit charts | N/A | - | ✔ | ✔ |
| Edit permissions | N/A | - | - | ✔ |
| Dashboards | ||||
| View dashboards | N/A | ✔ | ✔ | ✔ |
| Edit dashboards | N/A | - | ✔ | ✔ |
| Edit permissions | N/A | - | - | ✔ |
Row-level security (RLS)
In a dataset, you can restrict data access at the row level using Row-level security (RLS).
You can restrict access to any dataset dimension.
Using RLS, you can restrict data access for users within a single dataset. For example, you can restrict access for different customers.
Each user can be granted rights to an unlimited number of measure values.
Restrictions are set in the access configuration and look like this:
'[value 1]': [user 1], [user 2]
'[value 2]': [user 3]
'[value 3]': [user 1], [user 2], [user 3]
If RLS is configured, any query to a dataset passes through the following filter:
where [dimension] in ([value 1], [value 2]... [value N])
Warning
If you have set permissions at the row level, make sure to apply the Execute permission for the dataset. In this case, nobody can edit row permissions or open the data preview window.