
Managing access to DataLens

  • User roles
  • Adding users
    • Add a user with a Yandex account
    • Add federated users
  • Object permissions
    • Execute
    • Read
    • Write
    • Admin
  • Table of permissions
  • Object access audit

Access to Yandex DataLens is managed from the Yandex.Cloud console.
To grant a user access, assign them a DataLens role.

Permissions in the service are differentiated at the object and directory level.
You can grant a user permissions on each object and directory; these permissions determine which operations the user is allowed to perform. By default, objects inherit the access rights of the parent folder.

You can grant users access to a directory or any service object:

  • Connections
  • Datasets
  • Charts
  • Dashboards

Users can also request permission on their own via the request form. For more information, see Request permissions.

User roles

User roles define user permissions in a DataLens instance:

  • datalens.instances.user — A DataLens user with the rights to create, read, and update objects based on object permissions.
  • datalens.instances.admin — The DataLens instance administrator. The role is automatically assigned to the instance creator. The administrator has the datalens.instances.user rights and can also change the service plan and pay for the paid content in Cloud Marketplace.

User roles are assigned in the Yandex.Cloud console.

Adding users

You can add users with a Yandex account and federated users.

Add a user with a Yandex account

To add a user and grant them access to DataLens:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. On the Users and roles page, click Add user in the upper-right corner.

  3. Enter the user's Yandex email address.

  4. Click Add. When a new user is added to the cloud, they're automatically assigned the cloud member role: resource-manager.clouds.member.

    Note

    It may take several hours before the username of the added user appears in the form for granting permissions.

  5. Select the user to assign the role to, click , and choose Configure roles.

  6. To add a role for a cloud, click in the Roles for the cloud section.

    To add a role for a folder, select the folder and click Assign role in the Roles for folders section.

  7. Choose datalens.instances.user or datalens.instances.admin from the list.

Add federated users

To add federated users, you need to know the users' Name IDs returned by the Identity Provider (IdP) server with the successful authentication response. This is usually the user's primary email address. If you don't know what the server returns as the Name ID, contact the administrator who configured authentication for your federation.

  1. Add federated users:

    Management console

    To add identity federation users to the cloud:

    1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

    2. Click the arrow next to the Add user button.
    3. Select Add federated users.
    4. Select the identity federation to add users from.
    5. List the Name IDs of users, separating them with line breaks.

    CLI

    If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    1. View a description of the add user command:

      $ yc iam federation add-user-accounts --help

    2. Add users by listing their Name IDs separated by a comma:

      $ yc iam federation add-user-accounts --name my-federation \
        --name-ids=alice@example.com,bob@example.com,charlie@example.com

    API

    To add identity federation users to the cloud:

    1. Create a file with the request body (for example, body.json). In the request body, specify the array of Name IDs of users you want to add:

      {
        "nameIds": [
          "alice@example.com",
          "bob@example.com",
          "charlie@example.com"
        ]
      }
      
    2. Send the request by specifying the Federation ID in the parameters:

      $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer <IAM token>" \
        -d '@body.json' \
        https://iam.api.cloud.yandex.net/iam/v1/saml/federations/<federation ID>:addUserAccounts
      
  2. Select the user to assign the role to, click , and choose Configure roles.

  3. To add a role for a cloud, click in the Roles for the cloud section.

    To add a role for a folder, select the folder and click Assign role in the Roles for folders section.

  4. Choose datalens.instances.user from the list.

For more information about assigning roles in Yandex.Cloud, see Roles.

Object permissions

You can assign the following permissions to objects and folders in DataLens:

Execute

A user with the Execute permission can make requests to available connections and datasets.
It doesn't let the user view connections or datasets.

Warning

You can only grant the Execute permission for a connection and dataset.

Read

A user with the Read permission can view dashboards, widgets, datasets, and directories.

Write

A user with the Write permission can edit dashboards, widgets, connections, datasets, and directories.

The Write permission includes everything under the Read permission.

Admin

A user with the Admin permission can edit available objects and directories, as well as edit permissions.

The Admin permission includes everything under the Write permission.

Table of permissions

Access object  Action                               Execute  Read  Write  Admin
-------------  -----------------------------------  -------  ----  -----  -----
Directory      View directories                     N/A      ✔     ✔      ✔
               Edit directories                     N/A      -     ✔      ✔
               Delete directories                   N/A      -     -      ✔
               Edit permissions                     N/A      -     -      ✔
Connections    Make requests to a connection        ✔        ✔     ✔      ✔
               Create a dataset over a connection   -        ✔     ✔      ✔
               View connection parameters           -        ✔     ✔      ✔
               Edit connections                     -        -     ✔      ✔
               Delete connections                   -        -     -      ✔
               Edit permissions                     -        -     -      ✔
Datasets       Make requests to a dataset           ✔        ✔     ✔      ✔
               Create charts on a dataset           ✔        ✔     ✔      ✔
               View datasets                        -        ✔     ✔      ✔
               Edit datasets                        -        -     ✔      ✔
               Delete datasets                      -        -     -      ✔
               Edit permissions                     -        -     -      ✔
Charts         View charts                          N/A      ✔     ✔      ✔
               Edit charts                          N/A      -     ✔      ✔
               Delete charts                        N/A      -     -      ✔
               Edit permissions                     N/A      -     -      ✔
Dashboards     View dashboards                      N/A      ✔     ✔      ✔
               Edit dashboards                      N/A      -     ✔      ✔
               Delete dashboards                    N/A      -     -      ✔
               Edit permissions                     N/A      -     -      ✔
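
The permission levels and the table above, modeled as an added example for reviewing grants (not DataLens code or its API). The object names, the grants and the inheritance rule (an object with no grant of its own uses the nearest parent directory's grant) are assumptions made for illustration.

```python
# Added example: a model of the permission table, not DataLens code.
LEVELS = ["execute", "read", "write", "admin"]  # each level includes the ones before it
EXECUTE_TYPES = {"connection", "dataset"}       # Execute is N/A for other object types

# Minimum permission per action, read off the table of permissions.
MIN_LEVEL = {
    "request": "execute",        # make requests to a connection or dataset
    "create_chart": "execute",   # datasets only
    "create_dataset": "read",    # connections only
    "view": "read", "edit": "write",
    "delete": "admin", "edit_permissions": "admin",
}
COMMON = {"view", "edit", "delete", "edit_permissions"}
TYPE_ACTIONS = {"connection": {"request", "create_dataset"},
                "dataset": {"request", "create_chart"}}

# Constructed sample data: object -> (type, parent directory or None)
OBJECTS = {
    "sales": ("directory", None),
    "sales/ch": ("connection", "sales"),
    "sales/ds": ("dataset", "sales"),
    "sales/dash": ("dashboard", "sales"),
}
# Constructed grants: (user, object) -> permission
GRANTS = {
    ("alice", "sales"): "read",
    ("bob", "sales/ds"): "execute",
    ("bob", "sales/dash"): "execute",  # invalid: Execute on a dashboard
}

def effective(user, obj):
    """Nearest grant walking up the parent chain (assumed inheritance rule)."""
    while obj is not None:
        if (user, obj) in GRANTS:
            return GRANTS[(user, obj)]
        obj = OBJECTS[obj][1]
    return None

def can(user, action, obj):
    """True if the user's effective permission allows the action on the object."""
    kind = OBJECTS[obj][0]
    if action not in COMMON | TYPE_ACTIONS.get(kind, set()):
        return False  # the table has no such action for this object type
    level = effective(user, obj)
    if level is None or (level == "execute" and kind not in EXECUTE_TYPES):
        return False
    return LEVELS.index(level) >= LEVELS.index(MIN_LEVEL[action])

def invalid_execute_grants():
    """Grants of Execute on object types where the table marks it N/A."""
    return sorted(k for k, v in GRANTS.items()
                  if v == "execute" and OBJECTS[k[1]][0] not in EXECUTE_TYPES)
```
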

Object access audit

A DataLens user can get access logs for DataLens objects (view, edit, delete).
To get the logs, contact technical support.

What's next

  • Granting permissions
  • Deleting permissions
  • Request permissions
  • Managing access to data rows in a dataset
© 2021 Yandex.Cloud LLC