Managing access at the data row level (RLS)
Using RLS (row-level security), you can restrict data access for users within a single dataset. For example, you can restrict access for different customers.
Warning
-
When using RLS, restrict access to the connection by using the
Execute
permission. This will prevent changes to row access permissions and restrict access to opening the preview window and creating a new dataset from the connection. -
RLS supports access control for string values only.
You can restrict data access at the row level both in a dataset and data source.
Configuring RLS at the dataset level
You can restrict access to any dataset dimension. Each user can be granted rights to an unlimited number of measure values.
Restrictions are set in the access configuration and look like this:
'value_1': user_1, user_2
'value_2': user_3
'value_3': user_1, user_2, user_3
For example, to configure user access to the first-company
value in the Company name
field, specify the following configuration:
'first-company': login-to-access-your-row-data@yandex.ru
To configure access for multiple users, list their accounts separated by commas in the access configuration:
'first-company': login1-to-access-your-row-data@yandex.ru, login2-to-access-your-row-data@yandex.ru, login3-to-access-your-row-data@yandex.ru
Values and users can be defined using wildcard characters:
-
User_1
anduser_2
can access any values of the field*: user_1, user_2
For example, to configure user access to all the values in the
Company name
field, specify the following configuration:
*: login1-to-access-your-row-data@yandex.ru, login2-to-access-your-row-data@yandex.ru
-
Value_1
is available to all users'value_1': *
For example, to enable access for all users to the
first-company
value in theCompany name
field, specify the following configuration:'first-company': *
Quotes in values are set using double quotes:
'value in ''quotes''': user_1, user_2
For example, to set quotation marks for the first-company "Example"
company name in the Company name
field, specify the following configuration:
'first-company ''Example''': login1-to-access-your-row-data@yandex.ru, login2-to-access-your-row-data@yandex.ru
You can also use the "
character:
'first-company "Example"': login1-to-access-your-row-data@yandex.ru, login2-to-access-your-row-data@yandex.ru
With RLS, a query to a dataset passes through the following filter:
where dimension in (value_1, value_2 ... value_N)
Configuring RLS at the data source level
Configuring RLS at the dataset level requires editing the dataset every time the RLS settings change.
To avoid this, you can transfer the logic of access control at the row level to the data source:
-
Add a new field for storing user IDs to the source data. All requests to the source will be filtered by this field.
To view your ID, follow this link
. If you need another user's ID, ask them to open this link and pass the ID to you. -
For each row of source data, specify the ID of the user who is allowed to access this row. If multiple users should have access to the same row, you can move the access control logic to a separate table and join it to the main table at the dataset level.
-
In the dataset field with the IDs in the RLS settings, enter
userid:userid
. Theuserid
variable can be used together with the regular RLS type in the dataset:'value_1': user_1, user_2 'value_2': user_3 userid:userid
Note
You can transfer the RLS logic to the source side for sources where the data structure can be changed. In Yandex Metrica and AppMetrica, the data structure is closed, so this method is unavailable.
How to change permissions to a row in a dataset
To configure permissions for a data row value:
-
Open the dataset.
-
On the right side of the row, click
-
Enter the value of the field and users in the specified format and click Save.
'value_1': user_1, user_2 'value_2': user_3
For example, to configure access to the
first-company
value for theCompany name
field:'first-company': login-to-access-your-row-data@yandex.ru
-
Save the dataset.
- Add a field to the source that will store user IDs and be used for filtering. You can add this field to a new table and join it using the
JOIN
operator. - Add the field to the dataset.
- Open the dataset.
- On the right side of the row, click
- In the permission settings, add
userid:userid
to the field and click Save. - Save the dataset.
Let's create a dashboard based on sales data by four regions (West, East, North, and South). Regional managers should only have access to their own data, while the company's CEO, to all data.
1. Let's define user IDs.
2. In the source, create an additional table named MANAGER_ID
with the region related to the user ID. If multiple regions are available for the same ID, list all unique pairs:
REGION | MANAGER_NAME | MANAGER_ID |
---|---|---|
West | Arkady | 19287318273912873 |
East | Vasily | 92877912837318927 |
North | Olga | 02993284928374346 |
South | Dmitry | 10836293849237642 |
West | Maxim | 71726123712891283 |
East | Maxim | 71726123712891283 |
North | Maxim | 71726123712891283 |
South | Maxim | 71726123712891283 |
3. Let's add the table to the dataset.
4. To do this, make a JOIN
by the REGION
field.
5. Then set up RLS by the MANAGER_ID
field and add userid:userid
.
To change the access control settings, update the data in the source table.