© 2022 Yandex.Cloud LLC

Managing access to DataLens

Written by Yandex Cloud
  • User roles
  • Adding a user
    • Add a user with a Yandex account
    • Add federated users
  • Object permissions
    • Execute
    • Read
    • Write
    • Admin
  • Table of permissions
  • Object access audit

Access to Yandex DataLens is regulated by assigning permissions:

  • To a DataLens instance at the enterprise level: using the organization's service.
  • To a DataLens instance at the cloud folder level: via the Yandex Cloud console.

To grant a user access, assign them a DataLens role.

DataLens access control is implemented at the object and the folder level.
You can grant users permissions for each object and directory. Permissions determine which operations are allowed. A directory or object that you create or copy gets the same permissions as its new parent folder.

You can grant users access to a directory or any service object:

  • Connection
  • Datasets
  • Charts
  • Dashboards

Users can also request permissions on their own via the request form. For more information, see Request permissions.

User roles

Roles let you define user permissions in a DataLens instance:

  • datalens.instances.user — A DataLens user with permissions to create, read, and update objects based on object permissions.
  • datalens.instances.admin — The DataLens instance administrator. The role is automatically assigned to the instance creator. An administrator has datalens.instances.user permissions. They have access to DataLens settings.

User roles are assigned:

  • To a DataLens instance at the enterprise level: using the organization's service.
  • To a DataLens instance at the cloud folder level: via the Yandex Cloud console.

Adding a user

You can add users with a Yandex account as well as federated users.

Add a user with a Yandex account

To add a user and grant them access to DataLens:

To an organization:

  1. Make sure you are authorized in Yandex Cloud as an administrator or owner of the organization (your user holds the admin or owner role for the organization). In the top left-hand corner, click and select Resources and management → Manage organization services or click the link.

  2. In the top right-hand corner, click Add user. In the resulting window, enter the email address of a Yandex user and click Add. The new user will appear in the list of organization users.

    Warning

    At this time, you can only add a user with a Yandex account. Other accounts are not supported.

  3. Assign this user a role for accessing DataLens:

      1. Select a user to assign a role to.
      2. Click .
      3. Select Configure access.
      4. In the Configure access rights window, click Add role. Choose the datalens.instances.user role from the list.
      5. Click Save. The user will gain access to DataLens.

To a cloud:

  1. Open the Users and roles page for the selected cloud. If necessary, switch to another cloud.

  2. On the Users and roles page, click Add user in the upper-right corner.

  3. Enter the user's Yandex email address.

  4. Click Add. When a new user is added to the cloud, they're automatically assigned the cloud member role: resource-manager.clouds.member.

    Note

    It may take several hours before the username of the added user appears in the form for granting permissions.

    1. Select a user to assign a role to.
    2. Click .
    3. Select Configure access.
  5. To add a cloud role, click in the Roles for cloud section.

    To add a role for a folder, select the folder and click Assign role in the Roles for folders section.

  6. Choose datalens.instances.user or datalens.instances.admin from the list.

Add federated users

To add federated users, you need to know the users' Name IDs returned by the Identity Provider (IdP) server with the successful authentication response. This is usually the user's primary email address. If you don't know what the server returns as the Name ID, contact the administrator who configured authentication for your federation.

Add federated users to an organization

To add federated users to an organization and grant them access to DataLens:

  1. Add federated users:

    Management console:

    1. Make sure you are authorized in Yandex Cloud as an administrator or owner of the organization (your user holds the admin or owner role for the organization). In the top left-hand corner, click and select Resources and management → Manage organization services or click the link.
    2. In the upper-right corner, click on the arrow next to the Add user button. Select Add federated users.
    3. Select the identity federation to add users from.
    4. List the Name IDs of users, separating them with line breaks.
    5. Click Add. This will give the users access to the organization.

    CLI:

    If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    1. View a description of the add user command:

      yc organization-manager federation saml add-user-accounts --help

    2. Add users by listing their Name IDs separated by a comma:

      yc organization-manager federation saml add-user-accounts --name my-federation \
         --name-ids=alice@example.com,bob@example.com,charlie@example.com

    API:

    1. Create a file with the request body (for example, body.json). In the request body, specify the array of Name IDs of users you want to add:

      {
         "nameIds": [
           "alice@example.com",
           "bob@example.com",
           "charlie@example.com"
         ]
      }

    2. Send the request by specifying the Federation ID in the parameters:

      $ curl -X POST \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer <IAM token>" \
         -d '@body.json' \
         https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/federations/<federation ID>:addUserAccounts

  2. Assign roles to users for DataLens access:

      1. Select a user to assign a role to.
      2. Click .
      3. Select Configure access.
      4. In the Configure access rights window, click Add role. Choose the datalens.instances.user role from the list.
      5. Click Save. The user will gain access to DataLens.

Add federated users to a cloud

To add federated users to a cloud and grant them access to DataLens:

  1. Add federated users:

    Management console:

    To add identity federation users to the cloud:

    1. Open the Users and roles page for the selected cloud. If necessary, switch to another cloud.
    2. Click the arrow next to the Add user button.
    3. Select Add federated users.
    4. Select the identity federation to add users from.
    5. List the Name IDs of users, separating them with line breaks.

    CLI:

    If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    1. View a description of the add user command:

      $ yc iam federation add-user-accounts --help

    2. Add users by listing their Name IDs separated by a comma:

      $ yc iam federation add-user-accounts --name my-federation \
        --name-ids=alice@example.com,bob@example.com,charlie@example.com

    API:

    To add identity federation users to the cloud:

    1. Create a file with the request body (for example, body.json). In the request body, specify the array of Name IDs of users you want to add:

      {
        "nameIds": [
          "alice@example.com",
          "bob@example.com",
          "charlie@example.com"
        ]
      }

    2. Send the request by specifying the Federation ID in the parameters:

      $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer <IAM token>" \
        -d '@body.json' \
        https://iam.api.cloud.yandex.net/iam/v1/saml/federations/<federation ID>:addUserAccounts

    1. Select a user to assign a role to.
    2. Click .
    3. Select Configure access.
  2. To add a cloud role, click in the Roles for cloud section.

    To add a role for a folder, select the folder and click Assign role in the Roles for folders section.

  3. Choose datalens.instances.user from the list.

For more information about assigning roles in Yandex Cloud, see Roles.

Object permissions

Permissions can be assigned to individual users or the All group that includes users who passed authentication.

You can assign the following permissions to objects and directories in DataLens:

  • Execute
  • Read
  • Write
  • Admin

Execute

A user with the Execute permission for a connection can make requests to it, but can't create datasets. Regardless of dataset permissions, the user can't access a list of tables in a dataset or view the SQL subquery that the dataset is based on.

A user with Execute access to a dataset can run queries against the dataset but is unable to create or edit charts or view the dataset.

Warning

You can only grant the Execute permission for connections and datasets.

Granting users the Execute permission lets you:

  • Reduce the number of requests to the source, thereby reducing the load on the connection source.

  • Better control what data can be shown from a dataset. You can hide some source fields so that users can't view all fields.

  • Restrict the creation of subqueries to the source database. A user with the Execute permission can't write subqueries.

Read

A user with the Read permission can view dashboards, widgets, datasets, and directories.

Warning

The Read permission doesn't allow copying datasets, because they contain RLS settings. A user can only copy datasets if granted the Write or Admin permission.

Write

A user with the Write permission can edit dashboards, widgets, connections, datasets, and directories.

The Write permission includes everything included in the Read permission.

Admin

A user with the Admin permission can edit available objects and directories, as well as change permissions.

The Admin permission includes everything included in the Write permission.

Table of permissions

Access object   Action                              Execute   Read   Write   Admin
Directory       View directories                    N/A       ✔      ✔       ✔
                Edit directories                    N/A       -      ✔       ✔
                Delete directories                  N/A       -      -       ✔
                Edit permissions                    N/A       -      -       ✔
Connection      Make requests to a connection       ✔         ✔      ✔       ✔
                Create a dataset over a connection  -         ✔      ✔       ✔
                View connection parameters          -         ✔      ✔       ✔
                Edit connections                    -         -      ✔       ✔
                Delete connections                  -         -      -       ✔
                Edit permissions                    -         -      -       ✔
Dataset         Make requests to a dataset          ✔         ✔      ✔       ✔
                Create charts on a dataset          -         ✔      ✔       ✔
                View datasets                       -         ✔      ✔       ✔
                Edit datasets                       -         -      ✔       ✔
                Delete datasets                     -         -      -       ✔
                Edit permissions                    -         -      -       ✔
Chart           View charts                         N/A       ✔      ✔       ✔
                Edit charts                         N/A       -      ✔       ✔
                Delete charts                       N/A       -      -       ✔
                Edit permissions                    N/A       -      -       ✔
                Grant public access                 N/A       -      -       ✔
Dashboard       View dashboards                     N/A       ✔      ✔       ✔
                Edit dashboards                     N/A       -      ✔       ✔
                Delete dashboards                   N/A       -      -       ✔
                Edit permissions                    N/A       -      -       ✔
                Grant public access                 N/A       -      -       ✔
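
The table of permissions can be used as a least-privilege check on existing grants. The following is an added example, not Yandex Cloud code: it transcribes the table into a lookup and reviews a constructed list of grants. The action names, the grant tuple format, and the rule that flags Write or Admin held by the All group are assumptions of this example.

```python
# Permission levels in increasing order; in the table each level also allows
# everything the levels to its left allow.
LEVELS = ["execute", "read", "write", "admin"]

# Lowest level that allows each action, transcribed from the table of permissions.
# The action keys are shorthand chosen for this example.
_COMMON = {"edit": "write", "delete": "admin", "edit_permissions": "admin"}
MIN_LEVEL = {
    "directory": {"view": "read", **_COMMON},
    "connection": {"request": "execute", "create_dataset": "read",
                   "view_parameters": "read", **_COMMON},
    "dataset": {"request": "execute", "create_chart": "read", "view": "read", **_COMMON},
    "chart": {"view": "read", "grant_public_access": "admin", **_COMMON},
    "dashboard": {"view": "read", "grant_public_access": "admin", **_COMMON},
}
EXECUTE_TYPES = {"connection", "dataset"}  # Execute exists only for these


def allowed_actions(obj_type, level):
    """Actions a permission level allows on an object type."""
    if level == "execute" and obj_type not in EXECUTE_TYPES:
        raise ValueError(f"Execute cannot be granted on a {obj_type}")
    rank = LEVELS.index(level)
    return {a for a, need in MIN_LEVEL[obj_type].items() if LEVELS.index(need) <= rank}


def minimal_level(obj_type, needed):
    """Lowest level that covers every action in the non-empty set `needed`."""
    return max((MIN_LEVEL[obj_type][a] for a in needed), key=LEVELS.index)


def review(grants):
    """Return (subject, object, finding) tuples for grants that need attention."""
    findings = []
    for subject, obj_type, name, level, needed in grants:
        try:
            allowed_actions(obj_type, level)
        except ValueError as err:
            findings.append((subject, name, str(err)))
            continue
        lowest = minimal_level(obj_type, needed)
        if LEVELS.index(level) > LEVELS.index(lowest):
            findings.append((subject, name, f"{level} granted, {lowest} is enough"))
        # Assumed review policy: the All group should not hold Write or Admin.
        if subject == "All" and level in ("write", "admin"):
            findings.append((subject, name, f"All group holds {level}"))
    return findings


# Constructed sample grants: (subject, object type, object name, level, actions needed).
GRANTS = [
    ("alice@example.com", "connection", "sales-db", "read", {"request"}),
    ("bob@example.com", "dataset", "sales", "read", {"request", "create_chart"}),
    ("All", "dashboard", "kpi", "write", {"view"}),
    ("charlie@example.com", "chart", "revenue", "execute", {"view"}),
]

if __name__ == "__main__":
    for finding in review(GRANTS):
        print(*finding, sep=" | ")
```
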

Object access audit

A DataLens user can get access logs for DataLens objects (view, edit, delete).
To retrieve logs, please contact technical support.

What's next

  • Granting permissions
  • Deleting permissions
  • Request permissions
  • Managing access to data rows in a dataset
