Managing access to DataLens
Access to Yandex DataLens is controlled by assigning roles:
- To a DataLens instance at the organization level: through the organization service.
- To a DataLens instance at the cloud folder level: via the Yandex Cloud console.
To grant a user access, assign them a DataLens role.
DataLens access control is implemented at the object and directory level.
You grant users permissions on individual objects and directories; the permission determines which operations are allowed on that object. A directory or object that you create or copy inherits the permissions of its new parent directory, so check the parent's permissions before creating or copying sensitive objects into it.
You can grant users access to a directory or to any of the following service objects:
- Connections
- Datasets
- Charts
- Dashboards
Users can also request permissions on their own via the request form. For more information, see Request permissions.
User roles
Roles define a user's permissions in a DataLens instance.
User roles are assigned:
- To a DataLens instance at the organization level: through the organization service.
- To a DataLens instance at the cloud folder level: via the Yandex Cloud console.
datalens.creator
The datalens.creator role provides access to DataLens with permission to create objects. The user can view or edit existing objects only if they have been granted the relevant permissions on those objects.
The role does not grant permission to view folders in the cloud.
After you assign the role, you can grant the user permissions on objects and directories in DataLens.
datalens.admin
The datalens.admin role provides access to DataLens as a DataLens instance administrator. Administrators have permissions on all objects and directories in DataLens.
The role does not grant permission to view folders in the cloud.
After you assign the role, you can grant the user permissions on objects and directories in DataLens.
datalens.instances.user
The datalens.instances.user role provides access to DataLens.
After you assign the role, you can grant the user permissions on objects and directories in DataLens.
Currently, this role can only be assigned at the folder or cloud level.
datalens.instances.admin
The datalens.instances.admin role provides access to DataLens as a DataLens instance administrator. Administrators have permissions on all objects and directories in DataLens.
An administrator has all datalens.instances.user permissions and, in addition, access to DataLens settings.
After you assign the role, you can grant the user permissions on objects and directories in DataLens.
Currently, this role can only be assigned at the folder or cloud level.
Note
The datalens.instances.user and datalens.instances.admin roles also grant permission to view folders in the cloud. We recommend using the datalens.creator and datalens.admin roles instead, respectively: they grant the same DataLens access without making cloud folders visible, which keeps the grant to the minimum the user needs.
Adding a user
You can add users with a Yandex account as well as federated users.
Add a user with a Yandex account
To add a user and grant them access to DataLens:

Add a user to an organization
- Make sure you are authorized in Yandex Cloud as an administrator or owner of the organization (your user holds the admin or owner role for the organization). In the top left-hand corner, open the menu and go to the organization.
- In the top right-hand corner, click Add user. In the resulting window, enter the email address of a Yandex user and click Add. The new user will appear in the list of organization users.
Warning
The Add user form only accepts Yandex accounts. Other account types are not supported here; to add users from an identity federation, see Add federated users.
- Assign this user a role for accessing DataLens:
  - Open the Configure access rights window:
    - On the left-hand panel, select a cloud.
    - Go to Access rights.
    - Find the required user in the list. Assigned roles are specified in the Roles column.
  - In the Configure access rights window, click the button for adding a role and select the datalens.instances.user role from the list.
  - Click Save. The user will gain access to DataLens.

Add a user to a cloud
- Open the Users and roles page for the selected cloud. If necessary, switch to another cloud.
- On the Users and roles page, click Add user in the top-right corner.
- Enter the user's Yandex email address.
- Click Add. When a new user is added to the cloud, they are automatically assigned the cloud member role: resource-manager.clouds.member.
Note
It may take a few hours before the username of the added user appears in the form for granting permissions.
- Open the list of user roles:
  - On the left-hand panel, select a cloud.
  - Go to Access rights.
  - Find the required user in the list. Assigned roles are specified in the Roles column.
- To add a cloud role, click the button for adding a role in the section listing roles for the cloud. To add a role for a folder, select the folder and click Assign role in the Roles for folders section.
- Choose datalens.instances.user or datalens.instances.admin from the list.
Add federated users
To add federated users, you need to know the users' Name IDs returned by the Identity Provider (IdP) server with the successful authentication response. This is usually the user's primary email address. If you don't know what the server returns as the Name ID, contact the administrator who configured authentication for your federation.
Add federated users to an organization
To add federated users to an organization and grant them access to DataLens:
- Add federated users.

Management console
  - Make sure you are authorized in Yandex Cloud as an administrator or owner of the organization (your user holds the admin or owner role for the organization). In the top left-hand corner, open the menu and go to the organization.
  - In the top-right corner, click the arrow next to the Add user button. Select Add federated users.
  - Select the identity federation to add users from.
  - List the Name IDs of users, separating them with line breaks.
  - Click Add. This will give the users access to the organization.

CLI
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
  - View a description of the add user command:
```bash
yc organization-manager federation saml add-user-accounts --help
```
  - Add users by listing their Name IDs separated by a comma:
```bash
yc organization-manager federation saml add-user-accounts --name my-federation \
  --name-ids=alice@example.com,bob@example.com,charlie@example.com
```

API
  - Create a file with the request body, e.g., body.json. In the request body, specify the array of Name IDs of the users you want to add:
```json
{
  "nameIds": [
    "alice@example.com",
    "bob@example.com",
    "charlie@example.com"
  ]
}
```
  - Send the request, specifying the federation ID in the URL:
```bash
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <IAM token>" \
  -d '@body.json' \
  https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/federations/<federation ID>:addUserAccounts
```

- Assign roles to users for DataLens access:
  - Open the list of user roles:
    - On the left-hand panel, select a cloud.
    - Go to Access rights.
    - Find the required user in the list. Assigned roles are specified in the Roles column.
  - In the Configure access rights window, click the button for adding a role and select the datalens.instances.user role from the list.
  - Click Save. The user will gain access to DataLens.
Add federated users to a cloud
To add federated users to a cloud and grant them access to DataLens:
- Add federated users.

Management console
To add identity federation users to the cloud:
  - Open the Users and roles page for the selected cloud. If necessary, switch to another cloud.
  - Click the arrow next to the Add user button.
  - Select Add federated users.
  - Select the identity federation to add users from.
  - List the Name IDs of users, separating them with line breaks.

CLI
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
  - View a description of the add user command:
```bash
yc iam federation add-user-accounts --help
```
  - Add users by listing their Name IDs separated by a comma:
```bash
yc iam federation add-user-accounts --name my-federation \
  --name-ids=alice@example.com,bob@example.com,charlie@example.com
```

API
To add identity federation users to the cloud:
  - Create a file with the request body (for example, body.json). In the request body, specify the array of Name IDs of the users you want to add:
```json
{
  "nameIds": [
    "alice@example.com",
    "bob@example.com",
    "charlie@example.com"
  ]
}
```
  - Send the request, specifying the federation ID in the URL:
```bash
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <IAM token>" \
  -d '@body.json' \
  https://iam.api.cloud.yandex.net/iam/v1/saml/federations/<federation ID>:addUserAccounts
```

- Assign roles to users for DataLens access:
  - Open the list of user roles:
    - On the left-hand panel, select a cloud.
    - Go to Access rights.
    - Find the required user in the list. Assigned roles are specified in the Roles column.
  - To add a cloud role, click the button for adding a role in the section listing roles for the cloud. To add a role for a folder, select the folder and click Assign role in the Roles for folders section.
  - Choose datalens.instances.user from the list.
For more information about assigning roles in Yandex Cloud, see Roles.
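The organization-level and cloud-level API procedures above differ only in the endpoint; the request body and the follow-up role assignment are the same in both. The POSIX shell script below is an added example, not part of the Yandex documentation or of the yc tool, that wraps both: it builds the addUserAccounts body from the same comma-separated Name ID list the CLI accepts (escaping the IDs, since they come from the IdP rather than from you), chooses the endpoint by scope, and reads the IAM token from an IAM_TOKEN environment variable and hands it to curl through a config read on stdin, so the token appears neither in shell history nor in the process list as it would with -H on the command line. The role-binding helper uses the generic yc resource-manager cloud/folder add-access-binding command, which this page does not show (the page assigns roles in the console), and only accepts datalens.instances.user and datalens.instances.admin, the two roles the page says can be assigned at cloud or folder level. IAM_TOKEN, DRY_RUN and the function names are this example's own assumptions; federation, folder and user IDs are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the Yandex documentation or the yc tool).
# Assumptions: IAM_TOKEN holds an IAM token; DRY_RUN=1 prints instead of sending.

# json_escape STRING: escape backslash and double quote so a Name ID can be
# embedded safely in a JSON string (Name IDs come from the IdP, not from you).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_add_users_body a@example.com,b@example.com
# Produces the body used by :addUserAccounts, e.g.
# {"nameIds":["a@example.com","b@example.com"]}
build_add_users_body() {
  _out='{"nameIds":['
  _sep=''
  _old_ifs=$IFS
  set -f; IFS=','              # split on commas only, no globbing of IDs
  for _id in $1; do
    [ -n "$_id" ] || continue
    _out="${_out}${_sep}\"$(json_escape "$_id")\""
    _sep=','
  done
  IFS=$_old_ifs; set +f
  printf '%s]}' "$_out"
}

# federation_endpoint org|cloud FEDERATION_ID
# Organization-level and cloud-level federations are served by different
# APIs (organization-manager vs iam), as the two curl calls above show.
federation_endpoint() {
  case $1 in
    org)   printf 'https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/federations/%s:addUserAccounts' "$2" ;;
    cloud) printf 'https://iam.api.cloud.yandex.net/iam/v1/saml/federations/%s:addUserAccounts' "$2" ;;
    *)     echo "federation_endpoint: scope must be org or cloud" >&2; return 1 ;;
  esac
}

# add_federated_users org|cloud FEDERATION_ID NAME_IDS
add_federated_users() {
  _url=$(federation_endpoint "$1" "$2") || return 1
  _body=$(build_add_users_body "$3")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'POST %s\n%s\n' "$_url" "$_body"
    return 0
  fi
  [ -n "${IAM_TOKEN:-}" ] || { echo "IAM_TOKEN is not set" >&2; return 1; }
  # The Authorization header reaches curl through a config file on stdin
  # (-K -), so the token is not visible in `ps` output or shell history.
  printf 'header = "Authorization: Bearer %s"\n' "$IAM_TOKEN" |
    curl -sS -K - -X POST \
      -H 'Content-Type: application/json' \
      -d "$_body" \
      "$_url"
}

# bind_datalens_role cloud|folder RESOURCE_ID ROLE SUBJECT
# Assigns the role with the generic Resource Manager access-binding command of
# yc (assumed here; this page assigns roles in the console). SUBJECT is, for
# example, federatedUser:<user ID>. Only the two roles the page says can be
# assigned at cloud or folder level are accepted.
bind_datalens_role() {
  case $3 in
    datalens.instances.user|datalens.instances.admin) ;;
    *) echo "bind_datalens_role: $3 cannot be assigned at cloud/folder level" >&2; return 1 ;;
  esac
  case $1 in
    cloud|folder) ;;
    *) echo "bind_datalens_role: scope must be cloud or folder" >&2; return 1 ;;
  esac
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'yc resource-manager %s add-access-binding --id %s --role %s --subject %s\n' "$1" "$2" "$3" "$4"
    return 0
  fi
  yc resource-manager "$1" add-access-binding --id "$2" --role "$3" --subject "$4"
}

# Usage (dry run, nothing is sent):
#   DRY_RUN=1 add_federated_users cloud <federation ID> alice@example.com,bob@example.com
#   DRY_RUN=1 bind_datalens_role folder <folder ID> datalens.instances.user federatedUser:<user ID>
```

Run with DRY_RUN=1 first to see the exact request and yc command before anything is sent. The binding step needs the user's ID, which exists only after the user has been added to the federation, so keep the two calls in that order.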
Object permissions
Permissions can be assigned to individual users or to the All group, which includes every authenticated user.
You can assign the following permissions to objects and directories in DataLens:
Execute
A user with the Execute permission for a connection can make requests to it but can't create datasets on it. Regardless of their permissions on datasets built over the connection, the user can't see the connection's list of tables or view the SQL subquery a dataset is based on.
A user with Execute access to a dataset can run queries against it but can't create or edit charts on it or view the dataset itself.
Warning
The Execute permission can only be granted for connections and datasets.
Granting users the Execute permission lets you:
- Reduce the number of requests to the source, thereby reducing the load on it.
- Better control what data can be shown from a dataset. You can hide some source fields so that users can't view all fields.
- Restrict the creation of subqueries to the source database. A user with the Execute permission can't write subqueries.
Read
A user with the Read permission can view dashboards, widgets, datasets, and directories.
Warning
The Read permission doesn't allow copying datasets, because they contain row-level security (RLS) settings. A user can only copy datasets if granted the Write or Admin permission.
Write
A user with the Write permission can edit dashboards, widgets, connections, datasets, and directories.
The Write permission includes everything in the Read permission.
Admin
A user with the Admin permission can edit the objects and directories available to them and change their permissions.
The Admin permission includes everything in the Write permission.
Table of permissions

| Access object / Action | Execute | Read | Write | Admin |
|---|---|---|---|---|
| Directory | | | | |
| View directories | N/A | | | |
| Edit a directory | N/A | | | |
| Delete directories | N/A | | | |
| Edit permissions | N/A | | | |
| Connection | | | | |
| Make requests to a connection | | | | |
| Create a dataset over a connection | | | | |
| View connection parameters | | | | |
| Edit connections | | | | |
| Delete connections | | | | |
| Edit permissions | | | | |
| Datasets | | | | |
| Make requests to a dataset | | | | |
| Create a chart on a dataset | | | | |
| View a dataset | | | | |
| Edit a dataset | | | | |
| Delete datasets | | | | |
| Edit permissions | | | | |
| Chart | | | | |
| View charts | N/A | | | |
| Edit charts | N/A | | | |
| Delete charts | N/A | | | |
| Edit permissions | N/A | | | |
| Grant public access | N/A | | | |
| Dashboard | | | | |
| View dashboards | N/A | | | |
| Edit dashboards | N/A | | | |
| Delete dashboards | N/A | | | |
| Edit permissions | N/A | | | |
| Grant public access | N/A | | | |
Object access audit
A DataLens user can obtain access logs for DataLens objects (view, edit, delete).
To retrieve the logs, contact technical support.