Object permissions
DataLens access control is implemented at the object and the folder level.
You can grant users permission to each object and directory. They determine which operations are allowed. If you created or copied a directory or object, they will have the same permissions as their new parent folder.
You can grant users access to a directory or any service object:
Note
To control access to individual fields or their values, use RLS. This will allow you, for example, to display different information for different users on a single dashboard.
Permissions can be granted to individual users or the All group that includes users who passed authentication. Users can also request permissions on their own via the request form. For more information, see Requesting permissions.
You can grant the following permissions to objects and directories in DataLens:
Execute
A user with the Execute
permission for a connection can make requests to it, but can't create datasets. Regardless of dataset permissions, the user can't access a list of tables in a dataset or view the SQL subquery that the dataset is based on.
A user with Execute
access to a dataset can run queries against the dataset but is unable to create or edit charts or view the dataset.
Warning
You can only grant the Execute
permission for connections and datasets.
Granting users the Execute
permission lets you:
-
Reduce the number of requests to the source, thereby reducing the load on the connection source.
-
Better control what data can be shown from a dataset. You can hide some source fields so that users can't view all fields.
-
Restrict the creation of subqueries to the source database. A user with the
Execute
permission can't write subqueries.
Read
A user with the Read
permission can view dashboards, widgets, datasets, and directories.
Warning
The Read
permission doesn't allow copying datasets, because they contain RLS settings. A user can only copy datasets if granted the Write
or Admin
permission.
Write
A user with the Write
permission can edit dashboards, widgets, connections, datasets, and directories.
The Write
permission includes everything included in the Read
permission.
Admin
A user with the Admin
permission can edit available objects and directories, as well as change permissions.
The Admin
permission includes everything included in the Write
permission.
Table of permissions
Access object Action |
Execute | Read | Write | Admin |
---|---|---|---|---|
Directory | ||||
View directories | N/A | |||
Edit a directory | N/A | |||
Delete directories | N/A | |||
Edit permissions | N/A | |||
Connection | ||||
Make requests to a connection |
||||
Create a dataset over a connection |
||||
View connection parameters |
||||
Edit connections | ||||
Delete connections | ||||
Edit permissions | ||||
Datasets | ||||
Make requests to a dataset |
||||
Create a chart on a dataset |
||||
View a dataset | ||||
Edit a dataset | ||||
Copy a dataset | ||||
Delete datasets | ||||
Edit permissions | ||||
Chart | ||||
View charts | N/A | |||
Edit charts | N/A | |||
Copy a chart | N/A | |||
Delete charts | N/A | |||
Edit permissions | N/A | |||
Grant public access | N/A | |||
Dashboard | ||||
View dashboards | N/A | |||
Edit dashboards | N/A | |||
Copy dashboards | N/A | |||
Delete dashboards | N/A | |||
Edit permissions | N/A | |||
Grant public access | N/A |
Note
You cannot duplicate (copy) a folder and a connection with any permissions.
Object access audit
A DataLens user can get access logs for DataLens objects (view, edit, delete).
To retrieve logs, please contact technical support