Managing access at the data row level (RLS)
Using RLS (row-level security), you can restrict data access for users within a single dataset. For example, you can restrict access for different customers.
You can restrict data access at the row level both in a dataset and data source.
You can restrict access to any dataset dimension. Each user can be granted rights to an unlimited number of measure values.
Restrictions are set in the access configuration and look like this:
'[value 1]': [user 1], [user 2] '[value 2]': [user 3] '[value 3]': [user 1], [user 2], [user 3]
Values and users can be defined using wildcard characters:
user 2can access any values of the field
*: [user 1], [user 2]
value 1value is available to all users
'[value 1]': *
Quotes in values are set using double quotes:
'value in ''quotes''': [user 1], [user 2]
With RLS, a query to a dataset passes through the following filter:
where [dimension] in ([value 1], [value 2]... [value N])
If you have set permissions at the row level, make sure to apply the
Execute permission for the dataset. In this case, nobody can edit row permissions or open the data preview window.
The method described above involves editing the dataset every time the RLS settings are changed.
To avoid this, you can transfer the logic of access control at the row level to the data source.
Add a new field for storing user IDs to the source data. All requests to the source will be filtered by this field.
- To view your ID, follow this link. If you need another user's ID, ask them to open this link and pass the ID to you.
For each row of source data, specify the ID of the user who is allowed to access this row. If multiple users should have access to the same row, you can move the access control logic to a separate table and join it to the main table at the dataset level.
In the dataset field with the IDs in the RLS settings, enter
useridvariable can be used together with the regular RLS type in the dataset:
'[value 1]': [user 1], [user 2] '[value 2]': [user 3] userid:userid
You can transfer the RLS logic to the source side for sources where the data structure can be changed. In Metrica and AppMetrica, the data structure is closed so you can't use this method.
How to change permissions to a row in a dataset
To configure permissions for a data row value:
Open the dataset.
On the right of the row, click and select Permissions.
Enter the value of the field and users in the specified format and click Save.
'[value 1]': [user 1], [user 2] '[value 2]': [user 3]
For example, to configure access to the
first-companyvalue for the
Save the dataset.
- Add to the source a field that will store user IDs and be used for filtering. You can add this field to a new table and join it using the
- Add the field to the dataset.
- Open the dataset.
- On the right of the row, click and select Permissions.
- In the permission settings, add
userid:useridto the field and click Save.
- Save the dataset.
Let's create a dashboard based on sales data by four regions (West, East, North, and South). Regional managers should only have access to their own data, and the company's chief executive to all data.
Let's define user IDs.
In the source, create an additional table named
MANAGER_IDwith the region related to the user ID. If multiple regions are available for the same ID, then list all unique pairs:
REGION MANAGER_NAME MANAGER_ID West Arkady 19287318273912873 East Vasily 92877912837318927 North Olga 02993284928374346 South Dmitry 10836293849237642 West Maxim 71726123712891283 East Maxim 71726123712891283 North Maxim 71726123712891283 South Maxim 71726123712891283
Let's add the table to the dataset.
To do this, we'll make a
Then set up RLS by the
MANAGER_IDfield and add
To change the access control settings, update the data in the source table.