Authorization and access control

Analytics provides enterprise-class authorization and access control capabilities to manage who can perform certain actions and access specific objects within the system.

Authorization

You are authorized to perform actions in Analytics based on the roles assigned to you. See Roles.

Access control

Access to every object in the system, such as Datasets, Metrics, Explorations, and Dashboards, is controlled by permissions granted through access levels. You can gain access to an object in one of the following ways:

  • By belonging to a group that has access to the object.
  • By belonging to a group where one of its parent groups has access to the object.
  • By being explicitly granted access to the object.
  • By having certain roles assigned that provide access, such as the Org Admin role.

Access levels

For each object, a user can have one of the following access levels:

  • Can view – View the object, but cannot edit or share it with others.
  • Can edit – Edit the object, but cannot share it with others.
  • Full access – View, edit, and share the object.
  • No access – Cannot access the object.

Click the Share icon to see who has access to an object and their access levels.

The following is a list of shareable entities:

  • Apps
  • Folders
  • All catalog entities

Only access levels explicitly assigned to an object are shown when you click the Share icon. Users who have implicit access through their roles (for example, the Org Admin role) or group memberships are not displayed there.

Folder-based access levels

Objects in the Analytics catalog are organized into hierarchical folders. Access levels can be assigned to folders, and objects within a folder inherit its access level unless an explicit access level is granted to individual objects.

For example, if Folder 1 contains Folder 2 and Dashboard 0, and Folder 2 contains Dashboard 1 and Dashboard 2:

  • If you have Can edit access for Folder 1 but Can view access for Folder 2, you have Can edit access for Dashboard 0 but only Can view access for Folder 2 and its entities (Dashboard 1 and Dashboard 2).
  • If you are then granted Can edit access for Dashboard 1, you have Can edit access only for Dashboard 1, not for Dashboard 2 or Folder 2.

Access levels assigned to a folder are inherited by objects and folders it contains, recursively down to leaf-level objects.

For example, if Folder 2 is a child of Folder 1 and Folder 3 is a child of Folder 2, assigning Can edit access to Folder 1 means Folder 2 and Folder 3 inherit this access level, as do objects within these folders, unless a different access level is specifically assigned.
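
The folder inheritance rule above can be modeled as "the nearest explicit assignment on the path to the root wins". The following is an added example, not Analytics code: the names PARENT, effective_level and overrides are hypothetical, and the catalog is constructed to match the Folder 1 / Folder 2 example. It covers folder inheritance for a single user only, and returning "No access" when nothing is assigned on the path is an assumption.

```python
# Added example: models only the folder inheritance rule described on this page.
# All names here are hypothetical; this is not a product API.

# Constructed catalog matching the first example: object -> parent folder.
PARENT = {
    "Folder 1": None,
    "Folder 2": "Folder 1",
    "Dashboard 0": "Folder 1",
    "Dashboard 1": "Folder 2",
    "Dashboard 2": "Folder 2",
}

NO_ACCESS = "No access"  # assumption: result when nothing is assigned on the path


def effective_level(obj, explicit, parent=PARENT):
    """Return the nearest explicit assignment, walking from obj up to the root."""
    seen = set()
    node = obj
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in folder hierarchy at {node!r}")
        seen.add(node)
        if node in explicit:
            return explicit[node]  # an explicit level stops inheritance here
        node = parent[node]
    return NO_ACCESS


def overrides(explicit, parent=PARENT):
    """Map each non-root explicit assignment that differs from the level the
    object would otherwise inherit to (inherited, assigned)."""
    found = {}
    for obj, level in explicit.items():
        up = parent[obj]
        if up is None:
            continue  # a root folder has nothing to inherit from
        inherited = effective_level(up, explicit, parent)
        if level != inherited:
            found[obj] = (inherited, level)
    return found


if __name__ == "__main__":
    grants = {"Folder 1": "Can edit", "Folder 2": "Can view", "Dashboard 1": "Can edit"}
    for obj in PARENT:
        print(f"{obj:12} {effective_level(obj, grants)}")
    print(overrides(grants))
```

The overrides listing is the part worth checking during an access review: it shows where an object's level was set apart from its folder, such as Dashboard 1 being editable inside a view-only Folder 2.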