Analytics offers enterprise-class authorization and access control capabilities.
Authorization
Users in Analytics are authorized to perform certain actions based on roles assigned to them. See Roles.
Access Control
Access to every object in the system such as a Dataset, Metric, Exploration, Dashboard etc. is controlled by permissions granted through access levels. Users get access to an object in the system by one of the following ways:
- Belonging to a group that has access to that object.
- Belonging to a group where one of its parent level groups has access to that object.
- Explicitly being granted access to that object directly.
- Having certain roles assigned that provide access e.g. "Org Admin" role.
Access Levels
For each object, a user can have one of the following access levels:
- Can View - user can view the object but cannot edit or share it with others.
- Can Edit - user can edit the object but cannot share it with others.
- Full Access - user has full read, write and share access to the object.
For any object you can see who has access to that object, and with what access level, by clicking on the "Share" Icon. A list of users and groups with their corresponding access level is shown.
Following is the list of shareable entities:
- Apps
- Folders
- All catalog entities
This is the access level that has been explicitly assigned to the object. Some users may have implicit access based on their role (e.g. "Org Admin" has access to everything), or may have access based on group memberships, which will not be shown here.
Folder-based Access Levels
All objects in the Analytics catalog are organized into hierarchical folders. Access levels can be assigned to folders too. All objects contained in a folder inherit the access level of that folder unless an explicit access level has been granted to individual objects in the folder.
In the above figure Folder 1 contains Folder 2 and Dashboard 0. Folder 2 contains Dashboard 1 and Dashboard 2. The following scenarios illustrate the effective access levels based on foldering structure:
- If the user has Can Edit access for Folder 1 but Can View access for Folder 2, then the user will have Can Edit access for Dashboard 0 but Can View access for Folder 2 and its entities - Dashboard 1 and Dashboard 2.
- If user is now granted Can Edit access for Dashboard 1, then the user would have Can Edit access only for Dashboard 1 and not for Dashboard 2 or Folder 2.
Access level assigned to a folder is inherited by all objects and folders it contains, recursively all the way to leaf-level objects. For example if the folder structure is as follows:
Folder 2 is a child of Folder 1 and Folder 3 is a child of Folder 2.
- If Can Edit access level is assigned to Folder 1, then Folder 2 and Folder 3 inherit the Can Edit access level. All objects contained in Folder 1, Folder 2 and Folder 3 inherit the Can Edit access level unless a different access level has been specifically assigned.
Please sign in to leave a comment.