How Source Permissions Are Determined

This applies to: Visual Data Discovery

By default, the creator of a source configuration always has Data Access, Read, Write, and Delete permissions until those permissions are changed by an administrator or someone with appropriate authorization to change source permissions. If a user is removed from the Symphony environment, sources created by that user are retained. The system admin (v23.4) becomes the creator of these orphaned data sources.

Data Access is a separate permission for sources. It can be set directly on sources for users, groups, and accounts, and is enabled for users, groups, and accounts when you assign Read permission for a visual that uses that source. Unless they are granted Read permission to the source as well, they can't see the source listed on the Source page, or select the source to create a new visual (for users with the Create Visuals or Administer Visuals privilege).

If conflicting source permissions are specified for a tenant, the group within a tenant, and the user within a tenant, the permissions granted to the users are determined using a most permissive model. Users are granted the highest level of permission specified for the tenant, group, and user. For example, if the tenant is granted read and write permissions, but Group A is granted write and delete permissions, users in Group A will be able to read, write, and delete the source. However, users in any other groups in the tenant will only be able to read and write the data source.

Here's another example. If the tenant is granted data access, read, write, and delete permissions, but the groups in the tenant are only granted data access permissions, all users in the tenant will have data access, read, write, and delete permissions for the data source.