About Source Permissions
This applies to: Visual Data Discovery
As a Symphony user assigned to a group with the Administer Sources privilege or with the Manage Source Permissions privilege, you can enable users to work with data sources by enabling Data Access, Read, Write, and Delete permissions for sources.
Note: If you try to delete a visual, filter snippet, dashboard, dashboard link, source, or source field, Symphony displays an error message naming any objects dependent on the item you’re trying to delete. You can delete the item after you’ve removed the association from the dependent object. See Fields Usage.
Users who create a data source can always modify or remove it, unless their permissions are revoked. Users who belong to a group with the Administer Sources privilege enabled have Data Access, Read, Write, and Delete permissions for any source in Symphony Visual Data Discovery.
You can grant data source access to users who do not belong to a group with privileges enabled by defining Data Access, Read, Write, and Delete permissions for individual sources.
Data Access is a separate permission for sources. It can be set directly on sources for users, groups, and tenants, and is enabled for users, groups, and tenants when you assign Read permission for a visual that uses that source. Unless those users, groups, or tenants are also granted Read permission to the source, they can't see the source listed on the Sources page or select the source to create a new visual (for users with the Create Visuals or Administer Visuals privilege).
Privilege Considerations
To manage permission settings for a source, a Symphony user must meet one of the following criteria:
The user is an administrator, belonging to the Administrators group.
The user belongs to a group with the Administer Sources (ROLE_ADMINISTER_SOURCES) privilege enabled.
The user belongs to a group with the Manage Source Permissions (ROLE_PERMISSION_SOURCES) privilege enabled. If a user only has this privilege (and not the Administer Sources privilege), they can only manage permissions for sources they can read.
In addition, you may be restricted in which permissions you can assign. You can only assign permissions equivalent to your own. For example, if your user account has read permission for a source, you can grant and revoke the read option available on the Source Permissions panel. If you have write permission for a source, you can grant and revoke the write option on the Source Permissions panel.
Note: If your user account does not have read permission for a source, you can't see the source on the Sources page.
Source permissions are determined using a most permissive model. For more information, see How Source Permissions Are Determined.
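The delegation rules in this section can be modelled as a small access-review check. This is an added Python example, not Symphony code or its API. The permission labels, sid tuples, data structures and sample users are constructed for illustration. The union-based reading of the most permissive model and the treatment of Administrators as holding all four permissions are assumptions.

```python
# Added illustration; all names and data structures here are hypothetical.
ALL = frozenset({"DATA_ACCESS", "READ", "WRITE", "DELETE"})  # labels assumed
ADMIN_GROUP = "Administrators"
ADMINISTER, MANAGE = "ROLE_ADMINISTER_SOURCES", "ROLE_PERMISSION_SOURCES"


def effective(user, acl):
    """Most permissive model, simplified: union of the grants made to the
    user, to each of the user's groups, and to the user's tenant."""
    sids = [("USER", user["name"]), ("TENANT", user["tenant"])]
    sids += [("GROUP", g) for g in user["groups"]]
    return set().union(*(acl.get(sid, set()) for sid in sids))


def grantable(user, group_privs, acl):
    """Permissions the user may grant or revoke on one source."""
    privs = set().union(*(group_privs.get(g, set()) for g in user["groups"]))
    if ADMIN_GROUP in user["groups"] or ADMINISTER in privs:
        return set(ALL)  # assumed: administrators hold all four permissions
    if MANAGE not in privs:
        return set()
    own = effective(user, acl)
    # Manage-only users: readable sources only, and only what they hold.
    return own if "READ" in own else set()


def review(users, group_privs, acl):
    """Map each user who can manage this source to what they can hand out."""
    found = {u["name"]: sorted(grantable(u, group_privs, acl)) for u in users}
    return {name: perms for name, perms in found.items() if perms}


# Constructed sample data for one source.
GROUP_PRIVS = {"SourceAdmins": {ADMINISTER}, "Delegates": {MANAGE}}
ACL = {("GROUP", "Delegates"): {"DATA_ACCESS"},
       ("USER", "dana"): {"READ", "WRITE"},
       ("TENANT", "acme"): {"DATA_ACCESS"}}
USERS = [
    {"name": "root", "groups": ["Administrators"], "tenant": "acme"},
    {"name": "sam", "groups": ["SourceAdmins"], "tenant": "acme"},
    {"name": "dana", "groups": ["Delegates"], "tenant": "acme"},
    {"name": "eli", "groups": ["Delegates"], "tenant": "acme"},
]

print(review(USERS, GROUP_PRIVS, ACL))
```

In the sample, eli holds the Manage Source Permissions privilege but has only Data Access on the source, so the review omits eli, while dana can delegate everything except Delete.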
Data Store Connection Considerations
Users with write permissions for a data source are automatically able to read the connection definitions for a data source. However, connection definitions can only be maintained by Symphony administrators or users belonging to groups that have been granted the Manage Connections privilege.
Row and Column Security Considerations
Row and column security filters can be maintained for a data source by:
An administrator.
A user in a group that has been granted the Administer Sources privilege.
A user in a group that has been granted the Manage Source Permissions privilege who also has read permission for the data source.
Security filters will not be applied to users with the privileges mentioned above. Source administrators can manage security filters for regular users but not for other source administrators.
For specific information about source permissions, see the following topics:
Data source permissions can also be managed using the API endpoints GET /api/sources/{sourceId}/acls, PATCH and PUT /api/sources/{sourceId}/acls/bulk, GET /api/user/permissions/sources/{sourceId}, GET /api/user/permissions/sources, and GET /api/inventory/SOURCE/{id}.
When you use the GET /api/sources/{sourceId}/acls endpoint, you can read the source data. Use PATCH and PUT to restrict the list to specific users, groups, or tenants using the sidTypes parameter. In addition, you can use the returnSids parameter to restrict the list so it retrieves only users, groups, or tenants with access to the sources or to only users, groups, or tenants without access.
API documentation is provided with your Symphony installation at this link: <symphony-URL>/discovery/swagger-ui.html.
Permissions for imported objects
When you import dashboards, associated resources such as visuals, sources, and connections are imported as well. You can quickly grant default access levels to all imported and associated objects in your tenants by enabling Share Default Access With All Users at import time. Users are granted Data Access to Sources and Read access to Visuals and Dashboards.