Setting permissions on dataset
Last updated
Was this helpful?
Last updated
Was this helpful?
A permission is a row-level security (RLS) applied to data to make sure that any user has only access the data he needs, and no more.
A permission filters the data based on user attributes such as user group, user attributes, username, etc., enabling you to restrict access to data according to your users' profile. The most common user attribute used for mapping permissions is the list of Toucan user groups a user belongs to. However, you can also rely on attributes that may come directly from your environment (from your identity provider; see more details further).
Permissions can be defined on both Stored and Live datasets.
Warning :
Permissions on a dataset are applicable only when the dataset is used either by a live dataset (or a succession of live datasets) or directly by a chart. This implies that if permissions are created on a dataset A, and another stored dataset B is created from dataset A then the permissions of dataset A will not be valid when referring to dataset B. However, if dataset B has been defined as a live dataset, then the permissions will be applicable.
In order to setup a permission on a dataset
Go on the action menu of the dataset, and click on "Permissions"
Configure the default permissions applied to the dataset
Configure permissions rules by clicking on "Add permission" button and making the configuration
The permissions are saved automatically when a configuration is changed within the interface.
The is 2 options for default value on permissions:
Users can't view any row: users won't view any row by default. Thus, you will need to add permission rules to setup permissions more in detail.
Users can view all rows: user will view all rows. Thus, you will need to add permission rules to setup permissions more in detail.
You can build permission rules based on user group and attributes.
You may want to pass some user attributes through the Single Sign On process. In this way, you can define permissions based on the information provided by your Identity Provider directly instead of creating user groups in Toucan Toco.
So let’s say, in our example, that when a user gets authenticated to Toucan through your SSO, we get an attribute view that fits our need. So a France country manager’s view attribute will be equal to “France” for example.
You can use custom user variables in your permission filters by using the following syntax: {{ YOUR_VARIABLE_NAME }}. In our example, it will be {{ view }}. If you use the right syntax in the input text, the string should be converted into a variable block like this:
There is a possibility to test directly the application of the permissions by refering to the "Preview as" function.
It allows to tests the result obtained for a given user, or a custom user created on the fly.
It's also possible to verify the application of permissions while in the Storytelling part, by using the "Preview" function accessible within the navigation bar.
Please see this for more information on authentication and the usage of user attributes.
