🛑 Setting permissions on dataset
A permission is a row-level security (RLS) rule applied to data to make sure that each user has access only to the data he needs, and no more.
A permission filters the data based on user properties such as user group, user attributes, username, etc., enabling you to restrict access to data according to your users' profiles. The most common user attribute used for mapping permissions is the list of Toucan user groups a user belongs to. However, you can also rely on attributes that come directly from your environment (from your identity provider; more details further down).
Permissions can be defined on both Stored and Live datasets.
Warning:
Permissions on a dataset apply only when the dataset is used either by a live dataset (or a succession of live datasets) or directly by a chart. This implies that if permissions are created on a dataset A, and another stored dataset B is created from dataset A, then the permissions of dataset A will not be valid when referring to dataset B. However, if dataset B has been defined as a live dataset, then the permissions will be applicable.
Information
If a user belongs to more than one user group, he will be able to see the union of all rows allowed by the permissions attached to his user groups.
Information
When permissions are defined on a dataset, it is important to note that these permissions are not applied in staging mode.
To set up a permission on a dataset:
Go to the action menu of the dataset and click on "Permissions"
Configure the default permissions applied to the dataset
Configure permission rules by clicking on the "Add permission" button and filling in the configuration
The permissions are saved automatically when a configuration is changed within the interface.
There are 2 options for the default value on permissions:
Users can't view any row: users won't view any row by default. Thus, you will need to add permission rules to set up permissions in more detail.
Users can view all rows: users will view all rows. Thus, you will need to add permission rules to set up permissions in more detail.
You can build permission rules based on user group and attributes.
You may want to pass some user attributes through the Single Sign-On process. This way, you can define permissions based on the information provided directly by your Identity Provider instead of creating user groups in Toucan Toco.
Please see this documentation for more information on authentication and the usage of user attributes.
So let’s say, in our example, that when a user gets authenticated to Toucan through your SSO, we get an attribute view that fits our need. So a France country manager’s view attribute will be equal to “France” for example.
You can use custom user variables in your permission filters by using the following syntax: {{ YOUR_VARIABLE_NAME }}. In our example, it will be {{ view }}. If you use the right syntax in the input text, the string should be converted into a variable block.
You can directly test how the permissions are applied by using the "Preview as" function.
It lets you test the result obtained for a given user, or for a custom user created on the fly.
It's also possible to verify how permissions are applied while in the Storytelling part, by using the "Preview" function accessible within the navigation bar.
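The rule semantics described on this page (the "Users can't view any row" default, the union of rows across user groups, and the {{ view }} variable), modelled in Python as an added example for working out what "Preview as" should show for a given user. It is not Toucan's code: the rule format, the sample rows, the helper names and the choice that an unresolved variable matches no row are assumptions of this model.

```python
import re

# Constructed sample rows standing in for a dataset.
ROWS = [
    {"country": "France", "revenue": 120},
    {"country": "Spain", "revenue": 80},
    {"country": "Italy", "revenue": 95},
]

# Hypothetical rule format for this model: (user group, or None for any user;
# column; expected value). The value may use the {{ VARIABLE }} syntax.
RULES = [
    ("Spain managers", "country", "Spain"),
    ("Italy managers", "country", "Italy"),
    (None, "country", "{{ view }}"),
]

VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, attributes):
    """Replace {{ name }} with the user's attribute; None if one is missing."""
    missing = [n for n in VAR.findall(template) if n not in attributes]
    if missing:
        return None  # assumption: fail closed, an unresolved variable matches no row
    return VAR.sub(lambda m: str(attributes[m.group(1)]), template)


def visible_rows(user, rows=ROWS, rules=RULES):
    """Default "Users can't view any row"; each matching rule adds rows (union)."""
    allowed = []
    for group, column, template in rules:
        if group is not None and group not in user.get("groups", []):
            continue  # rule is attached to a group the user is not in
        value = render(template, user.get("attributes", {}))
        if value is None:
            continue
        for row in rows:
            if row[column] == value and row not in allowed:
                allowed.append(row)
    return allowed


def countries(user):
    """Sorted list of countries the user can see, for quick comparison."""
    return sorted(r["country"] for r in visible_rows(user))
```

A user in both "Spain managers" and "Italy managers" sees the rows of both groups, and a user with no group and no view attribute sees nothing.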