How do I manage user dataset access using roles (RBAC)?

Below are some high-level points which should get you started.

  • Unless a user has the Admin role or is the owner of the dataset, specific permissions must be set on that dataset (tagging) before that user can access it
  • Tagging is done using fixed permission sets: view, edit, update are the most common but there are others
  • Dataset-level permission sets must be applied to roles: user and admin are the standard ones but others can be created
  • Each dataset should have only one tag of each type, although a permission type can be applied to multiple roles, e.g.
view:hrbp,admin,exec
edit:hrcentral,finance
  • Note that when setting Apply Tag (see screenshot at the end of the article) a different permission type must be set on a different line, but once saved each permission type will appear on the same line separated by ; i.e. the above example will display as
view:hrbp,admin,exec;edit:hrcentral,finance 
  • Multiple tags of the same type will not operate correctly when applied to one dataset, e.g.
view:hrbp
view:admin
view:exec

 

The following approach is the minimum for a given user (name) to have access:

  • Ensure username has an entry in the users table with at least the role "user". If you do not have access, you will have to consult your admin to do this
  • Now username should have access but so will everyone else that is a user in that dataset

Note that in practice, any given individual will have at least two roles (user plus at least one other), except for Admins, who already have unlimited tenant access.

Reminder: where people are assigned to two or more roles (permissions groups) which have different access levels to the same dataset, the highest level would apply to that individual.
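
The tag format and the multiple-role reminder above, worked through in Python as an added example (not the product's own code): it parses a saved tag string, rejects a permission type that appears twice, folds repeated `view:` lines into the single tag the rules call for, and lists the permission types a user's roles grant. The function names, the lower-case `admin` role name, exact-match role comparison and the `*` marker for Admin/owner access are assumptions.

```python
# Added illustration; names and matching rules are assumptions, not the product's code.
ADMIN_ROLE = "admin"  # assumed spelling of the Admin role in the users table


def parse_saved_tag(saved):
    """Parse 'view:hrbp,admin,exec;edit:hrcentral,finance' into {type: {roles}}.

    Raises ValueError when a permission type appears more than once,
    which the article says will not operate correctly.
    """
    perms = {}
    for part in filter(None, (p.strip() for p in saved.split(";"))):
        ptype, sep, roles = part.partition(":")
        ptype = ptype.strip()
        role_set = {r.strip() for r in roles.split(",") if r.strip()}
        if not sep or not ptype or not role_set:
            raise ValueError(f"malformed tag: {part!r}")
        if ptype in perms:
            raise ValueError(f"duplicate permission type: {ptype!r}")
        perms[ptype] = role_set
    return perms


def merge_duplicate_lines(lines):
    """Fold lines such as view:hrbp / view:admin / view:exec into one tag per type."""
    merged = {}
    for line in lines:
        ptype, _, roles = line.partition(":")
        merged.setdefault(ptype.strip(), []).extend(
            r.strip() for r in roles.split(",") if r.strip())
    # dict.fromkeys drops repeated roles while keeping their order
    return ";".join(f"{t}:{','.join(dict.fromkeys(r))}" for t, r in merged.items())


def granted_permissions(saved, user_roles, is_owner=False):
    """Permission types a user holds on a dataset across all of their roles.

    user_roles is the users-table value, e.g. 'user,ftb'.
    """
    roles = {r.strip() for r in user_roles.split(",") if r.strip()}
    perms = parse_saved_tag(saved)  # also validates the tag
    if is_owner or ADMIN_ROLE in roles:
        return {"*"}  # Admins and the owner do not depend on tags
    return {ptype for ptype, allowed in perms.items() if allowed & roles}
```

Running `parse_saved_tag` over every dataset's saved tag is a quick way to audit for the duplicate-type mistake before it causes unexpected access results.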


The following is a general example of managing user dataset access using roles

  • (I will invent a new role ftb to demonstrate)
  • Ensure username has an entry in the users table with at least role "user".
  • Update the role to state "user,ftb"

 

  • If I want anyone else to have the ftb role, I can update in the user table in the same way
  • Update the dataset tag.  If I want username to be the only one to make changes, I set the tag as "update:ftb", although if anyone else has the ftb role, they can now make changes
  • If I want to let everyone see the dataset but only have username make changes, I set the tag "view:user,update:ftb"

 

 

 

 

 

 

 
