Data Permission Management

  • Last update:December 15, 2023
  • Rules of Constructing Business Package Hierarchy

    1. Layer business packages in FineBI following the principles of "Be convenient for data distribution and management, improve system performance, and facilitate data maintenance and updates." The goal is to minimize cross-level associations, control the magnitude of updates, and simplify data permission allocation.

    2. Considering the differences in industry and warehouse structure, companies can create business packages or groups in FineBI according to the company's business type, system, user department, and person in charge of the business package. For example:

     

    3. Follow the responsibility system when managing business packages.

    • Assign each business package/group to data administrators as needed. Typically, the raw data is managed by IT personnel, the basic data is handled by department data analysts, and the analysis table is managed by the business personnel who create the table.

    • Ensure the data quality of their business packages/groups, including but not limited to ensuring no duplicate data tables, correct indicator logic, and consistent data calibers.

    •  Keep the business package data as the only source of official data output. The data released by the business package administrator is the only official data for the corresponding module.

    • An example of a permission allocation and maintenance system:

     

    4. The four elements of business package naming are the business/system/user department, the business package level, the data information, and the person in charge of the business package. Enterprises can name business packages according to the actual condition and do not have to strictly follow the naming rules. For example, some customers usually simplify naming and omit some prefixes in the actual application. For example:

    5. In addition to dividing groups and business packages by organization, system, and business subject, you can also create public group to store tables for public use by multiple departments in the BI system and tables used for configuring BI permissions to facilitate the subsequent detailed permission assignment and avoid confusion. At the same time, administrators should notice the valuable data concluded by business users through self-analysis to continuously improve the public data tables.

    6. Here is an example of the business package design.

     

     

    Dataset Rules

    Dataset Naming Rules

    The name of a public dataset interprets the data the most clearly. Clear naming helps to reduce communication costs and helps users quickly know the dataset content.

    The recommended naming rules are as follows.

    1. Department_dataset content_creator

    2. Analysis indicator_business purpose_creator

    3. Table granularity_business meaning_database source

    Data Management

    A business package should include raw data, basic data, and analysis tables, and tables of the same class should be stored at the same level. After grouping business packages by department or business, divide the data of each group into raw data, basic data, and analysis tables.

    The construction rules are as follows.

    1. Raw data consists of tables from the operational data store (ODS), and are not directly used in FineBI. It is non-essential but serves as an underlying layer for maintaining scalability. Data redundancy may occur in case of large data volume. Select tables as needed.

    2. Basic data consists of tables from the data market (DM), with specified business meanings and coverage.

    • Creation rules: High cohesion and low coupling.

    • Fields in the table must be highly matched with the subject of the basic table.

    3. Analysis tables are summary tables obtained by business personnel through processing basic tables in FineBI, requiring no adding by administrators. Administrators only need to prepare the raw data and basic data and allocate permissions.

    Public Data Management Approach

    Data Preparation in FineBI 5.x and Public Data in FineBI 6.0 provide public data to users within the enterprise. If the data in these modules is not well managed, poor data utilization may occur in the long run due to the continuous increase of redundant resources, the gradual confusion of data lineage, and the increased difficulty in data usage.

    Super admins as well as all secondary admins (users with permission to manage public data) shall wittingly:

    1. Publish and remove data following rules: Comply with corresponding rules to publish and remove public data and record necessary information.

    2. Observe data table maintenance responsibility system: Each data table must have a clear person in charge, who is responsible for the interpretation, question answering, error checking, and subsequent maintenance of the data.

    3. Improve public data description: A simple but comprehensive description of the public dataset can help others to use it.

    4. Clarify the logic and boundaries of the dataset: Ensure that the connections and distinctions between datasets are clear, and avoid multiple tables for the same business.

    The ideal public data is as follows.

    • Public data is grouped by business modules and users can find all the required data in the team directory, with only one copy of each data table (no longer distinguishing between the types of data tables).

    • Public data is of good data quality, with clear dimensions, consistent criteria, and clear primary keys. Users no longer need to confirm dimension information or verify whether the calculation caliber meets expectations. During joint analysis, cross-source data can be correlated smoothly and are not forcibly put together.

    • Rights and responsibilities are clear. All data tables published to the public module have undergone strict review and similar data are not repeatedly published.

    • It supports the release of data models, and users can refer to or reuse the existing data models, which are also constantly optimized with the newly drawn analysis conclusions.

    Directory Management

    A well-managed directory of the BI system can improve the efficiency of users, while the opposite may cause unnecessary misunderstanding and dissatisfaction among users.

    1. Directory nodes can be named following the organizational structure and special classification as needed.

    2. The directory level should not exceed three.

    3. It is prohibited to set dashboards and directory nodes at the same level at the same time.

    4. After the user applies to publish a dashboard, the business administrator shall confirm to which directory the user wants to mount the data and review the content and efficiency of the dashboard. The inspection items include but are not limited to:

    • Whether functions work properly;

    • Whether the color scheme and UI design meet the standards;

    • Whether the data is accurate;

    • Whether the component name complies with standards;

    • Whether the loading time is in line with performance requirements;

    • Whether the necessary text description is included.

    5. The dashboard name can be in the format business meaning_responsible person, such as "Platform user analysis_peter". through which users can know the purpose of this dashboard in combination with the directory name.

    Permission Allocation Strategy

    BI Permission System

    Permission Scope

    Object

    Permission

    Description

    Data connection

    Usage

    If assigned this permission, users can fetch data from the corresponding table via the data connection when adding DB/SQL tables.

    Management (dependent on hierarchical authorization)

    If assigned this permission, users can edit, delete, and copy data connections within the permission scope.

    Folder/Business package

    Usage

    If assigned permission to use a business package, users can use data from this business package to create dashboards and self-service datasets and can use all new data in this business package. However users cannot add any tables to the business package, including basic data tables and self-service datasets, nor can they rename, delete, or move and group business packages.

    Management

    If assigned permission to manage a business package, besides those included in the usage permission, users can create tables in the business package, including basic tables (data analysis users can only create Excel datasets, while data processing users can create any basic table) and self-service datasets. Users can also rename and delete the business package. Users can edit the basic table in the business package, but can't edit the self-service dataset created by others (administrators can).

    Data table

    (V6.0) Component data viewing permission

    In Version 6.0, the permission to view component data is a separate permission item. By granting this permission to users while disabling their usage permission, they can view the data on the dashboard, but cannot use it for further analysis.

    (V6.0) Management permission

    In Version 6.0, the permission to manage datasets is redesigned. If a user is assigned this permission, no matter whether this dataset is created by the user or not, this user can edit the dataset, including modifying steps, renaming, deletion, etc.

    Usage

    If assigned this permission, users can view dataset data and perform further analysis based on it.

    Row-level permission

    If assigned this permission and usage permission, users can configure data tables in FineBI to only display certain rows of specific objects.

    Column-level permission

    If assigned this permission and usage permission, users can configure data tables in FineBI to only display certain columns to specific objects.

    Platform directory

    Viewing

    This permission can be configured for a folder or a single dashboard. If assigned this permission, users can see the name of the folder/dashboard in the platform directory, but whether they can access detailed data in the folder or dashboard depends on whether they have the dataset permission or not.

    Export

    FineBI also supports the configuration of permissions to export the dashboard for users who have been granted viewing permission.

    Single dashboard (dependent on template authentication)

    Viewing and export

    In addition to opening a dashboard by clicking the directory in FineBI, users can also open and view a dashboard through the preview link. To control the permission to view and export the dashboard in this case, configure the template authentication.

    Permission Allocation Object

    The data permissions in FineBI can be allocated by department, position, role, and user.

    Among them, the configuration of permissions for a user takes priority over that for other objects. If a user is configured with permissions (with a yellow/grey guy icon on the right side of a node), the user’s permission settings to that node prevail over those for his/her department/position/role.

     

    If user permissions are configured on department, position, and role dimensions, the final permission is the union of those settings.

    • If a user belongs to multiple permission carriers, such as User A belongs to Department A-Position 1, and Role A, the permission settings of different carriers for the same permission entity (dataset) jointly take effect.

    • If a user belongs to multiple permission carriers, such as User A belongs to Department A-Position 1, and Role A, the permission settings of different carriers for different permission entities jointly take effect.

    Unified Allocation Workflow

    It refers to designating a system administrator to handle all permission allocation, including:

    1. Initial authorization: During the system construction and promotion, administrators will add many datasets and dashboards into the system, to which the initial permissions should be set according to the results of permission research.

    2. Permission application and authorization: During usage, users may gradually find that their permissions fail to meet analysis needs. To grant permissions, a permission approval workflow should be created with an entrance for permission application.

    3. Permission viewing: After allocation, if you want to view the allocated permissions, you can use the Export Permission plugin or check them in the system authorization logs. 

    Hierarchical Authorization Strategy

    In large and medium-sized enterprises, in addition to a unified super admin, FineBI also needs to set up subordinate administrators to grant the permission of permission allocation to each business module to facilitate daily work. This scenario can be achieved by the hierarchical authorization function. For details, see Sub-admin Permission Scope.

    iconNote:
    The super admin should set standards for the daily authorization by sub-admins in advance and review their work regularly.


    Permission Implementation Scheme

    Implementation Scheme

     

    Case Studies

    A total of more than 100 data tables are spread across 10 departments in a company. Two departments with typical data characteristics were selected based on the previous information collection to build the permission system.

    Data characteristics of Department A: There are three different job levels, namely team leader, team member, and intern. The team leader can see all the data of the department and usually does not conduct data analysis. Team members can see most of the data and need to conduct data analysis. Interns can only see a small part of the data and do not need to conduct analysis.

    Data characteristics of Department B: There is only one position and everyone is familiar with all the data in this department, but they belong to different stages in the workflow. "Business personnel" only need to view the data analysis results, "analyst" is responsible for further developing the processed detailed data to obtain the results required by business personnel, and "developer" is responsible for introducing and standardizing the department's data for use by analysts.

    The two departments share a data operator named Kate, who knows the data of both departments well, especially which data is sensitive, which data can be shown to external people, and which data can be made public.

    Based on these data characteristics, the company has designed the following permission logic table.

    Permission priority from high to low is listed below.

    • Authorization permission

    • Adding, deletion, and modification (management) permissions

    • Usage permission

    • Viewing permission

    Data Row and Column Permission Scheme

    In enterprises, managers usually hope that users at different levels can only view the data within their permission scope, such as certain data rows for their department or business line, or only certain users have access to specific data fields (for example, only the manager can see salary information, while others can only see basic personal information). FineBI allows setting row and column permissions to achieve this scenario.

    For details, see Assigning Partial Data Permission of a Data Table.

    For detailed configuration cases, see:

    In addition, for data obtained through a direct connection, using system username parameters, department parameters, etc. for control is advised. For details, see Assigning Permissions Through System Parameters.


    附件列表


    主题: 源文档下架
    Previous
    Next
    • Helpful
    • Not helpful
    • Only read

    滑鼠選中內容,快速回饋問題

    滑鼠選中存在疑惑的內容,即可快速回饋問題,我們將會跟進處理。

    不再提示

    10s後關閉

    Get
    Help
    Online Support
    Professional technical support is provided to quickly help you solve problems.
    Online support is available from 9:00-12:00 and 13:30-17:30 on weekdays.
    Page Feedback
    You can provide suggestions and feedback for the current web page.
    Pre-Sales Consultation
    Business Consultation
    Business: international@fanruan.com
    Support: support@fanruan.com
    Page Feedback
    *Problem Type
    Cannot be empty
    Problem Description
    0/1000
    Cannot be empty

    Submitted successfully

    Network busy