Permission Inheritance

1.1 Version

1.2 Application scenario

A "Data processing self-service dataset" can be assigned row permissions, but a "Data analysis self-service dataset" cannot. So how does it have row permissions?

A "Data analysis self-service dataset" can inherit the parent table's "row permissions" through "permission inheritance" and cannot and does not need to configure row permissions separately.

The two types of self-service datasets can be described in: Determining the nature of self-service datasets

1.3 Cautions

The ability to set permission inheritance requires that the self-service dataset meets the following requirements.

• It is a self-help dataset of analytical nature.

• If the self-service dataset of this analytical nature needs to be in the extracted state under the Spider version, see section 2.4. There is no such requirement for the Direct Connect version.

2. Example

Leo. Xu (Data Analysis User) has all the data usage and management rights under the "sales" package and has created an analytical self-service dataset using the data from the "sales" package. He wants to share the dataset with Alice and only wants her to see the data for the "America" country.

2.1 Obtain base table permissions

1）Use administrator account to set user Leo.Xu as "Data Analysis User", please refer to Data Analysis User for details

2）The usage and management rights of the "sales" business package are assigned to Leo. For more details, see: Business Package Permission Assignment

2.2 Set base table permissions

1）Login with Leo.Xu user account, click Manage>Permission and set the base table "FRDemo_CUSTOMER" to see only customers in America for Alice (data analysis user), who is the sales leader in America. As shown in the figure below.

Note 1: Alice user can also be a data processing user, the design user type does not affect the effect of permission inheritance, if it is a BI view user, the dashboard data to be viewed will be determined by the sharing method and user permission.

Note 2: Permission inheritance is limited by the creator's permission, see section 3.2 of this article for details.

2.3 Create a self-service dataset

Leo.Xu (Data Analysis User) is the sales manager and created the "customer" table using "FRDemo_CUSTOMER" and some other tables as shown in the figure below.

2.4  Set Permission Inheritance

1）Under the Spider version, the self-service dataset must be in the extracted state before Permission Inheritance is possible, as shown in the following figure.

If you want to create  "customer” table for  America sales leader Alice (Data Analysis User) to see only customers in the America, you can check Permission Inheritance for this self-service dataset, as shown below.

2.5 Permission Inheritance effect

1）When the Alice user (Data Analysis User) logs in to her account and views the "customer" table, she can only see the data for the America country she is responsible for, as shown in the figure below.

2）The "customer" self-service dataset implements the inheritance of the base table permissions. However, if you look at the associated view interface, you will see that there is no inheritance of the association, as shown in the following figure.

2.6 Close scenario

2.6.1 Application scenario

If Leo.Xu, as a Data Analysis User, has created a self-service dataset for "Sales Data Analysis" and wants to show Alice all the data, you can turn off the Permission Inheritance button for that "Sales Data Analysis" as shown below.

If Leo.Xu, as a Data Analysis User, has created a self-service dataset for "Sales Data Analysis" and wants to show Alice all the data, you can turn off the Permission Inheritance button for that "Sales Data Analysis" as shown below.

2.6.2 Effect view

Alice (Data Analysis User), the regional manager of America, can log in to her account and view the "Sales Data Analysis", and see the data of all regions, Alice can use the data of other regions to compare with her own region and do the analysis accordingly. The figure below shows.

3. Cautions

3.1 Associated Relationships

3.1.1 Concept

Table A : Table B = 1 : N, and set the A table field row permission for user R. User R uses table A and table B as the base table to build the analysis self-service dataset with Permission Inheritance enabled (in case of Spider version, set Update Information to Extract Data). In this case, the association view of table A generates an association between table A and the created self-service dataset. The association cannot be edited or deleted, and has no effect on the data table; it disappears when Permission Inheritance is turned off.

3.1.2 Example

Explained in Spider version

1）「DIM_CONTRACT」:「FACT_SALE_CONTRACT」=1: N, as shown in the following figure.

2）Enable the "sales" package permission for user Anna, and set row permissions for the A table field bar, as shown below.

3）Log into Anna's account. The user, Anna, has created an analytic self-service dataset named "Anna Permission Inheritance" using "DIM_CONTRACT" and "FACT_SALE_CONTRACT" and enabled Permission Inheritance as shown in the following figure.

4）Change the extraction setting to "Extract Data", as the figure below.

5）If you look at the "FACT_SALE_CONTRACT" association view, you will find that the system automatically generates an association with "Anna Permission Inheritance", which cannot be deleted or modified under the administrator account. As shown in the figure below:

3.2 Permission Inheritance is restricted by the permissions of the creator

1）For example, Data Analysis User Hanwen has the permission of some rows in the "FRDemo_ORDERS", and can only see the Data of SHIPPORT: A, B, and C, as shown in the figure below:

2）Hanwen created an "order" table using "FRDemo_ORDERS" and enabled Permission Inheritance, as shown below:

3）The super administrator assigns the "FRDemo_ORDERS" and "order" table to Alice, as shown in the figure below:

Set "FRDemo_ORDERS" to be SHIPPORT are B, C, D as shown in the figure below:

4）At this time, user Alice logs in to view the order, and can only see the data whose SHIPPORT are B and C, as shown in the following figure:

3.3 Fields for setting row permissions must be added to the grouping box

The Permission Inheritance under Extracted Data requires the following two points.

• When doing the self-service dataset add grouping summary, you must add the fields for setting row permissions to the grouping box. Turn on Permission Inheritance before the self-help dataset has data, otherwise, the self-help dataset display is empty.

• A table and B table to establish association: A table: B table=1:N. Set row permissions to the main table A. When using the B table to add a group summary to the self-service data set, the fields for setting row permissions must be added to the grouping box. To turn on Permission Inheritance before the self-service data set has data, otherwise, the self-service data set display is empty.

3.4 Dataset is empty after merge up and down

Create a self-service dataset with the table that sets row permissions, add "Group summary" and "merge up and down" to the self-service dataset, and turn on Permission Inheritance. In this case, the self-service dataset will be displayed as empty no matter how it is set.