About Data Source Permissions
As a Composer user assigned to a group with the Administer Sources privilege or with the Manage Source Permissions privilege, you can enable users to work with data sources by enabling Data Access, Read, Write, and Delete permissions for data sources.
Users who create a data source configuration can always modify or remove it, unless their permissions are revoked. Users who belong to a group with the Administer Sources privilege enabled have Data Access, Read, Write, and Delete permissions for any data source configuration in Composer.
You can grant data source access to users who do not belong to a group with privileges enabled by defining Data Access, Read, Write, and Delete permissions for individual data sources.
Data Access is a separate permission for data sources. It can be set directly on data sources for users, groups, and accounts, and is enabled for users, groups, and accounts when you assign Read permission for a visual that uses that data source. Unless those users, groups, or accounts are also granted Read permission to the source, they can't see the data source listed on the Sources page or select the source to create a new visual (the latter applies to users with the Create Visuals or Administer Visuals privilege).
Privilege Considerations
To manage permission settings for a data source, a Composer user must meet one of the following criteria:
- The user is an administrator, belonging to the Administrators group.
- The user belongs to a group with the Administer Sources (ROLE_ADMINISTER_SOURCES) privilege enabled.
- The user belongs to a group with the Manage Source Permissions (ROLE_PERMISSION_SOURCES) privilege enabled. If a user only has this privilege (and not the Administer Sources privilege), they can only manage permissions for data source configurations they can read.
In addition, you may be restricted in which permissions you can assign. You can only assign permissions equivalent to your own. For example, if your user account has read permission for a data source, you can grant and revoke the read option available on the Source Permissions panel. If you have write permission for a data source, you can grant and revoke the write option on the Source Permissions panel.
If your user account does not have read permission for a data source, you can't see the data source on the Sources page.
Data source permissions are determined using a most permissive model. For more information, see How Data Source Permissions Are Determined.
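The delegation rules in this section can be modeled as a small audit check that answers "which permissions can this user grant or revoke on this source?". This is an added example, not Composer code: the data shapes, permission labels, sample users and function names are hypothetical, and only the two ROLE_* privilege names come from this page. It assumes the most permissive model means the union of a user's own grants and the grants of every group the user belongs to, and that members of the Administrators group hold every permission.

```python
from dataclasses import dataclass, field

# Permission labels and data shapes are constructed for this sketch; they are
# not Composer's API schema. The two ROLE_* names come from the page.
ALL_PERMS = frozenset({"DATA_ACCESS", "READ", "WRITE", "DELETE"})

@dataclass
class User:
    name: str
    groups: dict = field(default_factory=dict)  # group name -> set of privileges

def privileges(user):
    """All privileges the user inherits from group membership."""
    return set().union(*user.groups.values())

def is_source_admin(user):
    # Administrators group membership or the Administer Sources privilege.
    # Treating Administrators as holding every permission is an assumption.
    return "Administrators" in user.groups or "ROLE_ADMINISTER_SOURCES" in privileges(user)

def effective_perms(user, source_acl):
    """Most permissive model, read here as the union of the user's own grants
    and the grants of every group the user belongs to (an assumption)."""
    if is_source_admin(user):
        return set(ALL_PERMS)
    sids = [user.name, *user.groups]
    return set().union(*(source_acl.get(s, set()) for s in sids))

def grantable_perms(user, source_acl):
    """Permissions this user may grant or revoke on one source."""
    own = effective_perms(user, source_acl)
    if is_source_admin(user):
        return own
    if "ROLE_PERMISSION_SOURCES" in privileges(user) and "READ" in own:
        return own  # can only assign permissions equivalent to their own
    return set()  # no managing privilege, or cannot read the source

# Constructed sample data: one ACL per source, keyed by user or group name.
SRC1_ACL = {"Analysts": {"READ"}, "bob": {"WRITE"}, "carol": {"READ", "WRITE"}}
SRC2_ACL = {}
alice = User("alice", {"SourceAdmins": {"ROLE_ADMINISTER_SOURCES"}})
bob = User("bob", {"Analysts": {"ROLE_PERMISSION_SOURCES"}})
carol = User("carol", {"Viewers": set()})

if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.name, sorted(grantable_perms(u, SRC1_ACL)), sorted(grantable_perms(u, SRC2_ACL)))
```

In the sample data, carol holds Read and Write on the first source but can grant nothing, because holding permissions on a source does not by itself confer the right to manage them.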
Data Store Connection Considerations
Users with write permissions for a data source are automatically able to read the connection definitions for a data source. However, connection definitions can only be maintained by Composer administrators or users belonging to groups that have been granted the Manage Connections privilege.
Row and Column Security Considerations
Row and column security filters can be maintained for a data source by a:
- Composer administrator.
- User in a group that has been granted the Administer Sources privilege.
- User in a group that has been granted the Manage Source Permissions privilege who also has read permission for the data source.
Security filters will not be applied to users with the privileges mentioned above. Source administrators can manage security filters for regular users but not for other source administrators.
For specific information about source permissions, see the following topics:
- Grant Permissions for a Data Source
- Modify Permissions for a Data Source
- Revoke Permissions for a Data Source
- How Data Source Permissions Are Determined
Data source permissions can also be managed using the API endpoints GET /api/sources/{sourceId}/acls, PATCH and PUT /api/sources/{sourceId}/acls/bulk, GET /api/user/permissions/sources/{sourceId}, GET /api/user/permissions/sources, and GET /api/inventory/SOURCE/{id}.
When you use the GET /api/sources/{sourceId}/acls endpoint, you can read the source data. Use PATCH and PUT to restrict the list to specific users, groups, or accounts using the sidTypes parameter. In addition, you can use the returnSids parameter to restrict the list so it retrieves only users, groups, or accounts with access to the data sources or to only users, groups, or accounts without access.
API documentation is provided with your Composer installation at this link: https://<composer-URL>/composer/swagger-ui.html.