Access control

Ensuring that the right people in the right roles have access to the right data (and more importantly do not have access to the wrong data) is crucially important. This section will detail the access control functionality built into the Imply UI.

All the features of this section assume that Imply UI acts as a gatekeeper to the data store - i.e. users can only query the data store via Imply UI and never directly.

Data cube and dashboard access control

It is possible to define access permissions for each data cube and dashboard.

This can be done from the Access tab of each. In the dashboard the access tab is in the Options panel.

Data cube edit access

It is possible to restrict access to only specific people or specific roles.

The edit access permissions of individual data cubes and dashboards only apply if the user has the ChangeDataCubes and/or ChangeDashboards permissions set. Similarly, a user possessing the AdministerDataCubes and/or AdministerDashboards permissions will be able to see and change all data cubes and/or dashboards respectively.

When a data cube or dashboard is created the default access controls are set according to what is configured by the Default data cube view access, etc. in the settings.

settings advanced

Row and column level restrictions

A data cube acts as a view (in the SQL sense) allowing you to specify a row level filter and a restrict only certain columns for querying.

There are two use cases for restricting the data cube by rows or by columns:

  1. Fine tuning the user experience with a data cube - maybe you want the user to focus on a meaningful subset of the data and tailor the dimensions and measures that a user sees accordingly.
  2. Letting users see only a specific slice of data for security reasons - maybe the user should not be able to see all the roles, maybe some columns contain sensitive data that this user should not have access to.

If you are in the second use case then you must ensure that the users who you are trying to restrict do not have edit permissions to the data cube as otherwise they can just edit the restrictions out. Furthermore you most likely want to restrict these users from accessing the data manager or the SQL IDE by not giving them those permissions. Any user who should be restricted from accessing all data for security reasons should only ever have the AccessVisualization and possibly QueryRawData.

Row level restriction

It is possible to set a subset filter that would be silently applied to every query made through this data cube (this includes any dashboard tiles and Explain queries based on this data cube).

cube edit advanced

The subset filter is a Plywood expression and is editable in the Advanced tab of the data cube edit screen.

If a user does not have permissions to edit or create data cube (or to access to the SQL IDE, or query the data-store directly) then they effectively be restricted to only seeing the data matched by the subset filter expression.

It is possible to make this subset filter dynamic with the aid of filter tokens.

Column level restriction

Only the columns that are used in the dimensions and measures defined in the data cube will be queryable through the data cube. If there are columns in your data that you want to restrict the user from querying you can do so by not having any dimensions or measures defined that use that column.

Token based row level access control

Sometimes it is necessary to have the row based access control be dynamic given the users role. For example you might be using a single source in Imply to provide analytics to users from a variety of organizations and each organization's users should only be allowed to see data that pertains to their organization.

This is the use case that the filter tokens are designed to solve.

The filter token system consists of two parts. The first part are filter tokens themselves that are just a name and filter formula pair that live on the user roles. The second part are the data cubes that can be configured to require filter token of a given name to be queryable. A user possesses all the filter tokens that are on all the roles that the user is assigned to. When a user goes to query a data cube that has a filter token requirement the user must possess exactly one filter token of that name (otherwise no queries will be issued). The filter expression from that filter token will then be applied to all queries.

Filter token example

Imagine you are running a auction system with buyers and sellers and you have a table of auctions (with columns for buyer_id and seller_id) that contains a record of every closed auction. You want to offer some sellers a way to see their own data in Imply but they should not be able to see other peoples data. At the same time your internal users should be able to see all the data.

Let's look at how you might go about setting this up. Note that any suggested names are only there to provide clarity, you are welcome to use your own names.

Step 1 - the roles

You will want to create the following roles:

Step 2 - the data cubes

You will want to create two data cubes all on the autions data source:

Next steps

You might also want to create a similar arrangements for buyers, you can achieve that by symmetrically creating and ExternalBuyer role and a similar data cube to the one in step 2.

Overview

Deploy

Manage Data

Query Data

Visualize

Configure

Misc