Bulk connection management at a user level

Hey everyone,

Can anyone please tell me if we have the ability to manipulate the user connection settings i.e. viewer, Restricted Querier, Querier etc from the API? I was seeing the api docs for “users” but there is nothing related to updating the connection settings.

To elaborate my use case, when we onboarded users to Omni platform, we onboarded them in bulk and applied a default connection setting of Restricted Querier. So basically every user is by default set to No Access at a user level but the connection level access setting overrides their permission, resulting in the appropriate access.
However, we want to move away from this, now that our onboarding of users has stabilized. And we want to set Connection to No Access while each user has their own individual access level.

Any advice is appreciated! Thank you.

I have a follow up for this topic as well.

Imagine we form a new connection for some database.

1. Will that be No Access for all users by default?
2. Will I need to go again into each user and select this new connection and then make it the appropriate level for every user?
3. I personally want to move away from Connection Level role. This can have security implications in the future.

How would we handle this at scale if a company has 500+ employees?

Lastly, is it an architecture choice that we have a user - connection role rather than a user level role?

Wouldn’t it make more sense to have a user level resolved role rather than a user-connection resolved role?

Hi Kartik! You can update the default connection using the connection API (docs here) using the baseRole parameter. Similarly you can use the create connection API to deploy a new connection with whichever base access you prefer.

The reason behind the user-connection approach is that some customers deploy a mix of users across several data connections, where some users are restricted to single connections while others have broader access (like data admins). When deploying at scale, we recommend taking a fairly locked-down approach where base access is restricted (such as No Access or Viewer) and then selectively upgrading users, which can be done in bulk via APIs. I recommend reading these common permission scenarios to get a sense of how you might manage access to a large user base. Hope this helps!

Hi Adrien, thank you for your response. These docs are helpful and highlight what we are doing right now. But I don’t think they answer my question.

I want to understand how we can set a base access at a user level rather than from a connection level. Any docs related to that would be appreciated.

Just to reiterate, any user onboarded would by default have No Access at a user level. And we have to manually change the access level per user. Is there an easier way to do this? Our base connection level is No Access.

Thank you.

The way I’d recommend doing this is setting up User Groups (APIs) and then applying a certain connection role to those groups. Right now you’d have to manually set the base role for each group - we’re working on APIs for this - but it should be significantly easier to do this for a handful of groups rather than 500+ users. For example you could just make No Access, Viewer, Restricted Querier groups, assign people to them, and then only have three manual “updates” to make in your connection settings.

That is helpful. Thank you so much for your help.