You may have some fields in a table that contain sensitive information, or you may want to limit them for another reason. In this article, I’ll:
- Explain how to use Omni to limit access to those fields, and
- Walk through a step-by-step example of this process.
Overview of Column-level Permissions
You can set up column-level permissions through a combination of (1) user attributes, (2) access grants, and (3) access grant requirements on individual fields.
Here’s how those pieces fit together:
- Users have user attributes
- User attributes can be used to create access grants, which define a set of required values for certain user attributes in order for access to be granted
- Applying an access grant to a field means that a user’s user attributes must equal the allowed values in the access grant in order for the user to access that field
This is easier to digest through an example:
- Imagine you’re an eCommerce company that collects PII (personally identifiable information) in the order checkout process. You don’t want everyone in your company to be able to see a customer’s PII — you only want people who have been certified by your security team to have access to this data.
- You might set up a user attribute called security_certified with values of TRUE or FALSE. Each user will have this user attribute denoting if they have been certified by security.
- You can then create an access grant called can_see_pii, which checks that security_certified = TRUE before granting access to a given field.
- Then, you can apply the can_see_pii access grant to a field, limiting access to users who meet the requirements for the can_see_pii access grant (which, in turn, means the user must have security_certified = TRUE).
Another way to think about this is that access grants let you easily apply the same sets of required user attributes to multiple fields without having to repeatedly define those requirements on each field.
Step-by-Step Example
While this may sound complicated, setting up these controls is straightforward in practice. Let’s walk through an example from start to finish.
Step 1: Creating user attributes
Start by navigating from your homepage > Admin > Attributes. Hit the “New Attribute” button and fill out the information. (Here’s our documentation for more on user attributes).
Once you’ve created a user attribute, you can assign values to each user in the Users tab.
Step 2: Defining your access grant
Open up your model file (you can do this in either your shared or workbook model) and navigate to the “Model” section. Follow the syntax below to add the definition for your new access grant. (Here’s our documentation for more on access grants.)
The allowed_values are case-sensitive, so make sure your user attribute values match the case of your allowed values.
(Note: The allowed_values parameter behaves like an OR. As long as a user has a “test” user attribute value of val1 OR val2, they will pass the access grant.)
access_grants:
  testing_access_grant:
    user_attribute: "test"
    allowed_values: ["val1", "val2"]
Step 3: Applying your access grant to a field/column
Navigate to the view file of the field you want to apply the access grant to. Follow the syntax below to add the required_access_grants parameter to your field definition, and list the names of the access grants you want to apply. (Here’s our documentation for more on the required_access_grants parameter.)
(Note: If you supply multiple required_access_grants values, they will behave like an AND. A user must meet the requirements for every access grant listed in order to access the field.)
full_name:
  type: string
  required_access_grants: [testing_access_grant] # for multiple grants: [testing_access_grant1, testing_access_grant2]
Step 4: Testing your access grant
As an admin, you can use Omni’s “Impersonate User” functionality to test that your access grant is functioning properly. Impersonate a user with a user attribute value that excludes them from your access grant, and open up a new workbook to test that they can or can’t see the protected field.
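Before impersonating users, it can help to work out on paper who should be allowed or denied. The following is an added example, not Omni's code or part of the original article: a small Python model of the OR, AND and case-sensitivity rules from Steps 2 and 3, using constructed users and fields, and assuming each user attribute holds a single string value and that a missing attribute or an undefined grant denies access.

```python
# Model of the rules described in this article (added example, not Omni's code).
# Grant definitions mirror the access_grants syntax; users and fields are constructed.
ACCESS_GRANTS = {
    "can_see_pii": {"user_attribute": "security_certified", "allowed_values": ["TRUE"]},
    "testing_access_grant": {"user_attribute": "test", "allowed_values": ["val1", "val2"]},
}
FIELDS = {  # field name -> required_access_grants
    "full_name": ["can_see_pii", "testing_access_grant"],
    "order_total": [],
}
USERS = {  # constructed sample users and their user attribute values
    "alice": {"security_certified": "TRUE", "test": "val2"},
    "bob": {"security_certified": "true", "test": "val1"},  # wrong case
    "carol": {"security_certified": "TRUE"},                 # "test" unset
}

def passes_grant(attrs, grant_name):
    """OR semantics: any one allowed value matches, compared case-sensitively."""
    grant = ACCESS_GRANTS.get(grant_name)
    if grant is None:
        return False  # assumption of this model: an undefined grant fails closed
    return attrs.get(grant["user_attribute"]) in grant["allowed_values"]

def can_access(user, field):
    """AND semantics: every grant listed on the field must pass."""
    return all(passes_grant(USERS[user], g) for g in FIELDS[field])

def case_mismatches():
    """Users denied only because their value differs in case from an allowed value."""
    found = []
    for user, attrs in USERS.items():
        for name, grant in ACCESS_GRANTS.items():
            value = attrs.get(grant["user_attribute"])
            if value is None or value in grant["allowed_values"]:
                continue
            if value.lower() in (v.lower() for v in grant["allowed_values"]):
                found.append((user, name, value))
    return found

if __name__ == "__main__":
    for user in USERS:
        for field in FIELDS:
            print(f"{user:6} {field:12} {'allow' if can_access(user, field) else 'deny'}")
    for user, grant, value in case_mismatches():
        print(f"case mismatch: {user} has {value!r} for grant {grant}")
```

The resulting allow/deny matrix is the expectation to compare against what each impersonated user actually sees in a new workbook.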
Conclusion
It might take a bit of work to get started, but once you have these user attributes and access grants spun up, protecting important fields should only require a few lines of code. If you’re still having trouble, reach out to the Omni support team and we’d be happy to help.