Configurable Data Source Security

  • All of the Security discussed below applies to Power Users (PU's):
    • Admins have no restrictions as to Data Source functionality
    • Regular Users have NO access of any kind to Data Sources

Power Users cannot access User Editors; however, Admins may grant Data Source Privileges and Permissions on both Group and User Editors and from a Data Source Editor > Permissions button.

In Rel. 6.3.3, a config variable MODIFY_UNPRIVILEGED_DATA_SOURCES_VIA_API is available to allow organizations to bypass the restriction that requires a PU to have the Create Data Sources Privilege in order to modify a Data Source to which the PU has Edit Access. Its Default Value is "NO"; i.e., the restriction remains in place.

Overview

Power Users can use Data Sources to which they have at least Use Access and create content using those Data Sources. With the "Create Data Sources" Privilege, a PU with Edit Access to a Data Source can create, edit and assign Data Source access to Groups to which the PU has Edit Access or of which the PU is a member, and to other PU's within any of those Groups. A related Extended Security Privilege allows the PU to assign Data Source access to any Group or PU.

Data Source Security can be applied to:

  1. Individual PU's
  2. Groups for inheritance by PU members

Security is designed to have both Privileges to add/maintain Data Sources and Permissions to Use or Edit a specific Data Source. It allows a customer to limit the Data Sources to which a given PU can assign Access or use to create elements and other objects. These include:

  • Elements
  • Datasets and User Maps
  • Dimensions
  • Event Calendars

 

Privileges are granted via Info Tab > Privileges section on the Group Editor or the User Editor.

Permissions are granted via the Permission button on Group Editor, Data Source Editor, or on the User Editor.

A PU cannot be granted the Extended Security Privilege unless he is first granted the "Create Data Sources" Privilege.

If a PU:

  1. Has neither Data Source Privilege:
    1. Cannot:
      1. Create a new Data Source
    2. Can:
      1. Be granted Use Access Permission to one or more specific Data Sources
      2. Use a Data Source to which PU has Use Access to create a new object that fetches data    
  2. Has only "Create Data Sources" Privilege, PU can:
    1. Create a new Data Source
    2. Assign Use or Edit access to Data Sources that the PU creates or to which the PU has been given/inherited Edit Access, to:
      • Groups of which this PU is a member
      • Groups to which this PU has Edit Access
      • Other PU members of those Groups
  3. Has both Privileges, PU can:
    1. Create a new Data Source
    2. Assign Use or Edit access to any Group or other PU, for Data Sources that the PU creates or to which the PU has been given/inherited Edit Access
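
The three cases above can be checked as a small decision model when reviewing who is able to hand out Data Source access. This is an added example, not the product's own code or API: the PowerUser class, the function names and the sample users and Groups are hypothetical, and it assumes that a PU who creates a Data Source holds Edit Access to it.

```python
from dataclasses import dataclass, field

CREATE = "Create Data Sources"
EXTENDED = "Allow Power Users to grant Data Source access to any User or Group"

@dataclass
class PowerUser:
    name: str
    privileges: set = field(default_factory=set)    # own plus Group-inherited
    member_of: set = field(default_factory=set)     # Groups the PU belongs to
    edits_groups: set = field(default_factory=set)  # Groups the PU has Edit Access to
    ds_access: dict = field(default_factory=dict)   # Data Source -> "use" | "edit"

def can_select(pu, ds):
    # Use Access alone lets a PU pick the Data Source when building an object.
    return pu.ds_access.get(ds) in ("use", "edit")

def can_grant(pu, ds, group=None, other=None):
    """May pu assign Use or Edit access on ds to a Group or to another PU?"""
    if CREATE not in pu.privileges:       # Extended is never valid without Create
        return False
    if pu.ds_access.get(ds) != "edit":    # assumption: a creator holds Edit Access
        return False
    if EXTENDED in pu.privileges:         # both Privileges: any Group or PU
        return True
    reachable = pu.member_of | pu.edits_groups
    if group is not None:
        return group in reachable
    return other is not None and bool(other.member_of & reachable)

# Constructed sample data; every name below is hypothetical.
ana = PowerUser("ana", set(), {"Sales"}, set(), {"warehouse": "use"})
ben = PowerUser("ben", {CREATE}, {"Sales"}, {"Ops"}, {"warehouse": "edit"})
cy = PowerUser("cy", {CREATE, EXTENDED}, {"Sales"}, set(), {"warehouse": "edit"})
dee = PowerUser("dee", set(), {"Finance"})

def audit(ds="warehouse"):
    # What each sample PU may do with ds, keyed by PU name.
    return {pu.name: {
        "create": CREATE in pu.privileges,
        "select": can_select(pu, ds),
        "to_Ops": can_grant(pu, ds, group="Ops"),
        "to_Finance": can_grant(pu, ds, group="Finance"),
        "to_dee": can_grant(pu, ds, other=dee),
    } for pu in (ana, ben, cy)}

if __name__ == "__main__":
    for name, row in audit().items():
        print(name, row)
```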

1. Grant Privileges

Admin > Groups > Groups tab > Group Editor > Info tab > + Privileges to Group button

There are two Data Source Privileges that can only be assigned to Power Users or inherited from the Group(s) to which a Power User belongs.  Power Users with Edit Access to a Group can assign these Privileges to a Group.

  1. "Create Data Sources"
    • Can be selected without the Extended Security Privilege
  2. "Allow Power Users to grant Data Source access to any User or Group" (Extended Security Privilege)
    • If the Extended Security Privilege is selected by itself, the Create Data Sources parent Privilege is automatically selected

2. Grant Permissions 

Admin > Collection & Storage > Data Sources > Data Source Editor > Permissions button

On the Permissions popup, there are two types of Data Source Security Permissions that may be granted to a Group or PU:

  1. Use Access:  Select "No"
    1. May be granted to PU without other Data Source-related Privileges
    2. PU can select the Data Source when creating an element or other object
  2. Edit Access:  Select "Yes"
    • For Groups, restricted to those to which the PU belongs unless the Power User has the extended Data Source Privilege
    • For Power Users, restricted to those with the Create Data Sources Privilege
    • With this Permission, a PU can:
      • Select the Data Source from Data Source drop-down list
      • Open and Edit the Data Source
  3. On the Data Source Editor, click the Permissions button to open the Data Sources Permissions pop-up

3. Data Source List Page

This List Page is only available if a Power User has the Create Data Sources Privilege. If the User has no Edit Access to a Data Source as yet, the grid is not visible but the Add button is.

  1. The grid only shows Data Sources to which the PU has Edit Access
  2. Active Name links in the Name
  3. [+ New Data Source] used to create a new Data Source

4. Data Source Editor  

PU's with Edit Access can access a specific Data Source's Editor from:

  • Admin menu > Data Sources: click on a Data Source name in the list grid
  • Object Editors > Edit icon to the right of Data Source text box

From the Editors, a PU can:

  • Make changes to the settings
  • Use the [Permissions] button to grant Data Source Use or Edit Access
  • Duplicate the Data Source and, optionally, duplicate its Permissions
  • Delete the Data Source
  • Add another Data Source

5. Grant Permissions on the Group Editor  

Admin > Users & Groups > Groups tab > Group Editor > Power Users tab

PU's with the Privilege to Create Groups or Permission to edit a specific Group can grant access to a Data Source on the Group Editor > Power Users tab:

  1. [+Data Source to Group] to open the Add Data Source to Group pop-up
  2. Select a Data Source from the dropdown, which contains only those to which the Power User has Edit Access
  3. Grant Use or Edit Access to be inherited by the Group's members

[Save]

6. Assign Data Source to Metric, Dataset, User Map, Dimension, and Event Calendar via the Object's Editors

Object Editor  > Data tab

A PU can create a new object or open any Editor of an object to which the PU has Edit Access. On the Data tab:

  1. Data Source drop-down list contains:
    • The currently assigned Data Source 
    • Other Configurable Data Sources for which the PU has Use or Edit Access
    • Non-configurable Data Sources for which the PU has the related "Create Content" Privilege