Article Content

  1. Overview
  2. How it works
    1. Where to find it
    2. Step-by-step
  3. Example Scenario

Overview

With this feature it is possible to restrict access to specific parts/rows of a Data Table.

This is achieved by defining different Analysis Authorization dimensions that determine which rows a user can or cannot see. An Analysis Authorization dimension contains one or several rules that are evaluated to control the access.

In a rule, the creator of the restriction can either use one of the System Variables available in the application or define a specific value.


How it works

Where to find it

This section briefly explains where to find the pages for configuring and applying the Analysis Authorization. A more in-depth explanation follows in the next sections.


Creating an Analysis Authorization Dimension

You can access the Analysis Authorization within the settings page of ONE DATA. To get there, open the side navigation bar and go to "Settings".

Within the settings page of ONE DATA go to "Analysis Authorization" with the button (1) from the left sidebar.

In the respective menu, a list of all available dimensions for the selected domain is shown.

There you can find options to:

  • Create new dimensions (2)
  • Edit existing dimensions (3)
  • Delete existing dimensions (4)

It is also possible to search for a specific dimension by name through the text field on the top (5).



Applying Analysis Authorization

Within an opened Data Table you can access the restrictions for it by the button (1) on the upper left of the page.


Step-by-step

In this section we will explain how to use the feature step by step and additionally we'll have a look at the basic configuration, possible inputs/outputs and necessary user rights.


Defining a Dimension

Required Rights: Only Domain Admins and Super Admins are allowed to create, edit and delete dimensions. More information on user roles can be found here.

Within the Analysis Authorization settings page a user first has to select a domain (1). For this domain all existing dimensions are shown.

After clicking the button to create a new dimension, it is created and added to the list. Within this added item you can set and access information for the restrictions including:

  • (2) Text input to edit the name of the dimension (required)
  • (3) Button to confirm/edit the name and description of the dimension
  • (4) Tab to show dimension description
  • (5) Text input to edit dimension description
  • (6) Tab to see a list of all datasets this dimension is applied to
  • (7) Button to add a new rule to the dimension (a dimension can have any number of rules)
  • (8) Number of groups selected in the dimension
  • (9) Number of users selected in the dimension
  • (10) Button to delete the whole dimension
  • (11) Button to duplicate the whole dimension including all rules
  • (12) A list of all rules of the dimension.



A rule created for a dimension contains the following information and actions:

  • (a) Group Selection: Shows a list of all user groups this rule applies to when selected.
    • Inactive when System Variables are selected for VALUE STRUCTURES
  • (b) User Selection: Shows a list of all available users for the rule.
    • Inactive when System Variables are selected for VALUE STRUCTURES
  • (c) Value Structure Type: Select what type of values should be available for the rule
    • Multi Value: Define the value by entering any string (Group/User selection is required)
    • System Variables: List of System Variables to select a value for the rule (No Group/User can be selected)
  • (d) Access Type: Define what kind of access the rule should be.
    • to: Rule provides access to data that matches the values of the rule.
    • except to: Rule provides access to all data except the data that matches the values of the rule.
  • (e) Access Value: Define values of the rule that will be matched.
    • For structure System Variables: Contains a list of available System Variables the user can choose from including:
      • Current User (sys_user)
      • Current Date (sys_date_string)
      • Current Time (sys_time_string)
      • Current Unix Timestamp (sys_datetime)
      • Current Date/Time (sys_datetime_string)
      • Day of Month (sys_day_of_month)
      • Day of Week (sys_day_of_week)
      • Day of the Week (number) (sys_day_of_week_num)
      • Day of Year (sys_day_of_year)
      • Week of Month (sys_week_of_month)
      • Week of Year (sys_week_of_year)
      • Start of Week Date (starting from Monday) (sys_start_of_week_monday)
      • Start of Week Date (starting from Sunday) (sys_start_of_week_sunday)
      • Current Month (sys_month)
      • Current Year (sys_year)
    • For structure Multi Value:
      • Text field to enter the values the rule should be applied on
      • If multiple values are entered they need to be separated with a comma
      • CAUTION: If you use a multi value "except to" restriction you need to add access to all other values. E.g.:
        • Rule1: VALUE STRUCTURE: Multi Value, ACCESS: except to, ACCESS VALUE: 52
        • Rule2: VALUE STRUCTURE: Multi Value, ACCESS: to, ACCESS VALUE: * (required for dimension to work)
  • (f) Button to delete the rule (Only active in edit mode)
  • (g) Button to either:
    • Confirm the settings of the rule (Only active when necessary settings are set)
    • Edit the settings of the rule
  • (h) Button to duplicate the rule within the dimension


After finishing the configuration of the dimensions you can save all changes with the save button from the sidebar. The button is only active when all necessary information for each dimension is set and every rule within a dimension is fully configured.



Applying a Dimension to a Data Table

To apply an existing dimension to a Data Table, the user has to open the Analysis Authorization dialog for the specific Data Table by clicking the button as described in a previous section.

Within the Analysis Authorization dialog the user has three main settings to choose for the Data Table:

  • LOCKED: Only the owner of the Data Table can access the data
  • RESTRICTED: Groups and users configured in an authorization dimension that is applied here can access the data
  • OPEN: Everybody with access to the project and correct Data Table rights can access the data

By default the "RESTRICTED" button is not active. It is only available if a dimension is applied to the Data Table.

In the section "Authorization Relevant Dimensions" you can select the dimensions you want to apply, see a list of all applied dimensions and see a preview of the Data Table for a specific group/user. For these functions the following elements are available:

  • (1) Column Name (required): The column of the Data Table where the dimension is applied on.
  • (2) Access Dimension (required): Select the dimension that should be applied on the previously selected column.
  • (3) Add selected restriction button (Only active when a column and dimension is selected).
    • Added dimensions are shown within the list below (4)
  • (4) List of all applied dimensions
    • (4.1) Column the dimension is applied on.
    • (4.2) Name of the dimension that is applied.
    • (4.3) Button to delete the dimension from the Data Table (Dimension is only deleted from the Data Table but still exists).
  • (5) Select the logical operator that defines how applied access dimensions are combined.
  • (6) Select group/user for Data Table preview: Contains a list of all available groups/users for the domain (Only available when no dimension with system variables is applied).
  • (7) Refresh by clicking the Data Table preview button (Only available when a group/user is selected and no dimension with system variables is applied).
  • (8) Data Table preview: Shows the data with the applied dimensions for the selected group/user.
  • (9) Cancel button: All changes made are lost and the dialog is closed.
  • (10) Confirm button: All changes made are saved and the dialog is closed.


Where to see Restrictions for Data Tables

If a Data Table has an Analysis Authorization dimension applied, there are different places where you can see if and what kind of restriction is applied.

These are the symbols for the three types of restrictions:

  • LOCKED
  • RESTRICTED
  • OPEN


On the Project Data Table Page

Within the list of all datasets for a project is an indicator (1) for each Data Table showing the type of restriction that is applied.


On the Data Table Information Page

On an opened Data Table, the applied type of restriction is shown within the button (1) to open the Analysis Authorization configuration. Also the number of dimensions (2) for the type "RESTRICTED" is shown there.

If the type is "RESTRICTED" the name of the dimension that is applied on a column is shown in the column header (3).


In the Workflow Editor

If a Data Table with the Analysis Authorization type "LOCKED" or "RESTRICTED" is used within a Workflow, the user sees an indicator for the Workflow (1) and for the Processor of the Workflow (2) where the restricted dataset is used.

Also information about the restriction is shown in the Job/Config State of the Workflow. This can be opened from the sidebar. If a restriction is applied, the icon of the sidebar button (3) changes. Clicking the button shows the sidebar where more detailed information (4) about it is shown.


Example Scenario

Short description of how to use the feature in a basic process.

The basic scenario for using the Analysis Authorization, described step by step below, is also shown in the video attached at the bottom of the article.

For the scenario, a Data Table already exists. We will limit a user's access to rows where the column "country" is not "France". Additionally, the user will only see rows where the column "apk_value" is one of 52, 49, 61 or 53.

The following steps are executed within the scenario:

  1. Log in with a domain admin user
  2. Go to the Analysis Authorization settings page
  3. Create a new dimension
  4. Give the dimension a proper name and description (name: access_except-country_selection)
  5. Confirm the name and description configuration
  6. Configure the rule of the dimension like:
    1. No groups selected
    2. Test user selected for users
    3. Multi Value selected for value structures
    4. Access type "except"
    5. Access value "France"
  7. Confirm the rule (leave edit mode)
  8. Create a second rule for the dimension
  9. Configure the rule of the dimension like:
    1. No groups selected
    2. Test user selected for users
    3. Multi Value selected for value structures
    4. Access type "to"
    5. Access value "*"
  10. Create a second dimension
  11. Give the dimension a proper name and description (name: access_to-apk_value)
  12. Confirm the name and description configuration
  13. Configure the rule of the dimension like:
    1. No groups selected
    2. Test user selected for users
    3. Multi Value selected for value structures
    4. Access type "to"
    5. Access value "52, 49, 61, 53"
  14. Confirm the rule (leave edit mode)
  15. Save all changes of the analysis authorization settings
  16. Go to the test project
  17. Open the test Data Table
  18. Open the analysis authorization configuration for the Data Table
  19. Add a new restriction by selecting:
    1. "country" for the column of the Data Table
    2. "access_except-country_selection" for the dimension
  20. Add the restriction with the "+" button
  21. Add another restriction by selecting:
    1. "apk_value" for the column of the Data Table
    2. "access_to-apk_value" for the dimension
  22. Add the restriction with the "+" button
  23. Show a preview of the Data Table for our test user:
    1. For user select the test user by typing in the name and clicking it
    2. Click the refresh button
  24. As the preview looks fine we select the restriction type RESTRICTED for the Data Table
  25. Confirm the configuration dialog
  26. Save the Data Table
  27. Log out the domain admin
  28. Log in with the test user
  29. Open the Data Table we applied the restriction on

RESULT: The test user can see the opened data tab with the correct data, as configured in the analysis authorization.
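
The rule logic of this scenario and of the "except to" CAUTION in the rule description, modelled as an added Python example (not ONE DATA code). The evaluation model (a value needs a matching "to" rule and no matching "except to" rule), the AND/OR operator names, the user name and the sample rows are assumptions made for illustration.

```python
# Added illustration: a simplified model of the rule semantics, not ONE DATA's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    users: frozenset   # users the rule applies to
    access: str        # "to" or "except to"
    values: frozenset  # Multi Value entries; "*" matches every value

    def matches(self, cell):
        return "*" in self.values or str(cell) in self.values


def parse_values(text):
    """Split a comma-separated Multi Value entry such as '52, 49, 61, 53'."""
    return frozenset(v.strip() for v in text.split(",") if v.strip())


def dimension_allows(rules, user, cell):
    """Assumed model: some 'to' rule must grant the cell and no 'except to'
    rule may exclude it, so an 'except to' rule on its own grants nothing."""
    mine = [r for r in rules if user in r.users]
    granted = any(r.access == "to" and r.matches(cell) for r in mine)
    excluded = any(r.access == "except to" and r.matches(cell) for r in mine)
    return granted and not excluded


def visible_rows(rows, applied, user, operator="AND"):
    """applied: (column, rules) pairs; operator (assumed AND/OR) combines dimensions."""
    combine = all if operator == "AND" else any
    return [row for row in rows
            if combine(dimension_allows(rules, user, row[col]) for col, rules in applied)]


TEST_USER = frozenset({"test_user"})  # constructed user name
country_dim = [  # dimension "access_except-country_selection"
    Rule(TEST_USER, "except to", parse_values("France")),
    Rule(TEST_USER, "to", parse_values("*")),
]
apk_dim = [Rule(TEST_USER, "to", parse_values("52, 49, 61, 53"))]  # "access_to-apk_value"

ROWS = [  # constructed sample rows
    {"country": "France", "apk_value": 52},
    {"country": "Germany", "apk_value": 52},
    {"country": "Spain", "apk_value": 70},
    {"country": "Italy", "apk_value": 61},
]


def scenario(user="test_user", operator="AND"):
    return visible_rows(ROWS, [("country", country_dim), ("apk_value", apk_dim)], user, operator)
```

In this model, dropping the second rule of the country dimension leaves the test user with no visible rows, which is the situation the CAUTION describes; the preview in the Analysis Authorization dialog is the place to check the real result before switching the Data Table to RESTRICTED.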