How do I restrict access to a column using AML syntax

Hi
I am trying to enforce access control for our dimensions and measures based on user attributes.
I am aware I can replace values for fields based on a user attribute using SQL as described here: Column-level Permission | Holistics Docs

Since As-code has been released I was wondering if there is a field attribute that controls access to the field?
Ideally, I would want to hide or show certain fields based on the user attribute.

1 Like

Hi @mabr ,

Yes, you can use Column level permission in the As-code version. Just one note is that the syntax to define column level permission is AML, not SQL. Let me add an example below.

Let’s say in the model, I have a dimension email defined by using @sql {{ #SOURCE.email }}
For the PII dimension below, I need to define the field by using @aml

The full syntax is


// original field  
dimension email {
  label: 'Email'
  type: 'text'
  hidden: false
  definition: @sql {{ #SOURCE.email }};;
}

// pii field
dimension customer_email_pii {
  label: "Customer Email Pii"
  type: 'text'
  definition: @aml case(
      when:
        in(1, H.current_user.pii_access),
      then: ecommerce_users.email,
      else: '(redacted)'
    );;
}

Do note that our column level permission can only be applied to Explorers, Viewers, and Analysts who don’t have access to the underlying Data Source.

1 Like

Hi Khai
That makes sense.

Do you have any plans to expand the options to also control who can see specific fields in the UI?

1 Like

Hi @mabr ,
Could you share more about your use case?

Yes - we have a dataset with several financial fields that not all employees are allowed to see.
Instead of just redacting the values of the field, I want to hide the field for users with a certain attribute.

This would give a better experience for users.

My workaround is that I will create a lite version of our financial dataset, and for other datasets with fewer fields that need to be redacted, I will use your AML solution.

1 Like

Hi @mabr ,
I do understand the use case is more about the UX for the end-users. For now we don’t have this but I will add this use case into our backlog for further discussion.
Thank you for the suggestion :grin:

1 Like