How do I restrict access to a column using AML syntax

mabr · January 14, 2022, 12:42pm

Hi
I am trying to enforce access control for our dimensions and measures based on user attributes.
I am aware I can replace values for fields based on a user attribute using SQL as described here: Column-level Permission | Holistics Docs

Since As-code has been released I was wondering if there is a field attribute that controls access to the field?
Ideally, I would want to hide or show certain fields based on the user attribute.

Khai_To · January 17, 2022, 3:25am

Hi @mabr ,

Yes, you can use Column level permission in the As-code version. Just one note is that the syntax to define column level permission is aml, not SQL. Let’s me add an example below

Let’s say in the model, I have a dimension email defined by using @sql {{ #SOURCE.email }}
For the PII dimension below, I need to define the field by using @aml

The full syntax is


// original field  
dimension email {
  label: 'Email'
  type: 'text'
  hidden: false
  definition: @sql {{ #SOURCE.email }};;
}

// pii field
dimension customer_email_pii {
  label: "Customer Email Pii"
  type: 'text'
  definition: @aml case(
      when:
        in(1, H.current_user.pii_access),
      then: ecommerce_users.email,
      else: '(redacted)'
    );;
}

Do note that our column level permission can only be applied to Explorers, Viewers, and Analysts who don’t have access to the underlying Data Source.

mabr · January 17, 2022, 6:58am

Hi Khai
That makes sense.

Do you have any plans to expand the options to also control who can see specific fields in the UI?

Khai_To · January 17, 2022, 7:43am

Hi @mabr ,
Could you share more about your use case?

mabr · January 17, 2022, 8:46am

Yes - We have a dataset with several financial fields, that not all employees are allowed to see.
Instead of just redacting the values of the field, I want to hide the field for users with a certain attribute.

This would give a better experience for users.

My workaround is, that I will create a lite-version of our financial dataset and for other datasets, with fewer fields that need to be redacted, I will use your aml solution.

Khai_To · January 17, 2022, 2:56pm

Hi @mabr ,
I do understand the use case is more about the UX for the end-users. For now we don’t have this but I will add this use case into our backlog for further discussion.
Thank you for the suggestion