We restrict permissions for certain datasets to specific user groups (e.g. Only Hiring Managers user group is listed under the “Share dataset” options in our hiring_opportunities dataset).
Expectation
Only for users within the Hiring Managers user group to be able to see the hiring_opportunities dataset
Observed
All users with the Analyst role can see the hiring_opportunities dataset, regardless of whether they are in the Hiring Managers user group.
Why is this the case? What can we do to prevent users with the Analyst role (that are not in a user group) from seeing sensitive datasets?
Hi @jingyu
The data access permission of analysts depends on whether the data source is shared with them. So if you share with them the data source, they will be able to see all datasets from that data source.
For the solution, you can try either one of them: 1/ Un-share the data source used to build hiring dataset
For example, you have built dataset A and dataset B from your data source ABC.
If you share the data source with your analysts, they will be able to access and edit all dataset A and B
2/ Use our Row-level or Column-level Permission
Another solution is to restrict the data that they can retrieve from the hiring dataset. For more information, please check our docs here:
Hi @jingyu , can the other analysts see the data within the hiring_opportunties dataset, or just the existence of the dataset?
The way it works for us is that access / groups are controlled at the data connection level. We create permission groups, then add connections and users to those groups.
That way, an analyst might see that a dataset / report exists, but if they tried to access any data they will get a permissions error because they are not a member of the group that the connection is in.
We haven’t tried setting permission level based on different datasets coming from the same data connection, as it doesn’t fit our use-case. But if you’re struggling to control it, then having separate data connections (with each connection’s service account having appropriate access) could be a way for you to manage this