We restrict permissions for certain datasets to specific user groups (e.g. Only
Hiring Managers user group is listed under the “Share dataset” options in our hiring_opportunities dataset).
Only for users within the
Hiring Managers user group to be able to see the hiring_opportunities dataset
All users with the Analyst role can see the hiring_opportunities dataset, regardless of whether they are in the
Hiring Managers user group.
Why is this the case? What can we do to prevent users with the Analyst role (that are not in a user group) from seeing sensitive datasets?
The data access permission of analysts depends on whether the data source is shared with them. So if you share with them the data source, they will be able to see all datasets from that data source.
For the solution, you can try either one of them:
1/ Un-share the data source used to build hiring dataset
For example, you have built dataset A and dataset B from your data source ABC.
- If you share the data source with your analysts, they will be able to access and edit all dataset A and B
- If you don’t share the data source with them, but only share the dataset A, they will be only able to access the dataset A.
For more information, please visit our announcement here: Launched: Allow Analysts to create reports without Modeling access
2/ Use our Row-level or Column-level Permission
Another solution is to restrict the data that they can retrieve from the hiring dataset. For more information, please check our docs here:
Could you help check if our recommendations can solve your issue?
Hi @jingyu , can the other analysts see the data within the
hiring_opportunties dataset, or just the existence of the dataset?
The way it works for us is that access / groups are controlled at the data connection level. We create permission groups, then add connections and users to those groups.
That way, an analyst might see that a dataset / report exists, but if they tried to access any data they will get a permissions error because they are not a member of the group that the connection is in.
We haven’t tried setting permission level based on different datasets coming from the same data connection, as it doesn’t fit our use-case. But if you’re struggling to control it, then having separate data connections (with each connection’s service account having appropriate access) could be a way for you to manage this