I’m setting up RLS and so far everything is great. We have some staff we’d like to restrict to only records associated with them and I was trying to do it through the email they’re logging into Holistics with. Problem is I only want it restricted for those folks, my higher level admins should see all data. Since I’m using the h_mail, is there any way to let a certain group have all addresses assigned or access to all addresses so their data isn’t limited? I know I could do this if I wasn’t using the system attribute but that would cut down maintenance for us.
Thank you for your question.
You can combine system user attributes with your own user attributes by creating custom AML fields.
I assume by “RLS”, you mean Row-level permissions?
To set up Row-level permissions combining system user attributes with your own user attributes, for example, you can:
Create a user attribute named
number) and set its value to
1 for your admin users.
On your Model where you would like to apply the restriction, create a new custom dimension to represent the permission. Let’s call it
```
case(
  when: or(
    in(1, H.current_user.is_admin),
    H.current_user.h_email == model_name.email
  ),
  then: 1,
  else: 0
)
```
- Create the row-level Permission Rule in your Dataset on the new custom dimension:
Kindly note that our AML custom fields have not been enabled for all customers yet. Thus, in case it has not been enabled yet in your Holistics workspace, please reach out to us at [email protected].
- Dimensions & Measures | Holistics Docs
- Using User Attributes in AML | Holistics Docs
- Holistics Expression | Holistics Docs
- Row-level Permission | Holistics Docs
Hope that my answer is helpful to you. Please let me know if you need further assistance.
Apologies for the delay, we had to put this aside for a bit to deal with other issues. This is great info thanks! I’m not sure AML is enabled, I’ve asked about getting access to 4.0 but haven’t heard back yet. Are those topics synonymous or separate?
In case you are interested in our as-code features, you can send a follow-up ticket to our support team and wait for the upgrade.
However, if you only need the AML field to solve the above permission issue, we can totally enable it for your 3.0 account at the moment. Please let us know your thoughts, so that we can properly assist you.
This is interesting, I did already have AML enabled and was able to implement the solution Dat posted, worked perfect so thanks for that!!! The 3.0 v 4.0 thing is confusing though. Support told me “we don’t support migrating directly from v3.0 to v4.0 so if you want to try out v4.0 (as-code), you will need to set up another trial account.” Sounds like there is no upgrade option, we’d have to start over. All the docs read like it’s more of an add-on but could be just me.
Glad that it works well on your end @sm_mk
At the moment, we do not yet support directly upgrading your current 3.0 account to the 4.0 version. So if you’d like to try our as-code version, you need to start everything from scratch. We understand that it will definitely cause you inconvenience, but we seek your understanding on this matter.
However, we’re planning to support the migration plan in the near future, and will let you know when it’s available.
Quick followup question on this. Now they’re wanting to pull in related records this rule specifically prevents pulling in. I’m wondering is it possible to add a nested sub-query to that OR condition above? e.g. the user doesn’t have is_admin, email doesn’t match, but if xyz other fields are found in (select statement) then visible. Shot in the dark but worth a try
I don’t know the exact logic, but you can try creating Custom Dimensions for your subquery/xyz fields and then reference those Custom Dimensions in the AML expression.
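The permission flag from the answer above, plus the related-records branch asked about in the follow-up, modelled as plain SQL and run through Python's sqlite3 so the visible rows can be checked per user. This is an added example, not part of the original posts and not the SQL Holistics generates; the `records` table, its columns, the `include_related` flag and the sample rows are assumptions, and `is_admin` is treated as a single value.

```python
import sqlite3

# Constructed sample data (id, owner email, account); not from the thread.
ROWS = [
    (1, "alice@example.com", "acct-1"),
    (2, "bob@example.com", "acct-1"),
    (3, "bob@example.com", "acct-2"),
    (4, None, "acct-3"),  # row with no owner email
]

# A row is visible only when the flag evaluates to 1, mirroring
# case(when: or(admin, email match), then: 1, else: 0).
# The third branch models the follow-up: rows that share an account
# with a row the user owns, expressed as a subquery.
VISIBLE_SQL = """
SELECT id FROM records r
WHERE CASE
        WHEN :is_admin = 1 THEN 1
        WHEN r.email = :h_email THEN 1
        WHEN :include_related = 1 AND r.account IN (
             SELECT account FROM records WHERE email = :h_email) THEN 1
        ELSE 0
      END = 1
ORDER BY id
"""

def visible_ids(h_email, is_admin=None, include_related=False):
    """Return the ids a user would see under the modelled rule."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE records (id INTEGER, email TEXT, account TEXT)")
    con.executemany("INSERT INTO records VALUES (?, ?, ?)", ROWS)
    params = {
        "is_admin": is_admin,  # None models a user with no is_admin attribute
        "h_email": h_email,
        "include_related": int(include_related),
    }
    ids = [row[0] for row in con.execute(VISIBLE_SQL, params)]
    con.close()
    return ids

if __name__ == "__main__":
    print("admin:", visible_ids("root@example.com", is_admin=1))
    print("alice:", visible_ids("alice@example.com"))
    print("alice + related:", visible_ids("alice@example.com", include_related=True))
    # Missing attribute and missing email both fall through to ELSE 0.
    print("no attributes:", visible_ids(None))
    # The comparison is exact, so a differently cased login email matches nothing.
    print("case mismatch:", visible_ids("Alice@example.com"))
```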