Override rights?

I’m setting up RLS and so far everything is great. We have some staff we’d like to restrict to only records associated with them and I was trying to do it through the email they’re logging into Holistics with. Problem is I only want it restricted for those folks; my higher level admins should see all data. Since I’m using the h_mail, is there any way to let a certain group have all addresses assigned or access to all addresses so their data isn’t limited? I know I could do this if I wasn’t using the system attribute but that would cut down maintenance for us.

Hi Mike,

Thank you for your question.

You can combine system user attributes with your own user attributes by creating custom AML fields.

I assume by “RLS”, you mean Row-level permissions?
To set up Row-level permissions combining system user attributes with your own user attributes, for example, you can:

  1. Create a user attribute named is_admin (of type number) and set its value to 1 for your admin users.

  2. On your Model where you would like to apply the restriction, create a new custom dimension to represent the permission. Let’s call it is_visible_to_current_user:

         case(
           when: or(
             in(1, H.current_user.is_admin),
             H.current_user.h_email == model_name.email
           ),
           then: 1,
           else: 0
         )

  3. Create the row-level Permission Rule in your Dataset on the new custom dimension: is_visible_to_current_user equal 1

Kindly note that our AML custom fields have not been enabled for all customers yet. Thus, in case it has not been enabled yet in your Holistics workspace, please reach out to us at [email protected].

Relevant documentation:

Hope that my answer is helpful to you. Please let me know if you need further assistance.

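One way to sanity-check the rule from the answer above before rolling it out, added here as an illustration and not Holistics code: a small Python model of the is_visible_to_current_user dimension, evaluated for constructed users and rows. It assumes the is_admin attribute holds a list of values (as the in() call suggests) and that the email comparison is exact and case-sensitive; the class, function and sample names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    h_email: str                                  # system attribute: login email
    is_admin: list = field(default_factory=list)  # custom attribute, modelled as a list (assumption)

# Constructed sample rows; "email" plays the role of model_name.email.
ROWS = [
    {"id": 1, "email": "ann@example.com"},
    {"id": 2, "email": "bob@example.com"},
    {"id": 3, "email": "Bob@Example.com"},  # same person, different casing
    {"id": 4, "email": None},               # record with no owner
]

# Constructed users covering the cases worth checking.
USERS = {
    "admin": User("root@example.com", is_admin=[1]),
    "ann": User("ann@example.com"),               # attribute never set
    "bob": User("bob@example.com", is_admin=[0]), # attribute set, but not 1
    "cy": User("cy@example.com"),                 # owns no rows
}

def is_visible_to_current_user(user, row):
    """Return 1 if the user is an admin or the row's email equals the login email, else 0."""
    if 1 in user.is_admin:
        return 1
    # Assumption: exact match; how the real comparison treats case depends on the database.
    if row["email"] is not None and user.h_email == row["email"]:
        return 1
    return 0

def visible_ids(user, rows=ROWS):
    """Apply the permission rule 'is_visible_to_current_user equal 1' to every row."""
    return [r["id"] for r in rows if is_visible_to_current_user(user, r) == 1]

def access_matrix():
    """Map each sample user to the row ids they would see."""
    return {name: visible_ids(u) for name, u in USERS.items()}

if __name__ == "__main__":
    for name, ids in access_matrix().items():
        print(f"{name}: {ids}")
```

Under these assumptions the rule fails closed: a user without is_admin set to 1 sees only exact email matches, so rows stored with different casing or with no email are visible to admins only.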

Apologies for the delay, we had to put this aside for a bit to deal with other issues. This is great info, thanks! I’m not sure AML is enabled, I’ve asked about getting access to 4.0 but haven’t heard back yet. Are those topics synonymous or separate?

Thanks @sm_mk
In case you are interested in our as-code features, you can send a follow-up ticket to our support team and wait for the upgrade.
However, if you only need the AML field to solve the above permission issue, we can totally enable it for your 3.0 account at the moment. Please let us know your thoughts, so that we can properly assist you :blush:

This is interesting, I did already have AML enabled and was able to implement the solution Dat posted, worked perfect so thanks for that!!! The 3.0 v 4.0 thing is confusing though. Support told me “we don’t support migrating directly from v3.0 to v4.0 so if you want to try out v4.0 (as-code), you will need to set up another trial account.” Sounds like there is no upgrade option, we’d have to start over. All the docs read like it’s more of an add-on but could be just me.


Glad that it works well on your end @sm_mk :blush:
At the moment, we do not yet support directly upgrading your current 3.0 account to the 4.0 version. So if you’d like to try our as-code version, you need to start everything from scratch. We understand that it will definitely cause you inconvenience, but we seek your understanding on this matter.
However, we’re planning to support the migration plan in the near future, and will let you know when it’s available :blush:

Quick follow-up question on this. Now they’re wanting to pull in related records this rule specifically prevents pulling in. I’m wondering is it possible to add a nested sub-query to that OR condition above? e.g. the user doesn’t have is_admin, email doesn’t match, but if xyz other fields are found in (select statement) then visible. Shot in the dark but worth a try.

Hi Mike,

I don’t know the exact logic, but you can try creating Custom Dimensions for your subquery/xyz fields and then reference those Custom Dimensions in the AML expression.