In Pigment, access rights and permissions are treated just like any other data type such as number, integer, or text. This means you can create Metrics and use formulas to build custom security rules based on all of the data available in Pigment with a lot of flexibility.
This article is based on the Legacy Access Rights system.
You can identify which system you are on by navigating to Roles, permissions & access section and seeing if you see Version: Legacy or if there is an Unspecified option for read or write permissions within a Role then you are on the Legacy system. For more information, check out this article.
Example
You can restrict the access rights of a country manager so that they only see financial data for their own country, while central management can see a consolidated view for all countries.
This article will focus on building custom Access Rights rules.
First, create a new Metric and define the data type as “Access Rights”
Create the Metric with the Dimensions that you want to use to restrict access rights. Ultimately, the Metrics of Access Rights that you will apply must contain the User Dimension because Pigment needs to know which user to apply these rules on.
In order to apply these custom rules, follow the steps below.
- In the Sidebar, click on Settings.
- Next, select Security tab.
- Scroll to the Access rights rules section and click + Add an access rights rule.
Settings for the Access rights rule
First, you must define the Rule type. This will determine if the rule should apply to Read, Write, or Read & Write access. After defining the scope of what type of access it controls, you have to define how this rule is applied.
You can apply these rules to:
- Some selected Metric(s) that already contain the Dimensions used in your Access Rights Metric (for example: Country, Department)
- All Metrics that contain a set of Dimensions, including the Dimensions used in your Access Rights Metric
- List Properties. Pigment lets you define on which Lists and on which Properties of this List these access rights should apply to. (for example: specific access rights for the Annual Salary property of my Employee list)
Note
While building your custom security rules, keep in mind that they are cumulative as long as they restrict the users. This means that a rule preventing access to some data will always be prioritized against a rule that gives access.
Security rule configuration example:
Please also see this guide, Setting Up User Access: The Complete Practical Guide, for a more extensive explanation.