Pigment Security Basics

  • 21 December 2021
  • 0 replies

Userlevel 3

Pigment’s security is comprised of Roles, Permissions, and Access Rights.  These settings let you configure what users can do, see, or modify within your Applications. All applications have a pre-built set of Roles with assigned Permissions and Access Rights.  This article will go over the basics of Pigment Security. 


Table of Contents




In order to give a user access to a Pigment Workspace, they must have a Pigment account.  After they have an account, they must be assigned a Role within each Application they need access to. 

Roles are comprised of Permissions and Access Rights.  Permissions define the actions a user can take, such as building new Metrics or writing formulas.  Access Rights defines how a user interacts with data, can they read it, write or edit it, or should it remain hidden from them. 



There are the default 5 default Pigment Roles: 

  • Admin: This role has all permissions applied to it, allowing the user to perform all application-level functions. 
  • Contributor: Designed for users who will be interacting with data, this role focuses on inputting actions.
  • Designer: Focused on the creation of the end-user experience, this role allows for Board specific creation actions.  
  • Modeler: This role is designed for Application builders. All actions are allowed except Security configuration and Block update history.  
  • Reader: This role is designed for those who only need to read data on Boards, all other actions are denied.  This is the only role with Write access turned off, meaning users can only read, not write on data. 

These roles can be entirely customized for your needs. Click on “Add Item” in the Role Dimension to create a new one.  





Permissions define the actions that a user can perform in Pigment.  When a user is assigned a role, they will get all the permissions associated with that role.  In the Security Folder, the User roles Metric is the default metric for assigning permissions.  You can click on the Permissions for each role to see which are set to Allowed.  If you select Set as admin all permissions will be granted. 


Here is a list of all permissions and what they do. 

Permission Name Actions Granted
Display Application Application visible in Pigment Workspace
Configure Application  Can edit the Applications Settings
Define Application security Can edit the application security and assign Roles
Configure calendars
Can manage the calendar settings of the Application
View History Can view Block and model History (Including formulas updates and data imports). Can take Snapshots
Create & Delete Folders Can manage folders for both blocks and boards.

​Create scenarios

Can activate Scenario functionality, create new Scenarios and place Scenarios into Read Only 
​Delete scenarios Can Delete Scenarios

Formula playground

Allows users to access the Formula Playground without having the Configure Block permission they will  need to create the metric.
Display Block Explorer Can see the all Blocks in the Sidebar 
Configure Blocks Can write and edit formulas. If disabled, users can still write formulas in the formula playground. It also allows users to create and delete blocks.
Configure Views Can create and edit saved views of blocks
Add & remove List Items Can manage items in Transaction lists and Dimensions.
Import Data Can Import data into blocks and Schedule Imports.
Open Boards Can open Boards. This can be applied to specific boards through the Security panel.
Configure Boards Can access the “Edit board” button to be able to add widgets to a board.
Comment on Boards  Can comment on Boards


You can view the permissions assigned to a role by navigating to the Roles metric, located in the Security Folder. 


Access Rights


Access Rights allow you to control what data is hidden from users and what data they can read or edit.   Each role has an application-level Access Right assigned to it.  This setting applies to the entire application.  All default roles are set up for the ability to read and write in all cells with the exception of the Reader role, which is set to read-only.  


Access Rights can be customized in much greater detail and can be different for every user, regardless of their role.  Go to the Defining & Applying Custom rules article to learn how to set custom security rules. 


Applying a Role to a User 


If a user has the role of an Admin or has the Permission Define Application security set to Allowed, they will be able to assign a user a role.   When an application is created, there is a Security folder.  Within the Security Folder, there is a Role list and a Users roles Metric.  The Role list is where you can define the Permissions or application-level Access Rights. The Users Roles Metric is a metric comprised of all users within the Workspace.  To give a user a role, simply use the drop-down comprised of all the Roles and select the appropriate role.  



Security Settings Page 


The Security settings page serves as the centralized location for the security configurations for an application.  This page allows for more advanced security configurations.  This page is only available for those with the Define Application security Permission. You can read more about each section below. 


Grant roles to users

This will take you to the User roles Metric, where you can assign users a role.  This section is a shortcut to that metric for easier access.


Permissions Owner

To make sure that there is always a user who can configure Permissions and Access Rights of all Applications, each application has an owner. This owner will always have all Permissions in the application, disregarding any other configuration. 


Permissions Application

Permissions of users are defined by the Users Roles metric mentioned above. 


Complement these permission with rules for Boards

If a user has the Open Boards permission set to Allowed, they will be allowed to open all Boards in an Application.  This setting allows for a more customizable approach where you can set Board specific access.   Within the role, set the Open Boards permission to Unspecified.  Next, you can create another Metric with a data type of Permission and choose to Allowed for Open Boards.  Finally, apply that Metric to this setting and choose which boards you want it to apply to.  You can learn more here.



Complement the roles with access rights rules

By default, The Users roles Metric defines the Access Rights configuration for the entire Application.  This section allows for a more granular approach where you can specify which Data is either hidden, readable, or writeable for individual users.  Through the creation of a Metric with a data type of Access Rights, you can establish a more custom approach to your data security.  You can learn more here.


Advanced Options

Allow the removal of inherited access rights for Blocks coming from other Applications using the function RESETACCESSRIGHTS().

This toggle is for Security Admin’s only, it allows for cross-application use of the RESETACCESSRIGHTS function to remove inherited access rights through shared dimensions. 


Blocks Readable by any member

Every block in Pigment has a setting called Make Block data visible by any member this setting will override all other Access Rights configurations and allow all users with access to the Application to be able to read data in that block.  This section will show you all blocks that have that functionality enabled. 




For more information about security check out Setting up User Access: The Complete Practical Guide 

This topic has been closed for comments