Data security is important. This article discusses how Pigment can help secure your Application and maintain data privacy. Pigment Application security is composed of three main components: Roles, Permissions, and Access Rights. Permissions define what actions a user can perform, Access Rights determine what data users can access, and Roles allow for easy implementation of those functionalities.
Roles are predefined packages of Permissions and Access Rights that application Admins can easily apply to users in an Application.
By default there are 5 Roles:
- Admin: This role has all permissions applied to it, allowing the user to perform all application-level functions.
- Contributor: Designed for users who will be interacting with data, this role focuses on inputting actions.
- Designer: Focused on the creation of the end-user experience, this role allows for Board specific creation actions.
- Modeler: This role is designed for Application builders. All actions are allowed except Security configuration and Block update history.
- Reader: This role is designed for those who only need to read data on Boards; all other actions are denied. This is the only role with Write access turned off, meaning users can only read data, not write it.
Permissions define the actions that a Pigment Member can do in a given application.
Here are the different Actions you can grant to a user:
| Permission Name | Actions Granted |
|---|---|
| Display Application | Application visible in Pigment Workspace |
| Configure Application | Can edit the Application Settings |
| Define Application security | Can edit the application security and assign Roles |
| Configure calendars | Can manage the calendar settings of the model |
| View Application and Blocks updates | Can view Block and model History (including formula updates and data imports) |
| Create & Delete Folders | Can manage folders for both Blocks and Boards |
| | Can activate Scenario functionality, create new Scenarios and place Scenarios into Read Only |
| Delete scenarios | Can delete Scenarios |
| Display Block Explorer | Can see all Blocks in the Sidebar |
| Configure Blocks | Can write and edit formulas. If disabled, users can still write formulas in the formula playground. It also allows users to create and delete Blocks. |
| Configure Views | Can create and edit saved views of Blocks |
| Add & remove List Items | Can manage items in Transaction lists and Dimensions |
| Import Data | Can import data into Blocks and schedule Imports |
| Open Boards | Can open Boards. This can be applied to specific Boards through the Security panel. |
| Configure Boards | Can Import data into blocks. |
| Comment on Boards | Can comment on Boards |
Access Rights define how a user can interact with data. Within Read and Write there are three options: Allowed, Denied and Unspecified. These can be set for the entire application within the Role list. For example, the Reader role has Read set to Allowed and Write set to Denied. This means that throughout the entire application, users with this role can only read data.
Applying a role to a User
If a user has the Admin role or has the Permission Define Application security set to Allowed, they can assign a role to a user. When an application is created, it contains a Security folder. Within the Security folder, there is a Role list and a Users roles Metric. The Role list is where you define the Permissions and the application-level Access Rights. The Users Roles Metric is a metric comprised of all users within the Workspace. To give a user a role, use the drop-down comprised of all the Roles and select the appropriate role.
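An access review built on the rule above, as an added example that is not Pigment code: it lists who can assign roles (Admin role, or Define Application security set to Allowed) and who can write data. The dictionary shapes, the "Finance lead" custom role and the user addresses are constructed assumptions, since the export format is not described in this article; Unspecified is reported separately because the article does not say how it resolves.

```python
# Added example, not Pigment code; dict shapes and sample data are constructed.
ALLOWED, DENIED, UNSPECIFIED = "Allowed", "Denied", "Unspecified"
SECURITY_PERMISSION = "Define Application security"

# Constructed Role list: permission states plus application-level Access Rights.
ROLE_LIST = {
    "Admin": {"permissions": {SECURITY_PERMISSION: ALLOWED},
              "read": ALLOWED, "write": ALLOWED},
    "Modeler": {"permissions": {SECURITY_PERMISSION: DENIED},
                "read": ALLOWED, "write": ALLOWED},
    "Reader": {"permissions": {"Open Boards": ALLOWED},
               "read": ALLOWED, "write": DENIED},
    # Hypothetical custom role, to show a non-Admin who can assign roles.
    "Finance lead": {"permissions": {SECURITY_PERMISSION: ALLOWED},
                     "read": ALLOWED, "write": UNSPECIFIED},
}
# Constructed Users Roles mapping (user -> selected role, None if blank).
USER_ROLES = {
    "alice@example.com": "Admin",
    "bob@example.com": "Reader",
    "carol@example.com": "Finance lead",
    "dave@example.com": "Modeler",
    "erin@example.com": None,
    "frank@example.com": "Retired role",  # role no longer in the Role list
}

def review(role_list, user_roles):
    """Group users by the access their assigned role gives them."""
    findings = {key: [] for key in ("can_assign_roles", "write_allowed",
                                    "write_unspecified", "no_role", "unknown_role")}
    for user, role_name in sorted(user_roles.items()):
        role = role_list.get(role_name) if role_name else None
        if role is None:
            findings["no_role" if role_name is None else "unknown_role"].append(user)
            continue
        # Rule from the article: Admin, or the security permission Allowed.
        state = role["permissions"].get(SECURITY_PERMISSION, UNSPECIFIED)
        if role_name == "Admin" or state == ALLOWED:
            findings["can_assign_roles"].append(user)
        # Unspecified is kept apart: its resolution is not defined here.
        write = role.get("write", UNSPECIFIED)
        if write == ALLOWED:
            findings["write_allowed"].append(user)
        elif write == UNSPECIFIED:
            findings["write_unspecified"].append(user)
    return findings

if __name__ == "__main__":
    for finding, users in review(ROLE_LIST, USER_ROLES).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```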
For more information on custom Access Rights configurations, check out Setting up User Access: The Complete Practical Guide.