Data security is important, this article will discuss how Pigment can help secure your Application and maintain data privacy. Pigment Application security is composed of three main components, Roles, Permissions, and Access Rights. Permissions define what actions a user can perform, Access Rights determine what data users can access and Roles allow for easy implementation of those functionalities.
Roles are defined packages of Permission and Access Rights that application Admins can use to easily apply to users in an Application.
By default there are 5 Roles:
- Admin: This role has all permissions applied to it, allowing the user to perform all application-level functions.
- Contributor: Designed for users who will be interacting with data, this role focuses on inputting actions.
- Designer: Focused on the creation of the end-user experience, this role allows for Board specific creation actions.
- Modeler: This role is designed for Application builders. All actions are allowed except Security configuration and Block update history.
- Reader: This role is designed for those who only need to read data on Boards, all other actions are denied. This is the only role with Write access turned off, meaning users can only read, not write on data.
The Application Owner is assigned by default to the member that created the application. An Application Owner will be always have an Admin Role in the application, and only the owner has the ability to delete the application. Workspace Security Admins are able to manage the ownership of an application for any application within the workspace.
Permissions define the actions that a Pigment Member can do in a given application.
Permissions within the Pigment application determine the specific actions that a Pigment Member is authorized to perform within the context of the application. They are established by adding them to Roles and assigning a Member a Role.
Display Application: This permission enables the visibility of the application within the Pigment Workspace. Users with this permission can view the application.
Configure Application: Users with this permission can edit the application's settings, allowing them to customize and adapt the application as needed.
Define Application Security: This permission empowers users to modify application security settings and assign roles, ensuring proper access control and data protection. This permission also allows users to update the application owner.
Configure Automations: Users possessing this permission have the ability to create, edit, and delete automations.
Configure Calendars: With this permission, users can manage calendar settings for the Application.
View History: This permission grants users access to view the history of blocks , including updates to formulas and data imports. Additionally, users can capture snapshots of applications.
Create & Delete Folders: Users with this permission can effectively manage folders for both blocks and boards.
Create Scenarios: This permission activates Scenario functionality, enabling users to create and utilize new Scenarios, and place Scenarios into read-only mode.
Delete Scenarios: Users with this permission can delete scenarios.
Open Block Explorer: This permission allows users to see all blocks conveniently within the sidebar.
Configure Blocks: Users with this permission can write and edit formulas, create and delete blocks, and still engage in formula creation within the formula playground.
Configure Views: With this permission, users can craft and modify saved views of blocks, optimizing the way data is presented.
Add List Items: Users possessing this permission can add items to transactions and dimension lists, enhancing data management. This permission can be customized to be used for All Lists or individual lists
Remove List Items: This permission enables users to delete or remove items from Transactions and Dimension lists, ensuring data accuracy.
Reorder List Items: Users with this permission can rearrange items within transactions and dimension lists, promoting effective data arrangement.
Import Data: This permission empowers users to import data into blocks and schedule connector data imports.
Formula Playground Access: Users with this permission can access the Formula Playground. To Create metrics from the formula playground they need the Configure Block permission.
Can Open Boards: This permission allows users to open boards, enhancing their ability to interact with various board features.
Can Comment on Boards: Users with this permission can leave comments on boards, fostering collaboration and communication.
Can Configure Boards: This permission grants users access to the "Edit board" button, enabling them to add widgets to Boards and create new Boards.
Access rights define how a user can interact with data. There are two category of Access rights, Read and Write. The Read category has the option to be set to
No Read or
Read. The Write category has the option to be set to
No Write or
Write. These options will establish the default access to data at the application level. Learn more about Access rights here.
If you see the “Unspecified” option, you are on a legacy version of Access Rights.
Applying a role to a User
If a user has the role of an Admin or has the Permission Define Application security set to Allowed, they will be able to assign a user a role. When an application is created, there is a Security folder. Within the Security Folder, there is a Role list and a Users roles Metric. The Role list is where you can define the Permissions or application-level Access Rights. The Users Roles Metric is a metric comprised of all users within the Workspace. To give a user a role, simply use the drop-down comprised of all the Roles and select the appropriate role.
For more information on custom Access Rights configurations, check out the guide below: