Data security is important. This article discusses how Pigment can help secure your Application and maintain data privacy. Pigment Application security is composed of three main components: Roles, Permissions, and Access Rights. Permissions define what actions a user can perform, Access Rights determine what data users can access, and Roles allow for easy implementation of those functionalities.
Roles
Roles are predefined packages of Permissions and Access Rights that application Admins can easily apply to users in an Application.
By default, there are 5 Roles:
- Admin: This role has all permissions applied to it, allowing the user to perform all application-level functions.
- Contributor: Designed for users who will be interacting with data, this role focuses on inputting actions.
- Designer: Focused on the creation of the end-user experience, this role allows for Board-specific creation actions.
- Modeler: This role is designed for Application builders. All actions are allowed except Security configuration and Block update history.
- Reader: This role is designed for those who only need to read data on Boards; all other actions are denied. This is the only role with Write access turned off, meaning users can only read data, not write it.
Permissions
Permissions define the actions that a Pigment Member can perform in a given application.
Here are the different Actions you can grant to a user:
Permission Name | Actions Granted |
---|---|
Application | |
Display Application | Application visible in Pigment Workspace |
Configure Application | Can edit the Application Settings |
Define Application security | Can edit the application security and assign Roles |
Configure calendars | Can manage the calendar settings of the model |
View History | Can view Block and model History (including formula updates and data imports). Can take snapshots of an Application |
Create & Delete Folders | Can manage folders for both blocks and boards. |
Create scenarios | Can activate Scenario functionality, create new Scenarios and place Scenarios into Read Only |
Delete scenarios | Can delete Scenarios |
Blocks | |
Open Block Explorer | Can see all Blocks in the Sidebar |
Configure Blocks | Can write and edit formulas. If disabled, users can still write formulas in the formula playground. It also allows users to create and delete blocks. |
Configure Views | Can create and edit saved views of blocks |
Add List Items | Can add items in Transactions and Dimension lists. The default setting is that this permission is granted for all lists, but you can use the dropdown to indicate that a role should only have this permission on selected lists |
Remove List items | Can delete or remove items in Transactions and Dimension lists. The default setting is that this permission is granted for all lists, but you can use the dropdown to indicate that a role should only have this permission on selected lists |
Reorder List items | Can reorder items in Transactions and Dimension lists. The default setting is that this permission is granted for all lists, but you can use the dropdown to indicate that a role should only have this permission on selected lists |
Import Data | Can import data into Blocks and schedule imports. |
Formula playground | Allows users to access the Formula Playground without having the Configure Blocks permission that they would need to create a metric. |
Boards | |
Can open | Can open Boards. This can be applied to specific boards through the Security panel. |
Can comment | Can comment on Boards |
Can configure | Can access the “Edit board” button to be able to add widgets to a Board. |
Access rights
Access Rights define how a user can interact with data. Within Read and Write there are three options: Allowed, Denied, and Unspecified. These can be set for the entire application within the Role list. For example, the Reader role has Read set to Allowed and Write set to Denied. This means that, throughout the entire application, users with this role can only read data.
Applying a role to a User
If a user has the Admin role or has the Permission Define Application security set to Allowed, they will be able to assign a role to a user. When an application is created, it contains a Security folder. Within the Security folder, there is a Role list and a Users Roles Metric. The Role list is where you can define the Permissions or application-level Access Rights. The Users Roles Metric is a metric composed of all users within the Workspace. To give a user a role, use the drop-down, which lists all the Roles, and select the appropriate role.
For more information on custom Access Rights configurations, check out Setting up User Access: The Complete Practical Guide.