Dashboard authorizations

The DSS dashboard allows people who don’t have the permissions to read or write the full content of a project to access a selected set of insights about the data project.

Within a given project, these “dashboard-only” users (who can’t read or write the full content of a project) have thus access to a subset of the objects.

This is handled by the “Dashboard authorizations” mechanism, which is available in Project > Settings > Security > Dashboard authorizations.

Both project-local objects and objects exposed from other projects can be dashboard-authorized.

Scope

Dashboard authorizations define which objects are allowed for dashboard-only users.

  • Dashboard authorizations are not tied to a group. When an object is in the list of dashboard authorizations, all dashboard-only users have access to this object. It is not possible to restrict a given object to a given set of users.
  • Dashboard authorizations apply to a whole DSS object (a dataset, a saved model, …). Thus, if a dataset is in the list of dashboard authorizations, it is technically possible, even for users who only have “read dashboard” access to access the whole content of the dataset, even though only a single chart insight is present on the dashboard.

Most dashboard authorizations only give read access (see below for more information). A few kind of objects have “authorization modes” (WRITE and RUN).

Adding objects to dashboard authorizations

You can manage which objects are in the dashboard authorizations in Project > Settings > Security > Dashboard authorizations. In order to do that you need the “Manage dashboard authorizations” project-level permission. See Main permissions for more info.

When you publish something on a dashboard (for example, a chart based on a dataset), and this object is not yet in dashboard authorizations, you will get a warning:

  • If you don’t have “Manage dashboard authorizations” permission, the warning will indicate that dashboard-only users won’t be able to see this insight in the dashboard
  • If you do have “Manage dashboard authorizations” permission, the warning will include a prompt to add this item to the list of dashboard authorizations of the project.

In Project > Settings > Security > Dashboard authorizations, it is also possible to define that all objects present in a project are dashboard-authorized. In that case, all authorizations are in read-only mode.

Details by object type

Dataset

Authorizing a dataset makes it possible to view and create the following insights on this dataset:

  • Dataset table
  • Chart
  • Comments
  • Metrics

Even if only a limited chart is available on the dashboard, if a given dataset is dashboard-authorized, then it’s technically possible to access all data in the dataset. There is no “intra-dataset” security.

Saved model

Authorizing a dataset makes it possible to view and create the following insights on this model:

  • Model report
  • Comments
  • Metrics

It gives dashboard-only users the ability to view all details (metrics, variables, …) of the model.

Managed folder

Authorizing a managed folder makes it possible to view and create the following insights on this folder:

  • Managed folder (displays the content of the folder)
  • Comments
  • Metrics

It gives dashboard-only users the ability to view all files in the folder.

Jupyter notebook

Authorizing a dataset makes it possible to view and create “Jupyter notebook”. These insights are based on exports of notebooks, not the notebook itself.

When a Jupyter notebook is dashboard-authorized, it does not give dashboard-only users the ability to execute code in the notebook, nor to create a new export of the notebook.

Web app

Authorizing a web app makes it possible to view and create the following insights on this webapp:

  • Web app (displays the content of the webapp)
  • Comments

It allows dashboard-only users to view the webapp. It does not allow them to modify the webapp or to view the backend code.

Scenario

Authorizing a scenario in read-only mode makes it possible to create an insight representing the history of runs of this scenario.

Authorizing a scenario in “run” mode makes it possible for dashboard-only users to run this scenario. This can lead to interesting use cases. For example, if a scenario takes as input a campaigns reference file on a FTP folder, the marketing team can update the file, and when they want, rerun a scenario directly from the dashboard.