- Getting started
- Licensing
- Setup and configuration
- Using Data Service
- Reference
- Examples & Tutorials
Managing Access
Clicking the Manage Access icon opens the Administration page, where you can create and manage user roles for an entity in your Data Service tenant. This extensive and granular permission model allows you to integrate all your business users using the service based on their level of expertise and your business requirements. Furthermore, you can select users or groups from your organization and assign roles to them.
Data Service is configured such that organization users can read data by default.
To limit data access, remove the Everyone group, add users or groups that need access, and assign them the desired roles.
The following steps enable you to manage your users and groups:
- From the top navigation bar, click the Manage Access icon.
The Administration page is displayed.
The following tabs are available:
Tab |
Description |
---|---|
Role assignments |
Contains a list of all the users and groups that are defined for your current tenant and their associated Roles. |
Roles |
A list of all the Roles defined for Data Service. For each role you can see the number of user or group assignments. |
Standard Roles have a predefined set of permissions. The following standard roles can be assigned to Data Service users:
- Administrator
- Data Reader
- Data Writer
-
Designer
Each standard role has a different set of permissions, including at least one administrative permission and a data access permission.
Administrative Permissions
Below is a description of the Administrative Permissions for a standard role.
Permission |
Roles with this permission... |
---|---|
Manage Permissions |
... can create new roles, edit and delete existing roles, and assign one or more roles to users or groups. |
View All Schema |
... can view the schema of all entities and choice set definitions, but cannot modify them. |
Customize All Schema |
... can view, create, edit, or delete the schema of all entities and choice set definition. |
Data Access Permissions
Below is a description of the Data Access Permissions of a standard role.
Permission |
Roles with this permission... |
---|---|
No access |
... do not have access to any entity data. Users or groups with this permission are not allowed to create, read, edit, or delete data records of an entity. |
Read access for all Entities |
... can view the data records of an entity. |
Complete read and write access for all Entities |
... can create, view, edit, and delete data records of an entity. |
The following table summarizes the default permissions of each standard role:
Standard role |
Administrative Permissions |
Data Access Permissions |
---|---|---|
Administrator |
Manage Permissions |
No access |
Data Reader |
View All Schema |
Read access for all Entities |
Data Writer |
View All Schema |
Complete read and write access for all Entities |
Designer |
View All Schema Customize All Schema |
No access |
Custom roles enable you to create custom sets of permissions that can be assigned to users or groups.
To create new custom roles, you need to have the Manage Permissions permission assigned.
For custom roles you can decide which permissions you want to assign to the role.
At creation, assign at least one Administrative Permissions to the new role. Consequently, you may assign Data Access Permissions to the role, which grants Create,Read,Edit, or Deletepermissions on the specified entities.
Administrative Permissions
Below is a description of the Administrative Permissions that can be assigned to a custom role.
Permission |
Roles with this permission... |
---|---|
Manage Roles |
... can create new roles, edit and delete existing roles, and assign one or more roles to Users/Groups. |
View Schema |
... can view the schema of all entities and choice set definitions, but cannot modify them. |
Customize All Schema |
... can view, create, edit, or delete the schema of all entities and choice set definition. |
Data Access Permissions
When defining a custom role, you can assign different data access permissions for the selected entities in the tenant.
You can select whether the custom role can create, read, edit, or delete the entity records. Moreover, if an entity has Role base field access enabled fields, you can assign data access permissions to each entity field.
Below is a description of the Data Access Permissions for an entity that can be assigned to a Custom Role.
Permission |
Roles with this permission... |
---|---|
Create |
... can create entity records. |
Read |
... can view entity records. |
Edit |
... can view and modify entity records. |
Delete |
... can view and delete entity records. |
To create a new role:
Setting permissions for specific fields
When creating entities it is possible to enable Role base field access for user-created fields. When defining a custom role, you may assign data access permissions to these fields.
Follow the steps below to set role based field permissions.
- Create a new role, or edit an existing custom role.
- If the entity has Role base field access enabled fields, a message indicating to add data access permissions is displayed: Certain fields require data access permissions. Click Add them.
- From the drop-down list, select the fields for which you want to set data access permissions.
- Set the desired permissions: Create, Read, Edit, or Delete.
- Click Save.
See also Customizing an Entity.
You may change your mind about specific permissions for a custom role. You can edit custom roles by clicking the corresponding Edit button.
If you decide you no longer need a custom role, you can remove it by clicking the corresponding Delete button.
All calls in the Data Service are based on user authorization. The decision to grant or deny an operation is always based on the effective permissions for the user based on their individual or group membership permission grants. Studio,Assistant, and Robot also inherit permissions based on their configured users.
Data Service supports all users and groups defined in the organization and doesn’t maintain a separate user list.
To add users that are part of your organization:
A group is a collection of user accounts. Data Service supports all groups defined in the account and does not maintain a separate list of groups. A permission granted to a group propagates to all users and groups.
To define the roles for a user or group follow the below steps:
Groups are user containers with specific permission sets. Permissions for groups can be configured inside each service by selecting the group and associating the desired permissions. Users get the union of all permissions assigned to the groups they are members in.
When you assign users to a group, you grant them access to all the services which have permissions configured for that specific user group. The level of access to the service is determined by the roles assigned to that group at the service level.
Group Membership |
Organization Level Role |
Data Service Roles |
---|---|---|
Administrators |
Organization Administrator | |
Automation Developers |
User | |
Automation Users |
User | |
Citizen Developers |
User | Designer and Data Writer |
Everyone |
User |
The automatic role mapping applies for tenants created after the introduction of the Citizen Developer group. For tenants created prior to the group addition, you need to add the Citizen Developer group and assign the Designer and Data Writer roles manually.
Removing users or groups from the Assign Roles tab implies the inability to access Data Service. That is, every deleted user and users part of the deleted group cannot access Data Service anymore.
To allow access once again, add organization users or groups individually, and assign them Data Service roles.
To remove a user or a group from Data Service, click the corresponding Remove user/group button.