Row-level permission control is performed on datasets. Row-level permission control of Quick BI allows you to perform authorization based on users/user groups or tags. If the number of members in an organization is large, we recommend that you use tag-based authorization. This way, you can authorize all users at a time, which reduces authorization costs and complexity and facilitates future management.

Prerequisites

A dataset is created. For more information, see Create a dataset.

Background information

Currently, only Quick BI Pro and Quick BI Enterprise Standard allow you to configure row-level permissions on a dataset in a group workspace.

Set member tags

The following example demonstrates how to allow users to view only the rows with shipping_type set to truck and air in the dataset company_sales_record.

  1. Log on to the Quick BI console.
  2. In the top navigation bar, click the Settings icon.
  3. On the Organization page, click the Members tab, find the target member, and click Edit Tags in the Actions column.For more information about how to manage tags, see Tags.
  4. In the Edit Tags dialog box, set the value of the area tag to air,truck and click OK.

After you set the member tag, you must configure tag-based authorization in the Grant Row-Level Permissions to Dataset company_sales_record dialog box.

Configure tag-based authorization

  1. Click the Workspace tab. In the left-side navigation pane, click Datasets.
  2. On the Datasets page, find the dataset company_sales_record, click the More icon in the Actions column, and select Grant Row-level Permissions.

    You can also right-click the dataset company_sales_record and select Grant Row-level Permissions.

  3. In the Grant Row-Level Permissions to Dataset company_sales_record dialog box, select Enable Row-level Access Control and select Tag for Authorize.
  4. Click the drop-down icon next to Fields and select shipping_type. Select area in the Tag column. Then, click OK.

After tag-based authorization is configured, the user can view only rows with shipping_type set to air and truck.

Example of tag-based authorization

  1. Prepare the row-level permission matrix.
    For an organization, row-level permission control is closely related to the organizational structure. The organizational structure generally includes departments and positions. A position is a collection of responsibilities and permissions that are assigned by the organization to individuals. The row-level permissions of an employee are related to the department and position of the employee, but are not totally determined by them. For example, the manager of Branch Company A is also responsible for the business of Branch Company B. The manager has the permissions to access specific data of the two branch companies.
    The row-level permission matrix is based on tag-based authorization and has the following features:
    • Permission scope:
      • example1 has the permissions to access all the data of the organization.
      • example2 has the permissions to access data in Zhejiang province in East China.
      • example3 has the permissions to access data in Hangzhou city in East China.
    • The tag fields can be customized. The fields start with tag_, such as tag_area, tag_province, and tag_city.
    • $ALL_MEMBERS$ indicates the permissions to access all data.
    • If a tag corresponds to multiple permissions, separate the permissions with commas (,).
    • If a tag is empty, the user has no permission.
  2. Import tags.
    In most cases, if tags are initialized or the organizational structure is changed greatly, you need to import tags. To import tags, follow these steps:
    1. In the top navigation bar, click the Settings icon.
    2. On the Organization page, click the Members tab and then click Import Members.
    3. In the Import Organization Members dialog box, click Upload Excel to upload the sorted-out permission matrix.
  3. Change tag values.
    If permissions of some employees need to be changed, you need to change tag values.
    1. On the Members tab of the Organization page, find the employee whose permissions need to be changed and click Edit Tags in the Actions column.
    2. In the Edit Tags dialog box, change the tag values and click OK.
  4. Specify tags for fields based on which permission control is performed.
    1. Click the Workspace tab. In the left-side navigation pane, click Datasets.
    2. On the Dataset page, right-click the target dataset and select Grant Row-level Permissions.
    3. In the Grant Row-Level Permissions to Dataset XXX (XXX indicates the dataset name) dialog box, select Enable Row-level Access Control.
    4. Select Tag for Authorize. Click the drop-down icon next to Fields and select tag parameters. Click OK.

Verify tag-based authorization

Before you enable row-level permission control, the order distribution chart displays the data of the whole country.

After you enable row-level permission control, the order distribution chart displays data of a specific area, such as Zhejiang province.