Manage Workspace Permissions
Workspace permissions specify what users can do within a workspace, covering a range of activities from simply viewing dashboards to managing the workspace’s entire logical data model.
Permissions and Hierarchy Permissions
Workspace permissions can be assigned using two types of permission definitions:
permissionsare tied to an individual workspace and define what a user can do with that one specific workspace.hierarchyPermissionsare tied to a specific workspace and define what a user can do with that specific workspace and all of its child workspaces. For more information on workspace hierarchies, see the Build a Workspace Hierarchy section.
Supported Permissions
The following permissions are applicable to a workspace object:
VIEWAllows the user to view dashboards that have been shared to them.
ANALYZEAllows users to not only view but also create, edit, or delete dashboards and visualizations, alongside viewing the Logical Data Model (LDM) and metrics.
EXPORTEnables users to view dashboards and export them to PDF files, as well as export visualization data to XLSX and CSV files.
Further distinctions within the
EXPORTpermission include:EXPORT_PDF: Specifically for viewing and exporting dashboards as PDF files.EXPORT_TABULAR: Enables viewing and exporting visualization data to XLSX and CSV formats.
MANAGECovers the
VIEW,ANALYZEandEXPORTpermissions. Additionally, a user can create, edit or delete the logical data model and metrics, and access all dashboards and edit their dashboard permissions without limitations.Additional Permissions May Be Required
To be able to fully work with the LDM, a user also requires at least the `USE` permission for the data source that the workspace is connected to. See the [Manage Data Sources Permissions](../set-permissions-for-data-source/) section for details.
Set Permissions For a Workspace
Workspaces can have their permissions configured through specific API endpoints, providing a flexible approach to access control.
To directly set permissions for an individual workspace, use the /api/v1/actions/workspaces/<workspace_id>/managePermissions/ endpoint. This method does not require redefining the entire workspace layout. Access to this endpoint requires either Organization.MANAGE permission or Workspace.MANAGE hierarchyPermission.
Alternatively, you can set permissions using the declarative API through the following endpoints:
/api/v1/layout/workspaces/api/v1/layout/organization
These endpoints offer a broader scope of permissions management but require the Organization.MANAGE permission for access.
Steps:
Follow these steps to update your workspace permissions through an API call:
Define the Permissions in a JSON File
[ { "assigneeIdentifier": { "id": "<user_group_id>", "type": "userGroup" }, "hierarchyPermissions": [ "MANAGE" ] }, { "assigneeIdentifier": { "id": "<user_group_2_id>", "type": "userGroup" }, "permissions": [ "ANALYZE" ], "hierarchyPermissions": [ "EXPORT_PDF" ] }, { "assigneeIdentifier": { "id": "<user_id>", "type": "user" }, "permissions": [ "EXPORT" ] } ]Update the Workspace Permissions
Update the workspace permissions with your
jsonfile using the following API call:curl -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \ -X POST \ $HOST_URL/api/v1/actions/workspaces/<workspace_id>/managePermissions/ -d @<your_workspace_permissions>.json
Permissions JSON Structure
Permissions Definition
Use the
permissionsdefinition if you want to give a user access to a single, specific workspace.Use the
hierarchyPermissionsdefinition if you want to give a user access to a workspace and all its subordinated child workspaces.
It’s optional to use both permissions types simultaneously, depending on your access control needs.
Assignee
An assignee refers to either a
useror auser group, identified by theiridand specified bytypewithin the permissions setup.Name
The permission name (e.g.
MANAGE) within this structure dictates the level of access, mapping to specific actions that are otherwise restricted.