Restrict Access to Native GoodData UI
GoodData supports deployments where users interact exclusively through a custom application, without accessing GoodData’s native UI apps (Analytical Designer, Dashboards, Modeler, Metric Editor, Home UI). Administrators can enforce this by restricting access to the native UI at the organization level.
Not a security boundary
This is a UX-level restriction. Data and management APIs remain accessible according to user permissions. Native iFrame embedding is also blocked for users without access. Export-mode dashboard rendering and single‑widget embedding continue to work.
Behavior
When the RESTRICT_BASE_UI organization setting is enabled:
| RESTRICT_BASE_UI | User has Organization.MANAGE | User has BASE_UI_ACCESS | Native UI apps load? | iFrame embedding? |
|---|---|---|---|---|
| Not set / false | any | any | Yes | Yes |
| true | Yes | any | Yes (implicit) | Yes |
| true | No | Yes | Yes | Yes |
| true | No | No | No | No |
Notes:
- Organization administrators (users with Organization.MANAGE) always have BASE_UI_ACCESS implicitly.
- iFrame embedding of native apps is disabled for users without BASE_UI_ACCESS.
- Dashboard rendering in export mode and single‑widget embedding continue to work.
Configure the setting
Create or update the organization setting restrictBaseUi (type: RESTRICT_BASE_UI) via API.
Create:
curl "$ENDPOINT/api/v1/entities/organizationSettings" \
  -H "Content-Type: application/vnd.gooddata.api+json" \
  -H "Accept: application/vnd.gooddata.api+json" \
  -H "Authorization: Bearer {API_TOKEN}" \
  -X POST \
  -d '{
    "data": {
      "type": "organizationSetting",
      "id": "restrictBaseUi",
      "attributes": {
        "content": { "enabled": true },
        "type": "RESTRICT_BASE_UI"
      }
    }
  }'
Update:
curl "$ENDPOINT/api/v1/entities/organizationSettings/restrictBaseUi" \
  -H "Content-Type: application/vnd.gooddata.api+json" \
  -H "Accept: application/vnd.gooddata.api+json" \
  -H "Authorization: Bearer {API_TOKEN}" \
  -X PUT \
  -d '{
    "data": {
      "type": "organizationSetting",
      "id": "restrictBaseUi",
      "attributes": {
        "content": { "enabled": true },
        "type": "RESTRICT_BASE_UI"
      }
    }
  }'
By default, RESTRICT_BASE_UI is not set, and all users can access the native UI.
Grant access selectively
When RESTRICT_BASE_UI is enabled, only users with the BASE_UI_ACCESS permission can load the native UI. Organization administrators always have access implicitly.
Manage organization permissions via the dedicated endpoint:
Get permissions:
curl "$ENDPOINT/api/v1/layout/organization/permissions" \
  -H "Authorization: Bearer {API_TOKEN}"
Set permissions (PUT replaces the full list):
curl -X PUT "$ENDPOINT/api/v1/layout/organization/permissions" \
  -H "Authorization: Bearer {API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '[
    { "assignee": { "id": "adminGroup", "type": "userGroup" }, "name": "MANAGE" },
    { "assignee": { "id": "embed_user", "type": "user" }, "name": "BASE_UI_ACCESS" }
  ]'
For background on permissions, see Manage Organization Permissions.
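Because the PUT replaces the full list, a hand-written body that names only the new grant removes every other organization permission. The following is an added example, not GoodData's own code, showing a read-merge-write that keeps existing entries and a pre-flight check that lists what a proposed body would drop. It assumes the GET returns the same JSON array shape as the PUT body shown above and that `ENDPOINT` and `API_TOKEN` are set as environment variables; all function names are hypothetical.

```python
import json
import os
import urllib.request

PERMS_PATH = "/api/v1/layout/organization/permissions"  # endpoint from the page


def _key(entry):
    """Identity of one permission entry: (assignee type, assignee id, name)."""
    return (entry["assignee"]["type"], entry["assignee"]["id"], entry["name"])


def merge_grant(current, assignee_id, assignee_type="user", name="BASE_UI_ACCESS"):
    """Full list for PUT: every existing entry kept, the grant added at most once."""
    grant = {"assignee": {"id": assignee_id, "type": assignee_type}, "name": name}
    merged, seen = [], set()
    for entry in list(current) + [grant]:
        if _key(entry) not in seen:
            seen.add(_key(entry))
            merged.append(entry)
    return merged


def dropped_entries(current, proposed):
    """Entries that a PUT of `proposed` would remove from `current`."""
    kept = {_key(e) for e in proposed}
    return [e for e in current if _key(e) not in kept]


def _call(method, body=None):
    # Assumption: ENDPOINT and API_TOKEN are environment variables.
    req = urllib.request.Request(
        os.environ["ENDPOINT"] + PERMS_PATH,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Authorization": "Bearer " + os.environ["API_TOKEN"],
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def grant_base_ui_access(assignee_id, assignee_type="user"):
    """GET the live list, merge the grant, and PUT only if something changed."""
    current = _call("GET")  # assumption: same array shape as the PUT body
    proposed = merge_grant(current, assignee_id, assignee_type)
    if proposed != current:
        _call("PUT", proposed)
    return proposed
```

Run `dropped_entries(current, proposed)` against any manually edited body before sending it; a non-empty result that includes a `MANAGE` entry means the PUT would remove an administrator assignment.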