Permission Hierarchies

User groups can be nested into one another and their respective permissions can be inherited. This allows you to manage permissions of multiple user groups at once. By assigning permission to a parent user group, all of its child user groups inherit that permissions as well.

Example: Make Dashboards Easily Sharable With Everyone

This example describes how you can combine nested user groups with the SEE permission to ensure the creators of dashboards can easily share their dashboard everyone else in their workspace hierarchy.

Scenario

Suppose we have the following workspace hierarchy:

Diagram of a workspace hierarchy with one parent workspace at the top and two child workspaces below. Each workspace is connected to a different user group: Analytics group for the parent, Sales group for one child, and Devs group for the other.

The hierarchy consists of three workspaces. One is a parent workspace, and two are child workspaces. The parent workspace contains a dashboard that is inherited by the child workspaces.

There are three user groups. Each group can access one workspace:

Analytics User Group
Users in this group have a permission (ANALYZE or higher) to the Parent workspace, which means they can create, edit and share dashboards without restrictions.
Sales User Group
Users in this group have a permission (VIEW or higher) to the Sales workspace.
Dev User Group
Users in this group have a permission (VIEW or higher) to the Devs workspace.

How can you ensure that a user in the Analytics User Group is able to easily share the dashboard with users of the child workspaces?

Implement a Solution

A solution is to combine user group parent-child relationships with SEE permissions.

Diagram showing user group relationships. A Super Group sits at the top, with Sales Group and Dev Group as its children. The Super Group grants the SEE permission to an unrelated third group called Analytics Group, enabling visibility and dashboard sharing across the hierarchy.

Steps:

Create a new user group called super_group, see Create a User Group.
Make super_group the parent to sales_group and dev_group.
In the super_group object, assign SEE permission to the analytics_group.
This will let users in the analytics_group see the super_group in the list of possible user groups when sharing a dashboard.

Once you are done, you can GET your user groups using the /api/v1/layout/userGroups API endpoint and verify that it looks similar to this:

[
    ...,
    {
        "id": "analytics_group",
        "permissions": []
    },
    {
        "id": "sales_group",
        "parents": [
            {
                "id": "super_group",
                "type": "userGroup"
            }
        ],
        "permissions": []
    },
    {
        "id": "dev_group",
        "parents": [
            {
                "id": "super_group",
                "type": "userGroup"
            }
        ],
        "permissions": []
    },
    {
        "id": "super_group",
        "permissions": [
            {
                "assignee": {
                    "id": "analytics_group",
                    "type": "userGroup"
                },
                "name": "SEE"
            }
        ]
    }
]

Result

Once you have implemented the super group hierarchy, the analytics users can share dashboards from the parent workspace with all users and user groups, including the super_group itself for an easy way to share the dashboard with everyone at once:

The Share with users and groups dialog showing the list of users and groups that the object is shared with. The level of their permissions is indicated on the right.

Clicking the Add button in the top-right corner of the Share with users and groups dialog shows a dropdown with all available users and groups.

Alternatively, to update the dashboard permissions using the API, you can use the /api/v1/actions/workspaces/<workspaceId>/analyticalDashboards/<dashboardId>/managePermissions endpoint.

Create a Multitenant Environment