One Model uses Role Based Security (RBS) to assign permissions to Admins, roles and users with additional permissions available when sharing Storyboards.
The main types of permissions are;
Application Access Roles (RBS).
Data Access Roles (RBS); and
Storyboard sharing.
As an Admin or user, you may have all, some, or a few roles that will enable you to see and do different things in One Model.
Use this guide as a quick reference to see what roles and permissions are available.
Learn more about Role Based Security
Explore
General
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanExploreData | Allows users to configure and explore data using charts and tables. | None | |
| CanViewDimensions | Prerequisite to configure metrics | This permission is required to Create, Edit, and Delete metrics | None |
| CanViewDimensionDetails | Prerequisite to configure metrics and Org Chart | This permission is required to Create, Edit, and Delete metrics as well as to configure the Org Chart. | None |
Create / Edit Metrics
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanCreateMetric | Allows users to create metrics |
Users will be able to access the Create / Edit option for metrics in Explore to create metrics if user has Data Access permissions to see at least one metric. Additional permissions exist for editing and deleting metrics. Creating metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. |
CanExploreData, CanViewDimensions, CanViewDimensionDetail |
| CanEditMetric | Allows users to edit metrics | Users will be able to access the Create / Edit option for metrics in Explore to edit metrics if user has Data Access permissions to see at least one metric. Additional permissions exist for deleting metrics.Editing metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. | CanExploreData, CanViewDimensions, CanViewDimensionDetail, CanCreateMetric |
| CanDeleteMetric | Allows users to delete metrics | Users will be able to access the Create / Edit option for metrics in Explore if user has Data Access permissions to see at least one metric. They will be able to Delete any metric from the metric catalog. Creating, Editing and Deleting metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. | CanExploreData, CanViewDimensions, CanViewDimensionDetail, CanCreateMetric, CanEditMetric |
Storyboards
Home Page / Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanConfigureOrgChart | Allows users to configure and explore data using the org chart | This permission will enable the Org Chart Icon to be on the top right-hand side of the screen. | CanViewDimensionDetails |
|
CanChangeHomePage FilterSet |
Allows users to add filters and use saved filter sets on the Home Page | See Admin settings for permission to edit Home Page Template. | None |
|
CanEditHomePage DashboardTemplate |
Allows users to edit the Home Page Template. | Users need additional permission CanChangeHomePageFilterSet if user wants to change any of the filter sets on the home page. |
CanChangeHomePageFilterSet CanExploreData (for adding/editing charts) |
| CanDrillthroughMetric | Allows users to drillthrough from a data point |
Drillthrough provides additional insight by giving row-level information of the records that comprise that metric. Depending on the user's data and applications access roles, they can drillthrough from the Home Page or a Storyboard. See Admin section for permissions CanViewDrillThroughColumns and CanEditDrillThroughColumn that define which tables and fields to include in the drillthrough. |
Optional: CanViewDashboards |
|
CanShareStoryboard WithUser |
Allows sharing of Storyboards with selected users based on the Publish to permission. |
CanViewDashboards CanPublishDashboard |
Export
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanExportCSV |
Allows users to export tables and charts as .csv files |
Depending on the user's access roles, they can export images from the Home Page, a Storyboard or Explore. This permission will also show the Exports menu item. | Optional: CanExploreData, CanViewDashboards |
| CanExportImage | Allows users to export charts as .png files and Storyboards as powerpoint PPTX. | Depending on the user's access roles, they can export images from the Home Page, a Storyboard or Explore. Keep in mind that PNG Exports will not be listed under the Exports menu item. | Optional: CanExploreData, CanViewDashboards |
Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewDashboards | Allows users to view Storyboards that are shared with them. | When this is permission is disabled, the "Storyboards" menu is removed. Users need additional permissions to edit storyboards. | None |
| CanCreateDashboard | Allows users to create, copy, and delete Storyboards. | Users can create new Storyboards via the + Icon under Storyboards or by pinning a tile to a new Storyboard from Explore. | CanViewDashboards, Optional: CanExploreData |
| CanPublishDashboard | Allows users to publish Storyboards. | Publishing a Storyboard allows the user to share the Storyboard with other roles defined by the Data Access Roles. | CanViewDashboards |
Featured Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| StoryboardAdministrator | Allows users to rename Storyboard categories, replace Storyboard content, and configure Featured Storyboards. | Storyboard Administrator also needs the permission CanCreateDashboard to replace storyboard content. |
CanView Dashboards Optional: CanCreate Dashboard |
Notifications
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanConfigureData StoriesNotifications |
Allows users to subscribe to storyboard notifications. | CanViewDashboards |
One AI
One AI Embedded Insights
Permission |
Description |
Prerequisite Permissions |
|
| CanEnableOneAICorrelation | Allows users to enable Correlations | CanViewDashboards | |
| CanEnableOneAIForecast | Allows users to enable Forecasts | CanViewDashboards | |
| CanEnableOneAILineOfBest Fit | Allows users to enable Line of Best Fit | CanViewDashboards | |
| CanEnableOneAIReference Line | Allows users to enable Reference Lines | CanViewDashboards | |
| CanEnableOneAlTable Insights | Allows users to enable Table Insights | CanViewDashboards |
One AI Machine Learning
Permission |
Description |
Prerequisite Permissions |
|
|
CanAccessOneAIMenu (was CanAccessAugmentations) |
Controls whether the user sees the One AI option at the top of the screen | None | |
|
CanConfigureOneAIGenerativeAttributes (was CanConfigureGenerativeAttributes) |
Allows users to create Generative Attributes in One AI Recipes within Machine Learning Models | CanAccessOneAIMenu |
One AI Assistant
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanAccessOneAIAssistantVisualizations | Controls whether the user gets access to One AI Assistant Visualizations | None | |
| CanConfigureOneAI | Controls whether the user can configure One AI Assistant | None | |
| CanAccessOneAIAssistantStoryboards | Controls whether the user gets access to the Storyboards Nav Assist feature in One AI Assistant | None | |
| CanAccessOneAIAssistantInsights | Controls whether the user gets access to the Insights feature in One AI Assistant | CanAccessOneAIAssistantVisualizations | |
| CanAccessOneAIAssistantInsightRecommendations | Controls whether the user gets access to Recommendations when viewing Insights in One AI Assistant | CanAccessOneAIAssistantInsights | |
| CanAccessOneAIAssistantAnswers | Controls whether the user gets access to the Answers feature in One AI Assistant | None | |
| CanAccessOneAIAssistantAnswersNLResponse | Controls whether the user gets access to natural language responses in the Answers feature in One AI Assistant | CanAccessOneAIAssistantAnswers | |
| CanAccessOneAIAssistantAnalyze | Controls whether the user gets access to the Analyze feature in One AI Assistant |
CanAccessOneAIAssistantVisualizations and/or CanAccessOneAIAssistantAnswers |
|
| CanAccessOneAIAnalyzeWebSearch | Controls whether the user gets access web search via Analyze in One AI Assistant | Web search is opt-in and must be enabled by a One Model employee for the option to be visible | CanAccessOneAIAssistantAnalyze |
| CanAccessOneAIAssistantChat | Controls whether the user gets access to the Chat feature in One AI Assistant | None | |
| CanAccessOneAIChatWebSearch | Controls whether the user gets access web search via Chat in One AI Assistant | Web search is opt-in and must be enabled by a One Model employee for the option to be visible | CanAccessOneAIAssistantChat |
| CanAccessOneAIHelpWebSearch | Controls whether the user gets access to help via web search in One AI Assistant | Web search is opt-in and must be enabled by a One Model employee for the option to be visible | CanAccessOneAIAssistantChat |
Data Loads
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanConfigureNotifications | Allows users to subscribe to notifications. | This permission will enable the Notifications pane under Preferences where users can subscribe to receive an email notification when data loads have completed (when the metrics are updated) or when there is an error for all or selected data sources. | None |
| CanAccessDataLoads | Allows users to viewData Loads. | None | |
| CanModifyDataLoads | Allows users to modifyData Loads. | Gives access to process data. | CanAccessData Loads |
Sources
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewData Sources | Allows users to view the Data Sources and Data Source runs that exist. | Prerequisite permission for any other action regarding data sources. Permissions relating to Data Sources should only be given selectively and are recommended for Administrator type personas as they can control how much data is loaded from your source systems into One Model | None |
| CanCreateData Source |
Allows users to create a new data source. |
CanViewDataSources | |
| CanDeleteData Source | Allows users to delete an existing Data Source. | CanViewDataSources | |
| CanEditDataSource | Allows users to edit configurable options for a Data Source, including adding or removing data included in that Data Source. | CanViewDataSources | |
| CanConfigureData Source | Allows users to access the main configure Data Source pane. | CanViewDataSources | |
| CanRunDataSource |
Allows users to run a Data Source |
CanViewDataSources | |
| CanUploadData | Allows users to upload data into One Model | CanViewDataSources |
Destinations
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewData Destinations | Allows users to see configured Data Destinations | Permissions relating to Data Destinations should only be given selectively and are recommended for Administrator type personas as they can give data access beyond a user's Role Based Security. | None |
| CanViewData DestinationsHistory | Allows users to view the history of when a Data Destination was run. | CanViewDataDestinations | |
| CanEditData Destination | Allows users to add, edit or delete existing Data Destinations. | Gives access to process data. | CanViewDataDestinations |
| CanRunData Destinations | Allows users to run an existing Data Destination. | CanViewDataDestinations, CanEditDataDestinations |
Dimensions
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanCreateDimension | Allows users to create Dimensions. | CanViewDimension | |
| CanDeleteDimension | Allows users to delete Dimensions. | CanViewDimension | |
| CanEditDimension | Allows users to edit Dimensions. | CanViewDimension |
Data Warehouse Relationships
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewDataWarehouse RelationshipDetails | Allows users to see the details for Data Warehouse Relationships. | CanViewDataWarehouse Relationships | |
| CanViewDataWarehouse Relationships | Allows users to see the Data Warehouse Relationships. | None | |
| CanCreateDataWarehouse Relationship | Deprecated - Data Warehouse Relationships can be created through Processing Script. | CanViewDataWarehouse Relationships | |
| CanDeleteDataWarehouse Relationship | Allows users to delete Data Warehouse Relationships. | CanViewDataWarehouse Relationships | |
| CanEditDataWarehouse Relationship | Deprecated - Data Warehouse Relationships can be edited through the Processing Script | CanViewDataWarehouse Relationships |
Data Warehouse Tables
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanCreateDataWarehouseTable | Deprecated - Data warehouse Tables can be created through the Processing Script. | CanViewDataWarehouse Tables | |
| CanDeleteDataWarehouseTable | Allows users to remove references to Data Warehouse Tables. | CanViewDataWarehouse Tables | |
| CanEditDataWarehouseTable | Deprecated - Data Warehouse Tables can be edited through the Processing Script | CanViewDataWarehouse Tables | |
|
CanViewDataWarehouseTable Details |
Allows users to see the details of Data Warehouse Tables. | CanViewDataWarehouse Tables | |
| CanViewDataWarehouseTables | Allows users to see the Data Warehouse Relationships | None |
Processing Scripts
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewAndEdit ProcessingScript | Allows the user to both view and edit the Processing Script. | None | |
| CanAccessRawData | Allows users to access Raw Data in various places for troubleshooting. | This permission allows users to access raw data in different locations, mainly Data Loads and Data Destinations. | None |
SQL Explorer
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewSQLExplorer | Allows users to view SQL Explorer | None |
Admin
Branding / Cached Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanConfigureCompany | Allows users to configure the Company Settings under Admin, including branding and style, view and edit cached Storyboards. |
This will make the following submenus visible under Admin: Company, Branding, Cached Storyboards.This permission is also required to edit Company Home Page. The Company site includes some settings that require additional permissions listed below. |
None |
| CanEditCompanyValueFormat | Allows users to edit company value formats. | These include date and time formats, currency symbols, separators, etc. | CanConfigureCompany |
| CanCreatePgpConfigurations | Allows users to create new PGP keys. | CanConfigureCompany | |
|
CanDownloadPgp Configurations |
Allows users to download PGP keys. | CanConfigureCompany | |
| CanConfigureAllowlistIp | Allows users to configure the allowed IP Addresses. | CanConfigureCompany | |
| CanCreateAllowlistIp | Allows users to create allowed IP Addresses. | CanConfigureCompany CanConfigureAllowlistIp |
Users
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewUsers | Allows users to view active and inactive users. | This permission will enable the submenu "Users" under the Admin tab. Additional permissions are required to manage users listed below. | None |
| CanCreateUser | Allows users to create new users. | CanViewUsers | |
| CanEditUser | Allows users to edit settings and details for users. | CanViewUsers | |
| CanDeactivateUser | Allows users to deactive and restore users. | CanViewUsers | |
| CanUnlockUser | Allows users to unlock users. | A user may be locked out of their account after a number of unsuccessful login attempts. The Unlock Option will only show after a user has been locked out. | CanViewUsers |
| CanUploadBulkUserFile | Allows users to upload a bulk user file. | The .csv file creates new users or modifies existing users and assigns roles. | CanViewUsers |
| CanResetPasswords | Allows users to reset individual user passwords. | This control only works for users who have "Allow log in with username and password" enabled. | CanViewUsers |
| CanEditUserRoles | Allows users to edit user roles. |
This controls which Application Access Roles and Data Access Roles are assigned to users. Unless the user also has the permission to edit Data Access Roles (CanEditDataAccessRoles and CanEditDataAccessRoleUsers) or add users to Application Access Roles (CanEditRoleUsers), this page will be empty. Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewUsers, Optional: CanEditDataAccessRoles CanEditDataAccessRole Users CanEditRoleUsers |
Roles
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanCreateRole | Allows users to create Application Access Roles and Data Access Roles. |
This permission enables the Create New link for Application Access Roles and Data Access Roles. If user does not have the permission CanViewRoleDetails or CanEditDataAccessRoles, they will not be able to see the role once created. |
CanViewRoles, Optional: CanViewRoleDetails CanEditDataAccessRoles |
| CanProxyUsers | Allows users to proxy as other users. | Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | None |
| CanViewRoles | This permission will show the submenu Application Access Roles and Data Access Roles under Admin. | Users require additional permissions to see individual application and data access roles listed below. | None |
Application Access Roles
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewRoleDetails | Allows users to view all Application Access Roles. | With this permission, users can see all Application Access Roles, regardless if they have been assigned to them. Additional permissions are required to edit Application Access Roles. | CanViewRoles |
| CanEditRole | Allows users to change name and description for Application Access Roles. | This permission enables the "Edit" hyperlink for each Application Access Role. Editing in this case means changing the Name and Description of the role. |
CanViewRoles,
|
| CanEditRole Permissions | Allows users to edit Role Permissions. |
This permission enables the "Permissions" link for each Application Access Role. Under the Permissions link, users can add and remove Permissions to Application Access Roles. Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewRoles, CanViewRole Details |
| CanEditRoleUsers | Allows users to add and remove users to/from Application Access Roles. |
This permissions enables the "Users" hyperlink for each Application Access Role. Under the Users link, users can add and remove users to/from Application Access Roles. users also need this permission to enable the Roles function under the users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewRoles, CanViewRole Details |
| CanDeleteRole | Allows users to delete Application Access Roles. | This permission enables the "Delete" hyperlink for each Application Access Role. |
CanViewRoles, CanViewRole Details |
Data Access Roles
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanEditDataAccessRoles |
Allows users to edit Data Access Roles |
This permission grants users access to the Data Access Roles Menu item under the Admin tab. For every Data Access Role, it allows users to Edit, Metrics, Storyboards, Dimensions, Columns, Rules, Users, Publish To Roles, and Delete. Users will also need this permission to enable the Roles function under the Users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewRoles |
| CanEditDataAccessRoleUsers | Allows users to add or remove users from Data Access Roles. |
This permission will enable the link Users on the Data Access Roles Page to add or remove users from Data Access Roles. Users will also need this permission to enable the Roles function under the Users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
None |
| CanEditRoleDashboards* | *N/A - this is a legacy permission that is currently not functional. | ||
| CanEditRoleDimensions* | *N/A - this is a legacy permission that is currently not functional. | ||
| CanEditRoleMetrics* | *N/A - this is a legacy permission that is currently not functional. |
Drillthrough Columns
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewDrillThroughColumns | Allows users to view Drill Through Column configuration. | This permission enables the Drill Through Columns Menu item under the Admin tab. In this menu users can see the Drill Through Column configuration. In order to access Drillthrough from Storyboards or thr Home Page, users need to have the permission CanDrillThroughmetric. | None |
| CanEditDrillThroughColumn | Allows users to configure Drill Through Columns. | This is where users can edit the Drill Through Column configuration. In order to access Drillthrough from Storyboards or Home Page, users need to have the permission CanDrillThroughMetric. | CanViewDrill ThroughColumns |
Table & Column Label Editor
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanEditDataWarehouse TableAndColumnLabels | Allows users to edit the table and column labels in their instance. | This permission grants access to the Table and Column Editor page. | None |
File History
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewFileHistory | Allows users to view File History. | None |
Site Validation
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewSiteValidation | Allows users to view the Site Validation page. | This provides site errors and warnings to those who are responsible for remedial activities. | None |
Admin Reports
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewAdminReports | Allows users to access the Admin Reports option in the dropdown menu under the Admin tab. | None |
Audit Logs
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewAuditLogs | Allows users to view audit logs. | None |
Help
Permission |
Description |
Additional Information |
Prerequisite Permissions |
| CanViewHelp | Allows users to view One Model Help content or custom help URL if configured. | None |
Storyboard Sharing Permissions
Additional permissions for sharing Storyboards are found in the Settings tab on individual Storyboards. These permissions operate differently from the others as they are tied to specific Storyboards and control the actions users with assigned roles can take, such as viewing, editing, and changing the filter set.
Permission |
Description |
| Can’tVieworEdit | Role can’t view or edit the Storyboard |
| CanView | Role can only view the Storyboard |
| CanView & Edit | Role can view and edit the Storyboard. Users with this permission are referred to as ‘Storyboard Designers’. |
| CanChangeFilterSet | Role can change the filter sets applied to the Storyboard. |
Comments
0 comments
Please sign in to leave a comment.