One Model uses Role Based Security (RBS) to assign permissions to Admins, roles and users with additional permissions available when sharing Storyboards.
The main types of permissions are;
-
Application Access Roles (RBS).
-
Data Access Roles (RBS); and
-
Storyboard sharing.
As an Admin or user, you may have all, some, or a few roles that will enable you to see and do different things in One Model.
Use this guide as a quick reference to see what roles and permissions are available.
Learn more about Role Based Security
Explore
General
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanExploreData | Allows users to configure and explore data using charts and tables. | None |
Create / Edit Metrics
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewDimensions | Prerequisite to configure metrics | This permission is required to Create, Edit, and Delete metrics | |
CanViewDimensionDetails | Prerequisite to configure metrics and Org Chart | This permission is required to Create, Edit, and Delete metrics as well as to configure the Org Chart. | |
CanCreateMetric | Allows users to create metrics | Users will be able to access the Create / Edit option for metrics in Explore to create metrics if user has Data Access permissions to see at least one metric. Additional permissions exist for editing and deleting metrics. Creating metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. |
CanExploreData, CanViewDimensions, CanViewDimensionDetail |
CanEditMetric |
Allows users to edit metrics | Users will be able to access the Create / Edit option for metrics in Explore to edit metrics if user has Data Access permissions to see at least one metric. Additional permissions exist for deleting metrics.Editing metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. | CanExploreData, CanViewDimensions, CanViewDimensionDetail, CanCreateMetric |
CanDeleteMetric | Allows users to delete metrics | Users will be able to access the Create / Edit option for metrics in Explore if user has Data Access permissions to see at least one metric. They will be able to Delete any metric from the metric catalog. Creating, Editing and Deleting metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. |
CanExploreData, CanViewDimensions, CanViewDimensionDetail, CanCreateMetric, CanEditMetric |
Storyboards
Home Page / Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanConfigureOrgChart | Allows users to configure and explore data using the org chart | This permission will enable the Org Chart Icon to be on the top right-hand side of the screen. | CanViewDimensionDetails |
CanChangeHomePageFilterSet | Allows users to add filters and use saved filter sets on the Home Page | See Admin settings for permission to edit Home Page Template. | None |
CanDrillthroughMetric | Allows users to drillthrough from a data point | Drillthrough provides additional insight by giving row-level information of the records that comprise that metric. Depending on the user's data and applications access roles, they can drillthrough from the Home Page or a Storyboard. See Admin section for permissions CanViewDrillThroughColumns and CanEditDrillThroughColumn that define which tables and fields to include in the drillthrough. |
Optional: CanViewDashboards |
Export
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanExportCSV |
Allows users to export tables and charts as .csv files |
Depending on the user's access roles, they can export images from the Home Page, a Storyboard or Explore. This permission will also show the Exports menu item. | Optional: CanExploreData, CanViewDashboards |
CanExportImage | Allows users to export charts as .png files and Storyboards as powerpoint PPTX. | Depending on the user's access roles, they can export images from the Home Page, a Storyboard or Explore. Keep in mind that PNG Exports will not be listed under the Exports menu item. | Optional: CanExploreData, CanViewDashboards |
Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewDashboards |
Allows users to view Storyboards that are shared with them. |
When this is permission is disabled, the "Storyboards" menu is removed. Users need additional permissions to edit storyboards. | None |
CanCreateDashboard |
Allows users to create, copy, and delete Storyboards. |
Users can create new Storyboards via the + Icon under Storyboards or by pinning a tile to a new Storyboard from Explore. | CanViewDashboards, Optional: CanExploreData |
CanPublishDashboard | Allows users to publish Storyboards. | Publishing a Storyboard allows the user to share the Storyboard with other roles defined by the Data Access Roles. | CanViewDashboards |
Featured Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
StoryboardAdministrator | Allows users to rename Storyboard categories, replace Storyboard content, and configure Featured Storyboards. | Storyboard Administrator also needs the permission CanCreateDashboard to replace storyboard content. | CanViewDashboards, Optional: CanCreateDashboard |
One AI
One AI Embedded Insights
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanEnableOneAICorrelation | Allows users to enable One AI Correlations | CanViewDashboards | |
CanEnableOneAIForecast | Allows users to enable One AI Forecasts | CanViewDashboards | |
CanEnableOneAILineOfBestFit | Allows users to enable One AI Line of Best Fit regression | CanViewDashboards | |
CanEnableOneAlTableInsights | Allows users to enable One Al Table Insights | CanViewDashboards |
One AI Machine Learning
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanAccessOneAIMenu (was CanAccessAugmentations) |
Allows users to access the Augmentations option in the Data menu | Augmentations include Data Augmentations and Machine Learning Models. | None |
CanConfigureOneAIGenerativeAttributes (was CanConfigureGenerativeAttributes) |
Allows users to create Generative Attribues in One AI Recipes within Machine Learning Models | CanAccessOneAIMenu |
One AI Generative AI
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanAccessOneAIDiscover |
Controls access to One AI Discover | None | |
CanAccessOneAIDescribe |
Controls access to One AI Describe | CanAccessOneAIDiscover |
Data
Loads
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanConfigureNotifications | Allows users to subscribe to notifications. | This permission will enable the Notifications pane under Preferences where users can subscribe to receive an email notification when data loads have completed (when the metrics are updated) or when there is an error for all or selected data sources. | |
CanAccessDataLoads |
Allows users to view Data Loads. |
||
CanModifyDataLoads |
Allows users to modify Data Loads. |
Gives access to process data. | CanAccessDataLoads |
Sources
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewDataSources |
Allows users to view the Data Sources and Data Source runs that exist. |
Prerequisite permission for any other action regarding data sources. Permissions relating to Data Sources should only be given selectively and are recommended for Administrator type personas as they can control how much data is loaded from your source systems into One Model | |
CanCreateDataSource |
Allows users to create a new data source. |
CanViewDataSources | |
CanDeleteDataSource | Allows users to delete an existing Data Source. | CanViewDataSources | |
CanEditDataSource |
Allows users to edit configurable options for a Data Source, including adding or removing data included in that Data Source. |
CanViewDataSources | |
CanConfigureDataSource | Allows users to access the main configure Data Source pane. | CanViewDataSources | |
CanRunDataSource |
Allows users to run a Data Source |
CanViewDataSources | |
CanUploadData |
Allows users to upload data into One Model |
CanViewDataSources |
Destinations
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewDataDestinations | Allows users to see configured Data Destinations | Permissions relating to Data Destinations should only be given selectively and are recommended for Administrator type personas as they can give data access beyond a user's Role Based Security. | |
CanViewDataDestinationsHistory |
Allows users to view the history of when a Data Destination was run. |
CanViewDataDestinations | |
CanEditDataDestination |
Allows users to add, edit or delete existing Data Destinations. |
Gives access to process data. | CanViewDataDestinations |
CanRunDataDestinations |
Allows users to run an existing Data Destination. |
CanViewDataDestinations, CanEditDataDestinations |
Processing Scripts
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewAndEditProcessingScript | Allows the user to both view and edit the Processing Script. | None | |
CanAccessRawData | Allows users to access Raw Data in various places for troubleshooting. | This permission allows users to access raw data in different locations, mainly Data Loads and Data Destinations. | |
CanCreateDimension | Allows users to create Dimensions. | CanViewDimension | |
CanDeleteDimension | Allows users to delete Dimensions. | CanViewDimension | |
CanEditDimension | Allows users to edit Dimensions. | CanViewDimension | |
CanModifyDataLoads | Allows users to start a new Data Load to process data. | CanAccessDataLoads | |
CanCreateDataWarehouse Relationship |
Deprecated - Data Warehouse Relationships can be created through Processing Script. |
CanViewDataWarehouse Relationships |
|
CanCreateDataWarehouseTable | Deprecated - Data warehouse Tables can be created through the Processing Script. | CanViewDataWarehouseTables | |
CanDeleteDataWarehouse Relationship |
Allows users to delete Data Warehouse Relationships. |
CanViewDataWarehouse Relationships |
|
CanDeleteDataWarehouseTable | Allows users to remove references to Data Warehouse Tables. | CanViewDataWarehouseTables | |
CanEditDataWarehouseRelationship | Deprecated - Data Warehouse Relationships can be edited through the Processing Script |
CanViewDataWarehouse Relationships |
|
CanEditDataWarehouseTable | Deprecated - Data Warehouse Tables can be edited through the Processing Script | CanViewDataWarehouseTables | |
CanViewDataWarehouse RelationshipDetails |
Allows users to see the details for Data Warehouse Relationships. |
CanViewDataWarehouse Relationships |
|
CanViewDataWarehouse Relationships |
Allows users to see the Data Warehouse Relationships. | ||
CanViewDataWarehouseTable Details |
Allows users to see the details of Data Warehouse Tables. | CanViewDataWarehouseTables | |
CanViewDataWarehouseTables | Allows users to see the Data Warehouse Relationships |
Admin
Branding / Cached Storyboards
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanConfigureCompany | Allows users to configure the Company Settings under Admin, including branding and style, view and edit cached Storyboards. | This will make the following submenus visible under Admin: Company, Branding, Cached Storyboards. The Company site includes some settings that require additional permissions listed below. |
None |
CanConfigureOneAI | Access One AI configuration option under the Admin Menu | ||
CanEditHomePageDashboard Template |
Allows users to edit the Home Page Template. | Users need additional permission CanChangeHomePageFilterSet if user wants to change any of the filter sets on the home page. This one is located under Storyboards. |
CanConfigureCompany, Optional: CanChangeHomePage FilterSet |
CanEditCompanyValueFormat | Allows users to edit company value formats. | These include date and time formats, currency symbols, separators, etc. | CanConfigureCompany |
CanCreatePgpConfigurations | Allows users to create new PGP keys. | CanConfigureCompany | |
CanDownloadPgp Configurations |
Allows users to download PGP keys. | CanConfigureCompany | |
CanConfigureAllowlistIp | Allows users to configure the allowed IP Addresses. | CanConfigureCompany | |
CanCreateAllowlistIp | Allows users to create allowed IP Addresses. | CanConfigureCompany CanConfigureAllowlistIp |
Users
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewUsers | Allows users to view active and inactive users. | This permission will enable the submenu "Users" under the Admin tab. Additional permissions are required to manage users listed below. | None |
CanCreateUser | Allows users to create new users. | CanViewUsers | |
CanEditUser | Allows users to edit settings and details for users. | CanViewUsers | |
CanDeactivateUser | Allows users to deactive and restore users. | CanViewUsers | |
CanUnlockUser | Allows users to unlock users. | A user may be locked out of their account after a number of unsuccessful login attempts. The Unlock Option will only show after a user has been locked out. | CanViewUsers |
CanUploadBulkUserFile | Allows users to upload a bulk user file. | The .csv file creates new users or modifies existing users and assigns roles. | CanViewUsers |
CanResetPasswords | Allows users to reset individual user passwords. | This control only works for users who have "Allow log in with username and password" enabled. | CanViewUsers |
CanEditUserRoles | Allows users to edit user roles. | This controls which Application Access Roles and Data Access Roles are assigned to users. Unless the user also has the permission to edit Data Access Roles (CanEditDataAccessRoles and CanEditDataAccessRoleUsers) or add users to Application Access Roles (CanEditRoleUsers), this page will be empty. Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewUsers, Optional: CanEditDataAccessRoles CanEditDataAccessRoleUsers CanEditRoleUsers |
Roles
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanCreateRole | Allows users to create Application Access Roles and Data Access Roles. | This permission enables the Create New link for Application Access Roles and Data Access Roles. If user does not have the permission CanViewRoleDetails or CanEditDataAccessRoles, they will not be able to see the role once created. |
CanViewRoles, Optional: CanViewRoleDetails CanEditDataAccessRoles |
CanProxyUsers | Allows users to proxy as other users. | Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | None |
CanViewRoles | This permission will show the submenu Application Access Roles and Data Access Roles under Admin. | Users require additional permissions to see individual application and data access roles listed below. | None |
Application Access Roles
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewRoleDetails |
Allows users to view all Application Access Roles. |
With this permission, users can see all Application Access Roles, regardless if they have been assigned to them. Additional permissions are required to edit Application Access Roles. | CanViewRoles |
CanEditRole | Allows users to change name and description for Application Access Roles. | This permission enables the "Edit" hyperlink for each Application Access Role. Editing in this case means changing the Name and Description of the role. | CanViewRoles, CanViewRoleDetails |
CanEditRolePermissions | Allows users to edit Role Permissions. | This permission enables the "Permissions" link for each Application Access Role. Under the Permissions link, users can add and remove Permissions to Application Access Roles. Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewRoles, CanViewRoleDetails |
CanEditRoleUsers | Allows users to add and remove users to/from Application Access Roles. | This permissions enables the "Users" hyperlink for each Application Access Role. Under the Users link, users can add and remove users to/from Application Access Roles. users also need this permission to enable the Roles function under the users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewRoles, CanViewRoleDetails |
CanDeleteRole | Allows users to delete Application Access Roles. | This permission enables the "Delete" hyperlink for each Application Access Role. | CanViewRoles, CanViewRoleDetails |
Data Access Roles
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanEditDataAccessRoles |
Allows users to edit Data Access Roles |
This permission grants users access to the Data Access Roles Menu item under the Admin tab. For every Data Access Role, it allows users to Edit, Metrics, Storyboards, Dimensions, Columns, Rules, Users, Publish To Roles, and Delete. Users will also need this permission to enable the Roles function under the Users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
CanViewRoles |
CanEditDataAccessRoleUsers |
Allows users to add or remove users from Data Access Roles. |
This permission will enable the link Users on the Data Access Roles Page to add or remove users from Data Access Roles. Users will also need this permission to enable the Roles function under the Users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. |
|
CanEditRoleDashboards* |
*N/A - this is a legacy permission that is currently not functional. |
||
CanEditRoleDimensions* |
*N/A - this is a legacy permission that is currently not functional. |
||
CanEditRoleMetrics* |
*N/A - this is a legacy permission that is currently not functional. |
Drillthrough Columns
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewDrillThroughColumns | Allows users to view Drill Through Column configuration. | This permission enables the Drill Through Columns Menu item under the Admin tab. In this menu users can see the Drill Through Column configuration. In order to access Drillthrough from Storyboards or thr Home Page, users need to have the permission CanDrillThroughmetric. | none |
CanEditDrillThroughColumn | Allows users to configure Drill Through Columns. | This is where users can edit the Drill Through Column configuration. In order to access Drillthrough from Storyboards or Home Page, users need to have the permission CanDrillThroughMetric. | CanViewDrillThroughColumns |
Import / Export Configuration
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanImportExportConfigurations | Allows users to import and export site configurations used for implementation setup. | This permission enables the menu item Import/Export Configuration under Admin. | None |
Table & Column Label Editor
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanEditDataWarehouseTableAndColumnLabels | Allows users to edit the table and column labels in their instance. | This permission grants access to the Table and Column Editor page. | None |
File History
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewFileHistory | Allows users to view File History. | None |
Site Validation
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewSiteValidation | Allows users to view the Site Validation page. | This provides site errors and warnings to those who are responsible for remedial activities. | None |
Admin Reports
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewAdminReports | Allows users to access the Admin Reports option in the dropdown menu under the Admin tab. | None |
Help
Permission |
Description |
Additional Information |
Prerequisite Permissions |
CanViewHelp | Allows users to view One Model Help content or custom help URL if configured. | None |
Storyboard Sharing Permissions
Permission |
Description |
Can’tVieworEdit | Role can’t view or edit the Storyboard |
CanView | Role can only view the Storyboard |
CanView & Edit | Role can view and edit the Storyboard. Users with this permission are referred to as ‘Storyboard Designers’. |
CanChangeFilterSet | Role can change the filter sets applied to the Storyboard. |
Comments
0 comments
Please sign in to leave a comment.