Roles and Permissions

One Model uses Role Based Security (RBS) to assign permissions to Admins, roles and users with additional permissions available when sharing Storyboards.

The main types of permissions are:

  1. Application Access Roles (RBS);

  2. Data Access Roles (RBS); and

  3. Storyboard sharing.

As an Admin or user, you may have all, some, or a few roles that will enable you to see and do different things in One Model.

Use this guide as a quick reference to see what roles and permissions are available.

Learn more about Role Based Security

Explore

General

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanExploreData | Allows users to configure and explore data using charts and tables. | | None |
| CanViewDimensions | Prerequisite to configure metrics | This permission is required to Create, Edit, and Delete metrics | None |
| CanViewDimensionDetails | Prerequisite to configure metrics and Org Chart | This permission is required to Create, Edit, and Delete metrics as well as to configure the Org Chart. | |

Create / Edit Metrics

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanCreateMetric | Allows users to create metrics | Users will be able to access the Create / Edit option for metrics in Explore to create metrics if the user has Data Access permissions to see at least one metric. Additional permissions exist for editing and deleting metrics. Creating metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. | CanExploreData, CanViewDimensions, CanViewDimensionDetail |
| CanEditMetric | Allows users to edit metrics | Users will be able to access the Create / Edit option for metrics in Explore to edit metrics if the user has Data Access permissions to see at least one metric. Additional permissions exist for deleting metrics. Editing metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. | CanExploreData, CanViewDimensions, CanViewDimensionDetail, CanCreateMetric |
| CanDeleteMetric | Allows users to delete metrics | Users will be able to access the Create / Edit option for metrics in Explore if the user has Data Access permissions to see at least one metric. They will be able to Delete any metric from the metric catalog. Creating, Editing and Deleting metrics is a powerful permission that should only be given selectively, as it gives users access to data tables beyond their role based permissions. | CanExploreData, CanViewDimensions, CanViewDimensionDetail, CanCreateMetric, CanEditMetric |

Storyboards

Home Page / Storyboards

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanConfigureOrgChart | Allows users to configure and explore data using the org chart | This permission will enable the Org Chart Icon to be on the top right-hand side of the screen. | CanViewDimensionDetails |
| CanChangeHomePageFilterSet | Allows users to add filters and use saved filter sets on the Home Page | See Admin settings for permission to edit Home Page Template. | None |
| CanEditHomePageDashboardTemplate | Allows users to edit the Home Page Template. | Users need additional permission CanChangeHomePageFilterSet if user wants to change any of the filter sets on the home page. | CanChangeHomePageFilterSet, CanExploreData (for adding/editing charts), Optional: CanConfigureCompany to change home page image |
| CanDrillthroughMetric | Allows users to drillthrough from a data point | Drillthrough provides additional insight by giving row-level information of the records that comprise that metric. Depending on the user's data and applications access roles, they can drillthrough from the Home Page or a Storyboard. See Admin section for permissions CanViewDrillThroughColumns and CanEditDrillThroughColumn that define which tables and fields to include in the drillthrough. | Optional: CanViewDashboards |

Export

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanExportCSV | Allows users to export tables and charts as .csv files | Depending on the user's access roles, they can export images from the Home Page, a Storyboard or Explore. This permission will also show the Exports menu item. | Optional: CanExploreData, CanViewDashboards |
| CanExportImage | Allows users to export charts as .png files and Storyboards as PowerPoint PPTX. | Depending on the user's access roles, they can export images from the Home Page, a Storyboard or Explore. Keep in mind that PNG Exports will not be listed under the Exports menu item. | Optional: CanExploreData, CanViewDashboards |

Storyboards

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewDashboards | Allows users to view Storyboards that are shared with them. | When this permission is disabled, the "Storyboards" menu is removed. Users need additional permissions to edit storyboards. | None |
| CanCreateDashboard | Allows users to create, copy, and delete Storyboards. | Users can create new Storyboards via the + Icon under Storyboards or by pinning a tile to a new Storyboard from Explore. | CanViewDashboards, Optional: CanExploreData |
| CanPublishDashboard | Allows users to publish Storyboards. | Publishing a Storyboard allows the user to share the Storyboard with other roles defined by the Data Access Roles. | CanViewDashboards |

Featured Storyboards

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| StoryboardAdministrator | Allows users to rename Storyboard categories, replace Storyboard content, and configure Featured Storyboards. | Storyboard Administrator also needs the permission CanCreateDashboard to replace storyboard content. | CanViewDashboards, Optional: CanCreateDashboard |

One AI

One AI Embedded Insights

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanEnableOneAICorrelation | Allows users to enable Correlations | | CanViewDashboards |
| CanEnableOneAIForecast | Allows users to enable Forecasts | | CanViewDashboards |
| CanEnableOneAILineOfBestFit | Allows users to enable Line of Best Fit | | CanViewDashboards |
| CanEnableOneAIReferenceLine | Allows users to enable Reference Lines | | CanViewDashboards |
| CanEnableOneAlTableInsights | Allows users to enable Table Insights | | CanViewDashboards |

One AI Machine Learning

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanAccessOneAIMenu (was CanAccessAugmentations) | Controls whether the user sees the One AI option at the top of the screen | | None |
| CanConfigureOneAIGenerativeAttributes (was CanConfigureGenerativeAttributes) | Allows users to create Generative Attributes in One AI Recipes within Machine Learning Models | | CanAccessOneAIMenu |

One AI Generative AI

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanAccessOneAIAssistant | Controls whether the user gets access to One AI Assistant | | None |
| CanConfigureOneAI | Can Configure One AI settings | | None |

Data

Loads

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanConfigureNotifications | Allows users to subscribe to notifications. | This permission will enable the Notifications pane under Preferences where users can subscribe to receive an email notification when data loads have completed (when the metrics are updated) or when there is an error for all or selected data sources. | |
| CanAccessDataLoads | Allows users to view Data Loads. | | |
| CanModifyDataLoads | Allows users to modify Data Loads. | Gives access to process data. | CanAccessDataLoads |

Sources

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewDataSources | Allows users to view the Data Sources and Data Source runs that exist. | Prerequisite permission for any other action regarding data sources. Permissions relating to Data Sources should only be given selectively and are recommended for Administrator type personas as they can control how much data is loaded from your source systems into One Model. | |
| CanCreateDataSource | Allows users to create a new data source. | | CanViewDataSources |
| CanDeleteDataSource | Allows users to delete an existing Data Source. | | CanViewDataSources |
| CanEditDataSource | Allows users to edit configurable options for a Data Source, including adding or removing data included in that Data Source. | | CanViewDataSources |
| CanConfigureDataSource | Allows users to access the main configure Data Source pane. | | CanViewDataSources |
| CanRunDataSource | Allows users to run a Data Source | | CanViewDataSources |
| CanUploadData | Allows users to upload data into One Model | | CanViewDataSources |

Destinations

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewDataDestinations | Allows users to see configured Data Destinations | Permissions relating to Data Destinations should only be given selectively and are recommended for Administrator type personas as they can give data access beyond a user's Role Based Security. | |
| CanViewDataDestinationsHistory | Allows users to view the history of when a Data Destination was run. | | CanViewDataDestinations |
| CanEditDataDestination | Allows users to add, edit or delete existing Data Destinations. | Gives access to process data. | CanViewDataDestinations |
| CanRunDataDestinations | Allows users to run an existing Data Destination. | | CanViewDataDestinations, CanEditDataDestinations |
 

Dimensions

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanCreateDimension | Allows users to create Dimensions. | | CanViewDimension |
| CanDeleteDimension | Allows users to delete Dimensions. | | CanViewDimension |
| CanEditDimension | Allows users to edit Dimensions. | | CanViewDimension |

Data Warehouse Relationships

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewDataWarehouseRelationshipDetails | Allows users to see the details for Data Warehouse Relationships. | | CanViewDataWarehouseRelationships |
| CanViewDataWarehouseRelationships | Allows users to see the Data Warehouse Relationships. | | |
| CanCreateDataWarehouseRelationship | Deprecated - Data Warehouse Relationships can be created through Processing Script. | | CanViewDataWarehouseRelationships |
| CanDeleteDataWarehouseRelationship | Allows users to delete Data Warehouse Relationships. | | CanViewDataWarehouseRelationships |
| CanEditDataWarehouseRelationship | Deprecated - Data Warehouse Relationships can be edited through the Processing Script | | CanViewDataWarehouseRelationships |

Data Warehouse Tables

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanCreateDataWarehouseTable | Deprecated - Data warehouse Tables can be created through the Processing Script. | | CanViewDataWarehouseTables |
| CanDeleteDataWarehouseTable | Allows users to remove references to Data Warehouse Tables. | | CanViewDataWarehouseTables |
| CanEditDataWarehouseTable | Deprecated - Data Warehouse Tables can be edited through the Processing Script | | CanViewDataWarehouseTables |
| CanViewDataWarehouseTableDetails | Allows users to see the details of Data Warehouse Tables. | | CanViewDataWarehouseTables |
| CanViewDataWarehouseTables | Allows users to see the Data Warehouse Relationships | | |

Processing Scripts

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewAndEditProcessingScript | Allows the user to both view and edit the Processing Script. | | None |
| CanAccessRawData | Allows users to access Raw Data in various places for troubleshooting. | This permission allows users to access raw data in different locations, mainly Data Loads and Data Destinations. | |
 

Admin

Branding / Cached Storyboards

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanConfigureCompany | Allows users to configure the Company Settings under Admin, including branding and style, view and edit cached Storyboards. | This will make the following submenus visible under Admin: Company, Branding, Cached Storyboards. This permission is also required to edit Company Home Page. The Company site includes some settings that require additional permissions listed below. | None |
| CanEditCompanyValueFormat | Allows users to edit company value formats. | These include date and time formats, currency symbols, separators, etc. | CanConfigureCompany |
| CanCreatePgpConfigurations | Allows users to create new PGP keys. | | CanConfigureCompany |
| CanDownloadPgpConfigurations | Allows users to download PGP keys. | | CanConfigureCompany |
| CanConfigureAllowlistIp | Allows users to configure the allowed IP Addresses. | | CanConfigureCompany |
| CanCreateAllowlistIp | Allows users to create allowed IP Addresses. | | CanConfigureCompany, CanConfigureAllowlistIp |

Users

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewUsers | Allows users to view active and inactive users. | This permission will enable the submenu "Users" under the Admin tab. Additional permissions are required to manage users listed below. | None |
| CanCreateUser | Allows users to create new users. | | CanViewUsers |
| CanEditUser | Allows users to edit settings and details for users. | | CanViewUsers |
| CanDeactivateUser | Allows users to deactivate and restore users. | | CanViewUsers |
| CanUnlockUser | Allows users to unlock users. | A user may be locked out of their account after a number of unsuccessful login attempts. The Unlock Option will only show after a user has been locked out. | CanViewUsers |
| CanUploadBulkUserFile | Allows users to upload a bulk user file. | The .csv file creates new users or modifies existing users and assigns roles. | CanViewUsers |
| CanResetPasswords | Allows users to reset individual user passwords. | This control only works for users who have "Allow log in with username and password" enabled. | CanViewUsers |
| CanEditUserRoles | Allows users to edit user roles. | This controls which Application Access Roles and Data Access Roles are assigned to users. Unless the user also has the permission to edit Data Access Roles (CanEditDataAccessRoles and CanEditDataAccessRoleUsers) or add users to Application Access Roles (CanEditRoleUsers), this page will be empty. Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | CanViewUsers, Optional: CanEditDataAccessRoles, CanEditDataAccessRoleUsers, CanEditRoleUsers |

Roles

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanCreateRole | Allows users to create Application Access Roles and Data Access Roles. | This permission enables the Create New link for Application Access Roles and Data Access Roles. If the user does not have the permission CanViewRoleDetails or CanEditDataAccessRoles, they will not be able to see the role once created. | CanViewRoles, Optional: CanViewRoleDetails, CanEditDataAccessRoles |
| CanProxyUsers | Allows users to proxy as other users. | Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | None |
| CanViewRoles | This permission will show the submenu Application Access Roles and Data Access Roles under Admin. | Users require additional permissions to see individual application and data access roles listed below. | None |

Application Access Roles

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewRoleDetails | Allows users to view all Application Access Roles. | With this permission, users can see all Application Access Roles, regardless of whether they have been assigned to them. Additional permissions are required to edit Application Access Roles. | CanViewRoles |
| CanEditRole | Allows users to change name and description for Application Access Roles. | This permission enables the "Edit" hyperlink for each Application Access Role. Editing in this case means changing the Name and Description of the role. | CanViewRoles, CanViewRoleDetails |
| CanEditRolePermissions | Allows users to edit Role Permissions. | This permission enables the "Permissions" link for each Application Access Role. Under the Permissions link, users can add and remove Permissions to Application Access Roles. Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | CanViewRoles, CanViewRoleDetails |
| CanEditRoleUsers | Allows users to add and remove users to/from Application Access Roles. | This permission enables the "Users" hyperlink for each Application Access Role. Under the Users link, users can add and remove users to/from Application Access Roles. Users also need this permission to enable the Roles function under the Users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | CanViewRoles, CanViewRoleDetails |
| CanDeleteRole | Allows users to delete Application Access Roles. | This permission enables the "Delete" hyperlink for each Application Access Role. | CanViewRoles, CanViewRoleDetails |

Data Access Roles

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanEditDataAccessRoles | Allows users to edit Data Access Roles | This permission grants users access to the Data Access Roles Menu item under the Admin tab. For every Data Access Role, it allows users to Edit, Metrics, Storyboards, Dimensions, Columns, Rules, Users, Publish To Roles, and Delete. Users will also need this permission to enable the Roles function under the Users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | CanViewRoles |
| CanEditDataAccessRoleUsers | Allows users to add or remove users from Data Access Roles. | This permission will enable the link Users on the Data Access Roles Page to add or remove users from Data Access Roles. Users will also need this permission to enable the Roles function under the Users submenu (CanEditUserRoles). Enabling this permission will grant the user full Admin rights which will allow them to assign additional permissions to other users and themselves, even if their assigned role does not explicitly permit them to do so. | |
| CanEditRoleDashboards* | *N/A - this is a legacy permission that is currently not functional. | | |
| CanEditRoleDimensions* | *N/A - this is a legacy permission that is currently not functional. | | |
| CanEditRoleMetrics* | *N/A - this is a legacy permission that is currently not functional. | | |
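
The prerequisite column and the "full Admin rights" notes in the Users, Roles, Application Access Roles and Data Access Roles tables can be checked mechanically when reviewing role assignments. The following is an added example, not One Model code: it assumes roles and user assignments have been copied into Python dicts (the role names, users and grants are constructed) and that a user's effective permissions are the union of their roles.

```python
# Added example: audit role assignments against this page's prerequisite and escalation notes.
# Subset of the "Prerequisite Permissions" column, transcribed from the tables on this page.
PREREQS = {
    "CanCreateUser": {"CanViewUsers"},
    "CanEditUserRoles": {"CanViewUsers"},
    "CanCreateRole": {"CanViewRoles"},
    "CanEditRolePermissions": {"CanViewRoles", "CanViewRoleDetails"},
    "CanEditRoleUsers": {"CanViewRoles", "CanViewRoleDetails"},
    "CanEditDataAccessRoles": {"CanViewRoles"},
    "CanCreateDashboard": {"CanViewDashboards"},
    "CanPublishDashboard": {"CanViewDashboards"},
    "CanRunDataSource": {"CanViewDataSources"},
    "CanEditDataDestination": {"CanViewDataDestinations"},
}
# Permissions the page says grant full Admin rights when enabled.
ADMIN_EQUIVALENT = {
    "CanEditUserRoles", "CanProxyUsers", "CanEditRolePermissions",
    "CanEditRoleUsers", "CanEditDataAccessRoles", "CanEditDataAccessRoleUsers",
}
# Permissions the page says give data access beyond role based security.
BEYOND_RBS = {
    "CanCreateMetric", "CanEditMetric", "CanDeleteMetric",
    "CanViewDataDestinations", "CanViewDataDestinationsHistory",
    "CanEditDataDestination", "CanRunDataDestinations",
}
# Legacy permissions the page marks as currently not functional.
LEGACY = {"CanEditRoleDashboards", "CanEditRoleDimensions", "CanEditRoleMetrics"}


def effective_permissions(user_roles, role_permissions):
    """Assumption: a user's permissions are the union of all their roles' permissions."""
    perms = set()
    for role in user_roles:
        perms |= role_permissions.get(role, set())
    return perms


def audit(perms):
    """Report missing prerequisites and high-risk grants for one permission set."""
    missing = {}
    for perm in sorted(p for p in perms if p in PREREQS):
        gap = PREREQS[perm] - perms
        if gap:
            missing[perm] = sorted(gap)
    return {
        "missing_prereqs": missing,
        "admin_equivalent": sorted(perms & ADMIN_EQUIVALENT),
        "beyond_rbs": sorted(perms & BEYOND_RBS),
        "legacy": sorted(perms & LEGACY),
    }


def audit_users(assignments, role_permissions):
    """Audit every user on their effective (combined) permission set."""
    return {user: audit(effective_permissions(roles, role_permissions))
            for user, roles in assignments.items()}


# Constructed sample data: role names, users and grants are hypothetical.
ROLE_PERMISSIONS = {
    "Analyst": {"CanExploreData", "CanViewDashboards", "CanCreateDashboard", "CanCreateMetric"},
    "HelpDesk": {"CanViewUsers", "CanUnlockUser", "CanResetPasswords", "CanEditUserRoles"},
    "RoleEditor": {"CanEditRolePermissions", "CanViewRoles", "CanEditRoleMetrics"},
    "Viewer": {"CanViewDashboards"},
}
ASSIGNMENTS = {"alice": ["Analyst"], "bob": ["HelpDesk", "Viewer"],
               "carol": ["RoleEditor", "Viewer"], "dave": ["Viewer"]}

if __name__ == "__main__":
    for user, report in audit_users(ASSIGNMENTS, ROLE_PERMISSIONS).items():
        print(user, report)
```

In the sample data, the hypothetical "HelpDesk" role looks like a support role but carries CanEditUserRoles, which the Users table describes as granting full Admin rights.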

   

Drillthrough Columns

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewDrillThroughColumns | Allows users to view Drill Through Column configuration. | This permission enables the Drill Through Columns Menu item under the Admin tab. In this menu users can see the Drill Through Column configuration. In order to access Drillthrough from Storyboards or the Home Page, users need to have the permission CanDrillThroughmetric. | None |
| CanEditDrillThroughColumn | Allows users to configure Drill Through Columns. | This is where users can edit the Drill Through Column configuration. In order to access Drillthrough from Storyboards or Home Page, users need to have the permission CanDrillThroughMetric. | CanViewDrillThroughColumns |
 

Table & Column Label Editor

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanEditDataWarehouseTableAndColumnLabels | Allows users to edit the table and column labels in their instance. | This permission grants access to the Table and Column Editor page. | None |

File History

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewFileHistory | Allows users to view File History. | | None |

Site Validation

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewSiteValidation | Allows users to view the Site Validation page. | This provides site errors and warnings to those who are responsible for remedial activities. | None |

Admin Reports

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewAdminReports | Allows users to access the Admin Reports option in the dropdown menu under the Admin tab. | | None |

Help

| Permission | Description | Additional Information | Prerequisite Permissions |
| --- | --- | --- | --- |
| CanViewHelp | Allows users to view One Model Help content or custom help URL if configured. | | None |

 

Storyboard Sharing Permissions

Additional permissions for sharing Storyboards are found in the Settings tab on individual Storyboards. These permissions operate differently from the others as they are tied to specific Storyboards and control the actions users with assigned roles can take, such as viewing, editing, and changing the filter set.
 

| Permission | Description |
| --- | --- |
| Can’tVieworEdit | Role can’t view or edit the Storyboard |
| CanView | Role can only view the Storyboard |
| CanView & Edit | Role can view and edit the Storyboard. Users with this permission are referred to as ‘Storyboard Designers’. |
| CanChangeFilterSet | Role can change the filter sets applied to the Storyboard. |

 

 
 

 

 
