Roles and Permissions
1. Permission Model
Tenant-level permissions are controlled by the RBAC (Role-Based Access Control) model. Each entity has an owner (OWNER), and the owner can grant access permissions for that entity.
2. Tenant
The user who creates a tenant is the tenant OWNER. Tenants include the following permission points:
| Permission Point | Permission Description | Super Administrator (OWNER) | Administrator | Metric Definer | Metric Consumer |
|---|---|---|---|---|---|
| Data Management | Has owner permissions for all data sources, datasets, dimensions, metrics, categories, and acceleration tasks. This permission cannot be assigned and is available only to OWNER and platform administrators. | √ | √ | ||
| Manage Roles | 1. Create regular roles by using permission points under the tenant. 2. Delete regular roles. 3. Grant regular roles to users. a. Super administrators can grant Administrator, Metric Definer, and Metric Consumer roles. b. Administrators can grant Metric Definer and Metric Consumer roles. 4. This permission cannot be assigned to regular roles and is available only to super administrators and platform administrators. |
√ | √ | ||
| Manage Users | 1. Create users. 2. Reset user passwords. 3. Delete users. |
√ | √ | ||
| Manage User Groups | 1. Create user groups. 2. Manage user group hierarchy relationships. 3. Add users to user groups. 4. Delete user groups. |
√ | √ | ||
| Manage Metric Categories | Can create root categories. | √ | √ | ||
| Manage Dimension Categories | Can create dimension categories. | √ | √ | ||
| Manage Dataset Categories | Can create dataset categories. | √ | √ | ||
| Acceleration Tasks | Can create acceleration tasks. | √ | √ | ||
| Data Sources | Can create data sources. | √ | √ | √ | |
| Datasets | Can create datasets. | √ | √ | √ | |
| Dimensions | Can create dimensions. | √ | √ | √ | |
| Metrics | Can create metrics. | √ | √ | √ | |
| Metric Dashboards | Can create metric dashboards. | √ | √ | √ | √ |
| Analysis Views | Can create analysis views. | √ | √ | √ | √ |
Note
- Only the owner can delete an asset or transfer permissions.
- Editing data source connections and configuration changes requires owner or administrator permissions.
- Without data source usage permission, users cannot create datasets.
3. Data Sources
The user who creates a data source is the data source owner. Users with the Data Management permission are equivalent to owners.
| Permission Point | Permission Description | Actual Operations (Menu) | Applicable Objects |
|---|---|---|---|
| Owner | 1. Exclusive to the data source creator and cannot be granted to others. 2. Delete the data source. 3. Edit data source connection information. 4. Transfer owner permissions. |
· Edit · Grant/Revoke Permissions · Transfer · Delete |
Owner |
| Manage | 1. Edit data source connection information. 2. Grant permissions to other users or user groups. Can grant both manager and user permissions. 3. Revoke permissions from others. 4. Transfer owner permissions. |
· Edit · Grant/Revoke Permissions |
Owner, Administrator |
| Use | Use tables in the data source. | · Query/read data source tables · Create datasets based on the data source |
Owner, Administrator, users granted Use permission |
Additional Notes
- Only the owner can delete an asset or transfer permissions.
- Editing data source connections and configuration changes requires owner or administrator permissions.
- Without data source usage permission, users cannot create datasets.
4. Datasets
The user who creates a dataset is the dataset owner. Users with the Data Management permission are equivalent to owners.
| Permission Point | Permission Description | Operation Examples | Applicable Objects |
|---|---|---|---|
| Owner | 1. Exclusive to the dataset creator, cannot be granted, and can be transferred. 2. Edit the dataset definition. 3. Grant/revoke permissions. Can grant Manage and Use permissions. 4. Adjust the category. 5. Modify basic information. 6. Replace the data source. 7. Delete the dataset. |
· Adjust the dataset category · Edit field calculation logic · Modify metadata such as name and description · Replace the bound data source |
Owner |
| Manage | 1. Edit the dataset definition. 2. Grant/revoke permissions. Can grant Manage and Use permissions. 3. Adjust the category. 4. Modify basic information. 5. Replace the data source. 6. Edit the dataset. |
· Adjust the dataset category · Edit field calculation logic · Modify metadata such as name and description · Replace the bound data source |
Owner, Administrator |
| Use | Use the dataset, including: 1. Create basic metrics based on the dataset. 2. Create relationships with other datasets. 3. Use dimensions defined by the dataset. |
· Create metrics by using dataset fields | Owner, Administrator, users granted Use permission |
Note
Replace Data Source,Modify Basic Information, andEditrequire administrator or owner permissions and cannot be performed by regular users.- Without dataset usage permission:
- Users cannot create metrics based on the dataset.
- Users cannot create data relationships with the dataset.
- Users cannot preview data.
5. Metrics
The user who creates a metric is the metric owner. Users with the Data Management permission are equivalent to owners.
| Permission Point | Permission Description | Actual Operations (Menu) | Applicable Objects |
|---|---|---|---|
| Owner | 1. Exclusive to the metric creator, cannot be granted, and can be transferred. 2. View metric data. 3. Edit the metric definition. 4. Grant/revoke permissions. Can grant Manage and Use permissions. 5. Adjust the category. 6. Take the metric offline. 7. Copy and create a metric. 8. Delete the metric. |
· Edit metric · Favorite metric · Adjust metric category · Take offline · Share · Copy and create metric · Transfer owner · Delete metric |
Owner |
| Manage | 1. Edit the metric definition. 2. View metric data. 3. Grant/revoke permissions. Can grant user permissions. 4. Adjust the category. 5. Take the metric offline. 6. Copy and create a metric. |
· Edit metric · Favorite metric · Adjust metric category · Take offline · Share · Copy and create metric |
Owner, Administrator |
| Use | Use the metric, including: 1. Use it in metric dashboards and analysis views. |
· View · Favorite |
Owner, Administrator, users granted Use permission |
Details
- Edit, adjust category, take offline, share, and copy and create metric: both owners and administrators can perform these operations.
- Without usage permission:
- Users cannot create derived metrics based on the metric.
- Users cannot use the metric in metric dashboards or analysis views.
- Users cannot view the metric data.
6. Dimensions
The user who creates a dimension is the dimension owner. Users with the Data Management permission are equivalent to owners.
| Permission Point | Permission Description | Actual Operations (Menu) | Applicable Objects |
|---|---|---|---|
| Owner | 1. Exclusive to the dimension creator, cannot be granted, and can be transferred. 2. View dimension data. 3. Edit the dimension definition. 4. Grant/revoke permissions. Can grant Manage and Use permissions. 5. Adjust the category. 6. Take the dimension offline. 7. Copy and create a dimension. 8. Delete the dimension. |
· Edit dimension · Adjust dimension category · Take offline · Share · Copy and create dimension · Transfer owner · Delete dimension |
Owner |
| Manage | 1. Edit the dimension definition. 2. View dimension data. 3. Grant/revoke permissions. Can grant user permissions. 4. Adjust the category. 5. Take the dimension offline. 6. Copy and create a dimension. |
· Edit dimension · Adjust dimension category · Take offline · Share · Copy and create dimension |
Owner, Administrator |
| Use | Use the dimension, including: 1. View dimension details. 2. Reference it in metric dashboards and metric boards. This permission is inherited from the dataset. |
· View | Owner, Administrator, users granted Use permission |
Additional Notes
- Administrators and owners can perform management operations such as editing, adjusting categories, taking offline, sharing, copying, and transferring.
- Users can only view.
- Users without Use permission cannot directly view dimension data, but this does not affect references to the dimension in metric dashboards or metric boards.
7. Categories (Metric Categories / Dimension Categories / Dataset Categories)
The user who creates a category is the category owner. Users with the Data Management permission are equivalent to owners.
| Permission Point | Permission Description | Actual Operations (Menu) | Applicable Objects |
|---|---|---|---|
| Owner | 1. Exclusive to the category creator and cannot be granted. 2. Delete the category. Deleting a category also deletes all child categories under it. 3. Create categories, metrics, dimensions, or datasets under the category. 4. Grant Manage, Create, and Use permissions to other users. 5. Move the category. 6. Rename the category. |
· Delete · Create child category · Create metrics, dimensions, or datasets under the category · Authorize (Manage / Create / Use) · Adjust category order · Rename |
Owner |
| Manage | 1. Edit the category name. 2. Create metrics, dimensions, or datasets under the category. 3. Grant Create permission to other users. 4. Revoke Create permission from other users. 5. Manage child categories. |
· Create child category · Create metrics, dimensions, or datasets under the category · Authorize (Create, Use) |
Owner, Administrator |
| Create | Under a category where Create permission has been granted: create metrics, dimensions, datasets, and child categories. | · Create category · Create metrics, dimensions, or datasets · Assets under the authorized category |
Owner, Administrator, users granted Create permission |
| Use | Use existing assets under the category, such as metrics, dimensions, and datasets. | · View category content | Owner, Administrator, users granted Use permission |
Additional Notes
- Owners and administrators can fully manage categories, including creating, editing, deleting, building the category tree, and creating metrics, dimensions, or datasets under categories.
- Users can only view existing resources under categories and cannot create or adjust them.
8. Metric Dashboards
The user who creates a metric dashboard is the metric dashboard owner. Users with the Data Management permission are equivalent to owners.
| Permission Point | Permission Description | Additional Notes |
|---|---|---|
| Owner | 1. Exclusive to the metric dashboard creator and can be transferred. 2. View metric dashboard data. 3. Copy the metric dashboard. 4. Edit the metric dashboard structure. 5. Modify basic information. 6. Grant administrator and user permissions to other users. 7. Delete the metric dashboard. |
Highest permission. |
| Manage | 1. View metric dashboard data. 2. Edit the metric dashboard structure. 3. Grant user permissions to other users. 4. Copy the metric dashboard. 5. Modify basic information. |
Managers can modify the report structure. |
| View | Has read permission for the metric dashboard. | Can only view results and cannot edit. |
9. Analysis Views
The user who creates an analysis view is the analysis view owner. Users with the Data Management permission are equivalent to owners.
| Permission Point | Permission Description | Additional Notes |
|---|---|---|
| Owner | 1. Exclusive to the analysis view creator and can be transferred. 2. View analysis view data. 3. Copy the analysis view. 4. Edit the analysis view structure. 5. Modify basic information. 6. Adjust the analysis view category. 7. Grant administrator and user permissions to other users. 8. Delete the analysis view. |
Exclusive highest permission. |
| Manage | 1. View metric dashboard data. 2. Edit metric dashboard structure. 3. Grant user permissions to other users. 4. Copy metric dashboard. 5. Modify basic information. 6. Adjust the analysis view category. |
Managers can modify the display logic. |
| View | Use the analysis view. | Can use but cannot modify. |
10. Acceleration Tasks
The user who creates an acceleration task is the acceleration task OWNER. Users with Data Management can view all acceleration tasks.
| Permission Point | Permission Description | Additional Notes |
|---|---|---|
| Owner | 1. Exclusive to the acceleration plan creator and can be transferred. 2. Backfill data. 3. Adjust the acceleration plan category. 4. Edit acceleration plan content. 5. Copy the acceleration plan. 6. Transfer the acceleration plan. 7. Delete the acceleration plan. |
|
| Manage | 1. Exclusive to the acceleration plan creator and can be transferred. 2. Backfill data. 3. Adjust the acceleration plan category. 4. Edit acceleration plan content. 5. Copy the acceleration plan. 6. Transfer the acceleration plan. 7. Delete the acceleration plan. |
|
| View | Acceleration tasks do not have separate View permissions. All metadata is public. | Metadata is visible to everyone. |