Skip to main content

Celonis Product Documentation

Combining data permissions

You can specify multiple data permissions for a user or user group for specific table columns. However, unlimited permission at group level will supersede data permissions applied to specific table columns.

Note

These permissions can supersede a user's admin access. And if a user is a member of two groups, the higher permission level will apply to both groups. For example, if a user has limited access to one group and is then given unlimited access to a second group, they will then automatically have unlimited access to both groups.

We'll use an example data set to explain what happens when you give multiple data permissions to the same user or user group. The data set consists of two tables, one that links purchase orders to company codes, and one that links purchase orders to individual ordered items and their material number codes. We'll reference these tables in a permission table that we create to give data permissions to users.

Table 1. Purchase Orders

po_number

company_code

p1

c1

p2

c1

p3

c2

p4

c2

p5

c2



Table 2. Purchase Order Items

po_number

po_item

material_number

c1_or_m1

p1

i1

m1

yes

p1

i2

m2

yes

p2

i1

m3

yes

p3

i1

m2

no

p4

i1

m4

no

p4

i2

m5

no

p4

i3

m6

no

p4

i4

m1

yes

p5

i1

m1

yes

p5

i2

m3

no



In the table of purchase order items, you can see that an extra column c1_or_m1 has been added. This column has the value yes if the purchase order involves either the company code c1, or the material number m1, or both. We'll use this for an OR permission that involves more than one table and column.

Case 1: Permission for a single value in a single table column

Here's a basic use case with a permission table that gives user test-user@celonis.com permission to see purchase orders from company C1:

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_orders

company_code

c1

With this data permission, purchase orders P3, P4 and P5 from the example data set are filtered out for the user, because their company code is not C1. Only purchase orders P1 and P2, from company C1, are available for this user to view. Note that the table of purchase order items is also filtered - the user can only see the items from purchase orders P1 and P2.

Table 3. Purchase Orders - Case 1

po_number

company_code

p1

c1

p2

c1



Table 4. Purchase Order Items - Case 1

po_number

po_item

material_number

c1_or_m1

p1

i1

m1

yes

p1

i2

m2

yes

p2

i1

m3

yes



Case 2: Permission for multiple values in a single table column (OR condition in one column)

The PQL engine receives data permissions for a single table column as a chain of FILTER statements. If you specify multiple values that the user can see for a single column, they are combined into a list, for example, FILTER table1.col1 IN (val1, val2, val3). In this situation, users can see the entries with val1, val2, or val3 in column 1 of table 1, but they can't see entries with val4 or val5 in that column.

If you are manually setting data permissions for a user or group, you specify these as multiple values for the same rule. If you are using a permission table, you specify them as multiple rows for the same user, with a different value in each row.

In this permission table we give the user test-user@celonis.com permission to see purchase order items involving either material number M1 or material number M6:

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_order_items

material_number

m1

test-user@celonis.com

purchase_order_items

material_number

m6

With this data permission, items with materials other than M1 and M6 are filtered out for the user. The table of purchase orders is also filtered - the user can only see the purchase orders that included items with materials M1 and M6.

Table 5. Purchase Orders - Case 2

po_number

company_code

p1

c1

p4

c2

p5

c2



Table 6. Purchase Order Items - Case 2

po_number

po_item

material_number

c1_or_m1

p1

i1

m1

yes

p4

i3

m6

no

p4

i4

m1

yes

p5

i1

m1

yes



Case 3: Permissions for multiple values in a single table column and a single value in another table (AND condition between tables)

You can define multiple data permissions for a user or group that reference more than one table column in the data. For example, you could restrict a user to viewing invoices in a specific country and from a specific company. When you define permissions for more than one table column, the user is restricted by all of these permissions. So if you give a user data permissions to see invoices from country CY1 and invoices from company A1, they can't see invoices sent by company A1's subsidiary in country CY2.

In this permission table we give the user test-user@celonis.com permission to see purchase order items involving either material number M1 or material number M6, when they are associated with company C1:

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_orders

company_code

c1

test-user@celonis.com

purchase_order_items

material_number

m1

test-user@celonis.com

purchase_order_items

material_number

m6

With these data permissions, items with materials other than M1 and M6 and purchase orders other than those associated with company C1 are filtered out for the user. This leaves only one purchase order and one purchase order item.

Table 7. Purchase Orders - Case 3

po_number

company_code

p1

c1



Table 8. Purchase Order Items - Case 3

po_number

po_item

material_number

c1_or_m1

p1

i1

m1

yes



Case 4: Permissions for a single value in one table column or a single value in another table column (OR condition between tables)

What if the example in Case 3 isn't what you want? What if you want a user to see all of the invoices from country CY1, and also all of the invoices from company A1, whichever subsidiary of company A1 sent them? So, invoices involving either CY1, or A1, or both.

If you want to define an OR permission like this that works across more than one table column, you'll likely need to add a column in a referenced table in the Data Model that just flags what users are allowed to see. In the example data set, the extra column c1_or_m1 does this job. This column has the value yes if the purchase order involves either the company code C1, or the material number M1, or both.

In this permission table we give the user test-user@celonis.com permission to see any row where the c1_or_m1 column has the value yes:

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_orders

c1_or_m1

yes

The user gets to see all the purchase orders and items that are connected to company C1 or material M1.

Table 9. Purchase Orders - Case 4

po_number

company_code

p1

c1

p2

c1

p4

c2

p5

c2



Table 10. Purchase Order Items - Case 4

po_number

po_item

material_number

c1_or_m1

p1

i1

m1

yes

p1

i2

m2

yes

p2

i1

m3

yes

p4

i4

m1

yes

p5

i1

m1

yes