Combining data permissions
You can specify multiple data permissions for a user or user group for specific table columns. However, unlimited permission at group level will supersede data permissions applied to specific table columns.
Note
These permissions can supersede a user's admin access. And if a user is a member of two groups, the higher permission level will apply to both groups. For example, if a user has limited access to one group and is then given unlimited access to a second group, they will then automatically have unlimited access to both groups.
We'll use an example data set to explain what happens when you give multiple data permissions to the same user or user group. The data set consists of two tables, one that links purchase orders to company codes, and one that links purchase orders to individual ordered items and their material number codes. We'll reference these tables in a permission table that we create to give data permissions to users.
po_number | company_code |
---|---|
p1 | c1 |
p2 | c1 |
p3 | c2 |
p4 | c2 |
p5 | c2 |
po_number | po_item | material_number | c1_or_m1 |
---|---|---|---|
p1 | i1 | m1 | yes |
p1 | i2 | m2 | yes |
p2 | i1 | m3 | yes |
p3 | i1 | m2 | no |
p4 | i1 | m4 | no |
p4 | i2 | m5 | no |
p4 | i3 | m6 | no |
p4 | i4 | m1 | yes |
p5 | i1 | m1 | yes |
p5 | i2 | m3 | no |
In the table of purchase order items, you can see that an extra column c1_or_m1
has been added. This column has the value yes
if the purchase order involves either the company code c1, or the material number m1, or both. We'll use this for an OR permission that involves more than one table and column.
Case 1: Permission for a single value in a single table column
Here's a basic use case with a permission table that gives user test-user@celonis.com
permission to see purchase orders from company C1:
User_Mail | Table_Name | Column_Name | Value |
---|---|---|---|
test-user@celonis.com | purchase_orders | company_code | c1 |
With this data permission, purchase orders P3, P4 and P5 from the example data set are filtered out for the user, because their company code is not C1. Only purchase orders P1 and P2, from company C1, are available for this user to view. Note that the table of purchase order items is also filtered - the user can only see the items from purchase orders P1 and P2.
po_number | company_code |
---|---|
p1 | c1 |
p2 | c1 |
po_number | po_item | material_number | c1_or_m1 |
---|---|---|---|
p1 | i1 | m1 | yes |
p1 | i2 | m2 | yes |
p2 | i1 | m3 | yes |
Case 2: Permission for multiple values in a single table column (OR condition in one column)
The PQL engine receives data permissions for a single table column as a chain of FILTER statements. If you specify multiple values that the user can see for a single column, they are combined into a list, for example, FILTER table1.col1 IN (val1, val2, val3)
. In this situation, users can see the entries with val1
, val2
, or val3
in column 1 of table 1, but they can't see entries with val4
or val5
in that column.
If you are manually setting data permissions for a user or group, you specify these as multiple values for the same rule. If you are using a permission table, you specify them as multiple rows for the same user, with a different value in each row.
In this permission table we give the user test-user@celonis.com
permission to see purchase order items involving either material number M1 or material number M6:
User_Mail | Table_Name | Column_Name | Value |
---|---|---|---|
test-user@celonis.com | purchase_order_items | material_number | m1 |
test-user@celonis.com | purchase_order_items | material_number | m6 |
With this data permission, items with materials other than M1 and M6 are filtered out for the user. The table of purchase orders is also filtered - the user can only see the purchase orders that included items with materials M1 and M6.
po_number | company_code |
---|---|
p1 | c1 |
p4 | c2 |
p5 | c2 |
po_number | po_item | material_number | c1_or_m1 |
---|---|---|---|
p1 | i1 | m1 | yes |
p4 | i3 | m6 | no |
p4 | i4 | m1 | yes |
p5 | i1 | m1 | yes |
Case 3: Permissions for multiple values in a single table column and a single value in another table (AND condition between tables)
You can define multiple data permissions for a user or group that reference more than one table column in the data. For example, you could restrict a user to viewing invoices in a specific country and from a specific company. When you define permissions for more than one table column, the user is restricted by all of these permissions. So if you give a user data permissions to see invoices from country CY1 and invoices from company A1, they can't see invoices sent by company A1's subsidiary in country CY2.
In this permission table we give the user test-user@celonis.com
permission to see purchase order items involving either material number M1 or material number M6, when they are associated with company C1:
User_Mail | Table_Name | Column_Name | Value |
---|---|---|---|
test-user@celonis.com | purchase_orders | company_code | c1 |
test-user@celonis.com | purchase_order_items | material_number | m1 |
test-user@celonis.com | purchase_order_items | material_number | m6 |
With these data permissions, items with materials other than M1 and M6 and purchase orders other than those associated with company C1 are filtered out for the user. This leaves only one purchase order and one purchase order item.
po_number | company_code |
---|---|
p1 | c1 |
po_number | po_item | material_number | c1_or_m1 |
---|---|---|---|
p1 | i1 | m1 | yes |
Case 4: Permissions for a single value in one table column or a single value in another table column (OR condition between tables)
What if the example in Case 3 isn't what you want? What if you want a user to see all of the invoices from country CY1, and also all of the invoices from company A1, whichever subsidiary of company A1 sent them? So, invoices involving either CY1, or A1, or both.
If you want to define an OR permission like this that works across more than one table column, you'll likely need to add a column in a referenced table in the Data Model that just flags what users are allowed to see. In the example data set, the extra column c1_or_m1
does this job. This column has the value yes
if the purchase order involves either the company code C1, or the material number M1, or both.
In this permission table we give the user test-user@celonis.com
permission to see any row where the c1_or_m1
column has the value yes
:
User_Mail | Table_Name | Column_Name | Value |
---|---|---|---|
test-user@celonis.com | purchase_orders | c1_or_m1 | yes |
The user gets to see all the purchase orders and items that are connected to company C1 or material M1.
po_number | company_code |
---|---|
p1 | c1 |
p2 | c1 |
p4 | c2 |
p5 | c2 |
po_number | po_item | material_number | c1_or_m1 |
---|---|---|---|
p1 | i1 | m1 | yes |
p1 | i2 | m2 | yes |
p2 | i1 | m3 | yes |
p4 | i4 | m1 | yes |
p5 | i1 | m1 | yes |