Setting data permissions manually for users and groups
You can manually set data permissions for users or groups for each data model, providing granular, UI-based control over data access. This method is most suitable for Data Model Managers handling a limited number of users and columns where unique, user-specific assignments are required. It offers an easy overview of an individual's total permissions and allows for immediate modification directly within the interface.
Note
For large-scale management of permissions across many users or complex data models, you can also use permission tables to define access. For more information, see Loading data permissions from permission tables.
This page provides best practices and the steps for manually setting up data permissions.
Best practices for manually setting up data permissions
The following sections describe best practices for manually setting up data permissions.
If a user is a member of two groups, the higher permission level will apply to both groups. This means when applying manual permissions for a user, the manually granted permissions could supersede a user's overall Celonis Platform permissions.
For example, if a user has limited access to one group and is then given unlimited access to a second group, they will then automatically have unlimited access to both groups.
To set up data permissions involving multiple values or multiple table columns, see: Combining data permissions.
When defining permissions across tables with a 1:N (One-to-Many) relationship, such as Orders (Parent) to Order Items (Child), it is highly recommended to apply the primary permission to the Parent table.
If you apply a permission strictly to a Child table:
The system filters out any rows that do not have a matching entry in the permission table.
If a Parent object has no corresponding Child entries, the Parent object may become invisible in Studio views.
Rows without a join partner are automatically removed when the permission filter cannot find a match.
To ensure Parent objects remain visible even when they have no associated Child entries, always apply the primary permission to the Parent table.
When creating a permission rule, you are able to save Values for columns as empty, as shown below:
 |
However, if you leave Values empty, when your data is loaded, users will not be able to see any within this column. This also applies if this data table is related to other tables. It is critical that you do not leave the Values empty.
Configuring data permissions manually
To configure data permissions manually for your data models:
Select Data Models.
Locate the data model you want to manually set permissions for, and select Options (⋮) > Data Permissions.
Select Add User or Group, and then add user/group who should have access, and then select Done.
For users or groups you've added, decide if they should have unlimited access or whether a rule should be applied for them:
Unlimited access: If selected, users can see all data in all data models that they have access to.
Important
When applying the Unlimited access permission, this setting could supersede a user's overall Celonis Platform permissions. For more information, see Avoiding permission escalations.
Rules: Select the specific columns from your data tables and whether only individual column values should be available to these users. If adding a rule, select Save.
Important
Ensure you set the Values for each column. Leaving a value as empty will result in it not being visible to user. For more information, see Empty values in permission rules.
To enable the data permissions, select Use data permissions options.
Important
If you do not select Use data permissions options, the permissions will not be applied.
Once you select Use data permissions options, the data permissions are now active, without the need to reload your data model.