Understanding data permissions
Data permissions allow you to define granular access by specifying the tables, columns, and values a user or group can view within your data pool. You can apply these permissions to individual tables, specific combinations, or provide unlimited access to the entire data model.
Important
Granting a group unlimited permissions can supersede an individual user's default data access. If a user is a member of two groups, the higher permission level applies to both groups. For example, if a user has limited access in one group and is given unlimited access in a second group, they will automatically have unlimited access within both groups.
By default, a permission limits access to the specific data within that individual table. However, these permissions are not isolated, and if a table is part of a Parent-to-Child (1:N) relationship, the permission automatically cascades the filter to all associated child records.
Note
Depending on your use case, see the corresponding Configuring permissions on related tables (1:N) section on either Loading data permissions from permission tables or Setting data permissions manually for users and groups for more information.
To demonstrate these concepts, the following examples use a Parent-to-Child relationship between the Purchase Orders table (linked to company codes) and the Purchase Order Items table (linked to material codes). These tables are joined by the po_number column in a 1:N (One-to-Many) relationship, extending the reach of the permission table defined in each example across both tables (permission cascading).
po_number | company_code |
|---|---|
p1 | c1 |
p2 | c1 |
p3 | c2 |
p4 | c2 |
p5 | c2 |
In the Purchase Orders table, you can see a po_number column, which represents the order number, and the company_code column, which represents the company associated with each order.
po_number | po_item | material_number | c1_or_m1 |
|---|---|---|---|
p1 | i1 | m1 | yes |
p1 | i2 | m2 | yes |
p2 | i1 | m3 | yes |
p3 | i1 | m2 | no |
p4 | i1 | m4 | no |
p4 | i2 | m5 | no |
p4 | i3 | m6 | no |
p4 | i4 | m1 | yes |
p5 | i1 | m1 | yes |
p5 | i2 | m3 | no |
The Purchase Order Items table also includes the po_number column and the additional po_item, material_number, and c1_or_m1 columns. The c1_or_m1 column contains the value yes if the company_code is c1, the material_number is m1, or both.
The most limited permission scope gives users access to data filtered by a specific table, column, and value. In the following permission table, the user test-user@celonis.com is given permission to see data from the Purchase Orders table if the company_code column has a value of c1:
User_Mail | Table_Name | Column_Name | Value |
|---|---|---|---|
test-user@celonis.com | purchase_orders | company_code | c1 |
Because of permission cascading, this filter on the Parent table (Purchase Orders) automatically restricts the user's view of the Child table (Purchase Order Items) to only those items belonging to company c1. This also means all other purchase orders and their associated items in the Child table are restricted.
With this data permission, the user is granted access to the following data:
Note
If the purchase_orders table had no associated child tables, the user's access would be limited strictly to the records shown in the Purchase Orders - Case 1 table.
po_number | company_code |
|---|---|
p1 | c1 |
p2 | c1 |
To understand the results in the child table below, note that the c1_or_m1 column serves as a logic flag. For this example, assume records marked with yes are associated with company c1 to satisfy the parent-level permission.
po_number | po_item | material_number | c1_or_m1 |
|---|---|---|---|
p1 | i1 | m1 | yes |
p1 | i2 | m2 | yes |
p2 | i1 | m3 | yes |
When you specify multiple values for a single column, permissions are combined into a logical OR condition. This is processed as an IN list (for example, FILTER table.column IN (val1, val2)). Under this logic, a user can see any record that matches at least one of the specified values.
In a permission table, these are defined as multiple rows for the same user. In this example, the user test-user@celonis.com is granted permission to see entries in the Purchase Order Items table that involve either material m1 or material m6:
User_Mail | Table_Name | Column_Name | Value |
|---|---|---|---|
test-user@celonis.com | purchase_order_items | material_number | m1 |
test-user@celonis.com | purchase_order_items | material_number | m6 |
With this configuration, the engine restricts the Purchase Order Items table to the permitted materials. Because of the relational link, the Purchase Orders (Parent) table is also filtered; the user only sees orders that contain at least one permitted item.
With this data permission, the user is granted access to the following data:
po_number | company_code |
|---|---|
p1 | c1 |
p4 | c2 |
p5 | c2 |
po_number | po_item | material_number | c1_or_m1 |
|---|---|---|---|
p1 | i1 | m1 | yes |
p4 | i3 | m6 | no |
p4 | i4 | m1 | yes |
p5 | i1 | m1 | yes |
Note
Notice that while orders p4 and p5 contain restricted materials (such as m5 as seen in the Data Example table), they remain visible because they also contain at least one permitted material (m1 or m6).
When you specify permissions for multiple columns within the same table, the engine combines them using a logical AND condition. This is a restrictive configuration where the user can only view rows that satisfy all criteria simultaneously.
In this example, the user test-user@celonis.com is granted permission to see items in the Purchase Order Items table only where the po_number is p4 AND the material_number is m1:
User_Mail | Table_Name | Column_Name | Value |
|---|---|---|---|
test-user@celonis.com | purchase_order_items | po_number | p4 |
test-user@celonis.com | purchase_order_items | material_number | m1 |
Using the reference data, the permissions are evaluated against each row using both conditions:
po_number | po_item | material_number | c1_or_m1 (Flag) |
|---|---|---|---|
p1 | i1 | m1 | yes |
p4 | i4 | m1 | yes |
p4 | i3 | m6 | no |
With this configuration, the user can only access the middle row (item i4 of order p4). The other rows fail to meet both conditions and would be excluded. For instance, items from order p1 would be excluded because the order number is not p4, and item i3 would be excluded because it lacks the material m1 (as seen in the Data Example table).
Permissions can also be enforced that span multiple columns across different tables. When permissions are defined for more than one table or column, they are combined using a logical AND condition. This means a user can only view data that satisfies the criteria in all specified permissions.
In this example, the user test-user@celonis.com is granted permission to see data only when the Purchase Orders (Parent) match company c1 AND the Purchase Order Items (Child) involve either material m1 or material m6:
User_Mail | Table_Name | Column_Name | Value |
|---|---|---|---|
test-user@celonis.com | purchase_orders | company_code | c1 |
test-user@celonis.com | purchase_order_items | material_number | m1 |
test-user@celonis.com | purchase_order_items | material_number | m6 |
Because of the cross-table AND logic, this permission filters out any material (including m1 or m6) if it belongs to a company other than c1. Likewise, it filters out company c1 records if they do not contain the specified materials (m1 or m6).
With this data permission, the user is granted access to the following data:
po_number | company_code |
|---|---|
p1 | c1 |
po_number | po_item | material_number | c1_or_m1 |
|---|---|---|---|
p1 | i1 | m1 | yes |
Note
Notice that while orders p4 and p5 contain material m1, they are now excluded because they belong to company c2 (as seen in the Data Example table), which fails the first permission rule.
Standard permission configurations combine different columns using AND logic (as seen in Case 4). However, you may need a user to see records matching criteria from either one column or another; for example, they may need access to orders for company c1 OR all items involving material m1.
Note
By default, permissions are combined using AND logic when evaluating multiple columns or tables. If you require an OR condition across different columns or tables, you must consolidate that logic into a single flag column within your Data Model as demonstrated in this case.
To achieve this cross-column OR logic, you must add a "flag" column to your Data Model. In our reference data, the column c1_or_m1 serves this purpose. This column is pre-calculated to contain the value yes if the record matches company code c1, material number m1, or both.
In the permission table, you then grant access based solely on this flag column. This allows the complex logic to be handled by the Data Model while keeping the permission rule simple:
User_Mail | Table_Name | Column_Name | Value |
|---|---|---|---|
test-user@celonis.com | purchase_orders | c1_or_m1 | yes |
By filtering on this single flag, the permission table grants the user access to every purchase order and item connected to either company c1 or material m1:
po_number | company_code |
|---|---|
p1 | c1 |
p2 | c1 |
p4 | c2 |
p5 | c2 |
po_number | po_item | material_number | c1_or_m1 |
|---|---|---|---|
p1 | i1 | m1 | yes |
p1 | i2 | m2 | yes |
p2 | i1 | m3 | yes |
p4 | i4 | m1 | yes |
p5 | i1 | m1 | yes |
Note
Notice that unlike Case 4, orders p4 and p5 are visible here even though they belong to company c2. This is because they satisfy the OR condition by containing material m1.