User Attributes
User attributes give Omni the ability to map user-specific variables to operations in the application - querying, dashboarding, or general permissions. There are six default system user attributes generated by Omni, and Admin can create new user attributes. These attributes can be used in filters on dashboards or workbooks or to filter embedded content.
Default System User Attribute Types
Attribute Type | Modeling Reference | Description | Parameters Restricting Data Access with User Attributes |
---|---|---|---|
Is Omni Administrator | omni_is_org_admin | Indicates if the user has a connection role of Admin | access_grants , access_filters |
Omni User Email | omni_user_email | User's email address | access_grants , access_filters |
Omni User Embed Entity | omni_user_embed_entity | User's embedded entity information | access_grants , access_filters |
Omni User Groups | omni_user_groups | Groups associated with the user | access_grants , access_filters |
Omni User ID | omni_user_id | Unique identifier for the user | access_grants , access_filters |
Omni User Name | omni_user_name | User's name | access_grants , access_filters |
Default User Attribute Examples
Access Grants
User Groups Attribute
An example of how to utilize the User Groups attribute to limit access to content via access grants.
- In the model file define your
access_grant:
:
access_grants:
docs_access:
user_attribute: omni_user_groups
allowed_values: [Docs]
- Choose whether to implement the access grant on a topic or on a specific field: a. Topic implementation
order_items:
label: Transactional
required_access_grants: [docs_access]
b. Field implmentation
is_completed:
sql: CASE WHEN ${order_items.status} IN ('Complete') THEN true ELSE false END
required_access_grants: [docs_access]
Access Filter
Access filters allow users to use user attributes to filter access to a topic based on a user attribute value.
users:
joins: {}
access_filters:
- field: state
user_attribute: region
Creating User Attributes
To define a new user attribute, click the 'New Attribute' button on the Attributes admin page. Each user attribute has the following settings:
- Name: The name of the user attribute, how it will be displayed in the UI
- Reference: How the attribute will be referenced in code, such as in the model
- Type: Used to check that valid values are assigned to users. String and Number data types are allowed.
- Multiple values: Specifies whether multiple values can be assigned to a user for this attribute
- Description: Explanation of the attribute or how it will be used
- Default value: Optionally, set a default value that all users will inherit if a value is not directly assigned to them
Assigning values to individual users
After defining a user attribute, assign a value for each user:
- Select the Users tab
- Select 'Edit Value' for the user you'd like to set
- Enter the new value
- The source field will show whether the user's value was set by inheriting the attribute default value (Default setting), or if the value was set specifically for the user (User setting)
Where can user attributes be used?
Access Filters
Access filters allow you to restrict the rows of data a user can access within a topic. Access filters apply the values assigned on a user attribute to the where clause of every SQL query a user runs, filtering out to only the data designated to that user. This is often the use case when building customer facing applications and transactions are collected across customers in a single table vs a schema per table.
Access Grants
Access Grants define topic and field level permissions can be controlled by creating an access_grant:
in the model file. Omni will map user-specific variables, user_attributes, to a corresponding allowed value and determine if the user has the necessary permissions to access that topic or field.
Fields
User attributes can be referenced in fields using mustache syntax {{ omni_attributes.<attribute-name> }}
. This construct can be used to either provide conditional access to a field, or to hash a field based on a user attribute. This can be done via a case statement in the SQL definition for a field, such as two options below for either hiding or hashing a name field as an alternative to removing access to the column entirely via an access grant.
name:
sql: ${users.full_name}
name_hidden:
sql: |+
CASE
WHEN {{omni_attributes.see_names}} = 'true'
THEN ${users.name}
ELSE 'No Access'
END
name_hashed:
sql: |+
CASE
WHEN {{omni_attributes.see_names}} = 'true'
THEN ${users.name}
ELSE MD5(${users.name})
END