Skip to main content

User Attributes

User attributes give Omni the ability to map user-specific variables to operations in the application - querying, dashboarding, or general permissions. There are six default system user attributes generated by Omni, and Admin can create new user attributes. These attributes can be used in filters on dashboards or workbooks or to filter embedded content.

Default System User Attribute Types

Attribute TypeModeling ReferenceDescriptionParameters Restricting Data Access with User Attributes
Is Omni Administratoromni_is_org_adminIndicates if the user has a connection role of Adminaccess_grants, access_filters
Omni User Emailomni_user_emailUser's email addressaccess_grants, access_filters
Omni User Embed Entityomni_user_embed_entityUser's embedded entity informationaccess_grants, access_filters
Omni User Groupsomni_user_groupsGroups associated with the useraccess_grants, access_filters
Omni User IDomni_user_idUnique identifier for the useraccess_grants, access_filters
Omni User Nameomni_user_nameUser's nameaccess_grants, access_filters

Default User Attribute Examples

Access Grants

User Groups Attribute

An example of how to utilize the User Groups attribute to limit access to content via access grants.

  1. In the model file define your access_grant::
access_grants:
docs_access:
user_attribute: omni_user_groups
allowed_values: [Docs]
  1. Choose whether to implement the access grant on a topic or on a specific field: a. Topic implementation
order_items:
label: Transactional
required_access_grants: [docs_access]

b. Field implmentation

is_completed:
sql: CASE WHEN ${order_items.status} IN ('Complete') THEN true ELSE false END
required_access_grants: [docs_access]

Access Filter

Access filters allow users to use user attributes to filter access to a topic based on a user attribute value.

users:
joins: {}
access_filters:
- field: state
user_attribute: region

Creating User Attributes

To define a new user attribute, click the 'New Attribute' button on the Attributes admin page. Each user attribute has the following settings:

  • Name: The name of the user attribute, how it will be displayed in the UI
  • Reference: How the attribute will be referenced in code, such as in the model
  • Type: Used to check that valid values are assigned to users. String and Number data types are allowed.
  • Multiple values: Specifies whether multiple values can be assigned to a user for this attribute
  • Description: Explanation of the attribute or how it will be used
  • Default value: Optionally, set a default value that all users will inherit if a value is not directly assigned to them

Assigning values to individual users

After defining a user attribute, assign a value for each user:

  1. Select the Users tab
  2. Select 'Edit Value' for the user you'd like to set
  3. Enter the new value
  4. The source field will show whether the user's value was set by inheriting the attribute default value (Default setting), or if the value was set specifically for the user (User setting)

Where can user attributes be used?

Access Filters

Access filters allow you to restrict the rows of data a user can access within a topic. Access filters apply the values assigned on a user attribute to the where clause of every SQL query a user runs, filtering out to only the data designated to that user. This is often the use case when building customer facing applications and transactions are collected across customers in a single table vs a schema per table.

Access Grants

Access Grants define topic and field level permissions can be controlled by creating an access_grant: in the model file. Omni will map user-specific variables, user_attributes, to a corresponding allowed value and determine if the user has the necessary permissions to access that topic or field.

Fields

User attributes can be referenced in fields using mustache syntax {{ omni_attributes.<attribute-name> }}. This construct can be used to either provide conditional access to a field, or to hash a field based on a user attribute. This can be done via a case statement in the SQL definition for a field, such as two options below for either hiding or hashing a name field as an alternative to removing access to the column entirely via an access grant.

  name:
sql: ${users.full_name}

name_hidden:
sql: |+
CASE
WHEN {{omni_attributes.see_names}} = 'true'
THEN ${users.name}
ELSE 'No Access'
END

name_hashed:
sql: |+
CASE
WHEN {{omni_attributes.see_names}} = 'true'
THEN ${users.name}
ELSE MD5(${users.name})
END