Skip to main content

Managing data access with connection permissions

At a high level, permissions in Omni are set at the database connection, data model, and content levels. On this page we will work through how to set up database connection permissions. Refer to Organization settings and Data access control guides for more information.

User permissions are first set on the individual database connection then more fine-tuned permissions can be assigned to individual users or groups within the organization, streamlining the management process.

Connection permission basics

Who can define connection permissions?

Organization Admins and users who have Connection Admin permissions for a connection can define connection permissions.

What are the connection roles?

Omni currently supports five connection roles, ordered from the least permissive to the most permissive:

  • No access
  • Viewer
  • Restricted Querier
  • Querier
  • Modeler
  • Connection Admin

For the specifics of what each role can and cannot do, refer to the Connection roles section in the Permissions reference section of this guide.

Can default permissions be applied to a connection?

Yes. Using the Base access setting, you can assign the minimum role users will have for the models in the connection. More permissive roles can be set in the connection's Model access section. Note: The base role will override a less permissive role set in the Model access section.

Can permissions be set at the model level?

Yes! In the Model access section, you can assign granular permissions to users and user groups for specific models. Note: The base role will override a less permissive role set in the Model access section.

What permissions should I set to do [thing]?

It depends on what you want to achieve! Do you want to lock everything down, or only restrict access for some things? Or perhaps it varies by team or dataset?

In the Common permissions scenarios guide, we've outlined some common scenarios and how to use permissions to achieve the desired result. For example, limiting access to folders based on the team a user belongs to.

Do connection permissions impact a user's license type?

Yes. Refer to the User license types section for more information.

Defining permissions for a connection

info

Organization Admin or Connection Admin permissions for the connection are required to define connection permissions.

To access the connection's Permissions tab:

  1. Click Settings > Connections.
  2. Click the connection.
  3. Click the connection's Permissions tab. On this page, you can define default access for the connection (Base access role) and assign permissions to users and user groups for specific models (Model access).

Not sure what permissions to set? Check out the Common permissions scenarios guide to learn what permissions to set in specific scenarios, such as restricting access to datasets based on team.

Testing data access

As you assign connection roles to users, you can impersonate them to test what users can see. This can be helpful in preemptively surfacing access warnings, which will display when users attempt to access specific types of content. Refer to the Access warnings guide to learn what an access warning is and how to resolve it.

Understanding user license types

Omni's licensing structure has three tiers: Viewer, Creator, and Administrator/Developer.

To calculate a user's license type, Omni looks at:

  • The user's highest Connection role across all connections, and
  • Whether the user is an Organization Administrator. These users will have an Administrator license by default.

Refer to the Licenses & Connection roles section to see how user licenses map to each connection role.

Permissions reference

Licenses & Connection roles

License typeConnection rolePermissions
NoneNo Access
  • ❌ Cannot view content built on the connection
  • ❌ Cannot query (topics)
  • ❌ Cannot use SQL queries
  • ❌ Cannot modify shared model files
  • ❌ Cannot modify connection settings
ViewerViewer
  • ✅ Can view dashboards built on topics
  • ❌ Cannot query topics
  • ❌ Cannot use SQL queries
  • ❌ Cannot modify shared model files
  • ❌ Cannot modify connection settings
CreatorRestricted Querier
  • ✅ Can create and view workbooks and dashboards
  • ✅ Can query topics
  • ❌ Cannot use SQL queries
  • ❌ Cannot modify shared model files
  • ❌ Cannot modify connection settings
Querier
  • ✅ Can create and view workbooks and dashboard
  • ✅ Can query topics
  • ✅ Can use SQL queries
  • ❌ Cannot modify shared model files
  • ❌ Cannot modify connection settings
Admin/DeveloperModeler
  • ✅ Can create and view workbooks and dashboards
  • ✅ Can query topics
  • ✅ Can use SQL queries
  • ✅ Can modify shared model files
  • ❌ Cannot modify connection settings
Connection Admin
  • ✅ Can create and view workbooks and dashboards
  • ✅ Can query topics
  • ✅ Can use SQL queries
  • ✅ Can modify shared model files
  • ✅ Can modify connection settings

Documents

This section describes the actions different connection roles can take regarding documents.

Loading data...

Workbooks

This section describes the actions different connection roles can take in the workbook section of a document.

Loading data...

Dashboards

This section describes the actions different connection roles can take in the dashboard section of a document.

Loading data...

Modeling

This section describes the actions different connection roles can take when interacting with the connection's model.

Loading data...

Branches

This section describes the actions different connection roles can take when interacting with branches.

Loading data...

Administration

This section describes the actions different connection roles can take regarding the connection's settings.

Note: Managing users, such as inviting them to your Omni instance, is handled by Organization Admins.

Loading data...