Content Sharing
Content can be shared directly from the content itself or by navigating to the folder the content is saved to.
Note: Publishing a document using the draft/publish workflow doesn't inherently grant document access. The document's folder location and document-level permissions determine who can access it. Refer to the Editing & publishing guide for more information.
Sharing from a document
To share from the document (workbook or dashboard), navigate to the Share button in the top right of the page (to the left of the user profile icon).
Share content from a folder
Navigate to the Home menu and locate your content within the folder it lives in. Then select the three-dot menu on the right side and select "Share..." in the drop-down menu.
When sharing content, users can determine how other users can interact with the content in two main ways: the access role of the user/group and the ability to interact with the content.
Access roles
The access role assigned to a folder acts as the base-level permission for all of the contents inside that folder. This base role is the minimum role every document inside the folder will have. A document may be assigned a more permissive role than the base role of the folder it is in; the reverse is not allowed, i.e. a document cannot have a less permissive role than the folder that contains it.
To assign a role, select Access in the Share modal then:
- Type in the user(s) and/or group(s) that you want to have access
- Choose the role: viewer, editor, or manager
- Save those options in the bottom right hand corner
Default roles are set at the organization level and applied as default values when documents and folders are shared with the organization.
Owners can select a role that has more granular access than the default if they would like. For instance, if the default at the organization is “No Access”, a user will have three roles they can choose to assign to other users/groups:
- Viewer: Users with this level can only view the content but cannot make changes.
- Editor: Users with editing permissions can view and make modifications to the content.
- Manager: This level provides full control, allowing users to view, edit, and manage permissions for others.
Managing content access by folders
Users can also control content access by assigning rules in various folders and then adding content to those folders. For example, a user can share content to the organization’s Shared folder to make it accessible to the entire organization, or save the content to their Personal folder.
When moving a document from your personal folder to a shared folder or from one shared folder to another shared folder, note that the document's owner will change to the new folder's content manager.
Document abilities
Beyond controlling the access roles, users can also choose what abilities users have to interact with the content by changing the Document Settings at the bottom left hand corner of the Share modal or under File > Document Settings on a dashboard or workbook.
There are four abilities users can control on a document:
- Schedule: Allow the creation of new deliveries and alerts on this document. Disabling will not remove existing deliveries or alerts.
- Download: Allow users to download this document or data from it.
- Drill: Allow users to drill into various data points in this content.
- Viewers can see workbook: Allow users with the “Viewer” role to see a read-only version of the workbook. They will not be able to edit the workbook or see non-topic tabs or SQL tabs.
Admin can control the Ability settings for the whole instance by deciding the default settings and/or if the ability is disabled. If you do not see one of the options available, it may be disabled by your Admin.
Identifier
Under the document settings, users can also change the unique slug for this document. Changing this can give you a more readable name in the URL, but it must be unique. Updating this is reflected in real time. This could also be used for updates to an embedded dashboard without requiring an engineer to point from one identifier to another, by instead pointing to a fixed, immutable URL.
Admin Content Sharing Permissions
In General > Settings, Admins can set a default access role:
- No Access: Content will not appear in the content system or search results
- Viewer: Users with this level can only view the content but cannot make changes.
- Editor: Users with editing permissions can view and make modifications to the content.
- Manager: This level provides full control, allowing users to view, edit, and manage permissions for others.
Users who can manage content permissions (“Manager” or “Owner” roles in the document or folder) can set the organization access role higher or lower than the default on the shared content, if they so choose.
Admin document abilities
Admins can set which abilities users can select by toggling each ability on or off, and can select the default behavior for shared content.
Content Organization
All Omni instances have a root Shared folder. Admin can allow users to create or add folders in that Shared folder by toggling this setting on. Otherwise they can only add content to folders they have been specifically granted access to.
AccessBoost
AccessBoost allows content managers to enable permission boosting. This has security implications. AccessBoost ignores an Omni user's database connection role. When enabled, the user can run a dashboard and view all of the data that dashboard shows even if they typically would not be able to see content built by SQL. AccessBoost only alters the access to the data on a dashboard. AccessBoost still respects a user's connection role when the user runs a query at the workbook level.
AccessBoost may be useful in scenarios where users with connection roles of Querier and Admins want to share dashboard content with users that have lower-level connection roles like Restricted Querier, Viewer and No Access.
AccessBoost does not allow users to bypass access_filters.
- Admin Restrictions
- Embed Considerations
Admin > Content Permissions settings.
Enabling AccessBoost for the Organization role also applies to content that is embedded externally, which has security implications to consider. Typically, for embedded content Omni applies the Viewer connection role, which would only allow users to see dashboard tiles that are tied to modeled topics, limiting the data that is exposed to external customers.
- The good: the ability for embed users to view non-topic bound and SQL content in an embedded context.
- The bad: if AccessBoost is enabled on an embedded document, a user could inadvertently expose data they do not want to expose to embed users.
AccessBoost can be globally deactivated in the admin section of the app:
AccessBoost can be set as the default at the connection level:
AccessBoost Scenarios by Level
Level | Description | Enabled | Disabled |
---|---|---|---|
Organization | An admin user can enable or disable AccessBoost at the organization level in the Admin settings under Administration > Content Permissions | Allows users who manage content to enable AccessBoost at the folder and document levels | Prevents any users who manage content from enabling AccessBoost on the folder or document levels |
Folder | Once an admin user has enabled AccessBoost in the Admin settings for Content Permissions the content manager users can choose to enable AccessBoost at the folder level. | Allows users with access to a folder to open any dashboards in that folder, view the content of those dashboards even if the user's connection role would prevent them from viewing that content. i.e. a dashboard built with SQL requires the user opening that dashboard to have a connection role of Querier or higher. | A user must have a viewer connection role or higher for dashboards built off of modeled topics. Any content on a dashboard built with SQL requires users to have a connection role of Querier or higher. |
Document | A user managing their content can choose to enable AccessBoost at the document level | Allows users with access to the document to open and view the content of the document even if the user's connection role would prevent them from viewing that content. i.e. a dashboard built with SQL requires the user opening that dashboard to have a connection role of Querier or higher. | Without AccessBoost, a user must have a viewer connection role or higher for dashboards built off of modeled topics. Any content on a dashboard built with SQL requires users to have a connection role of Querier or higher. |
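The table's rules can be modeled to audit which embedded documents show embed users more than the Viewer connection role would allow. This is an added example, not Omni's code: the `Document` fields, the tile names and the role ordering are assumptions, and it assumes the user already has content access to the document.

```python
from dataclasses import dataclass

# Connection roles named on this page, lowest first (the order is an assumption).
ORDER = ["No Access", "Viewer", "Restricted Querier", "Querier"]
# Minimum connection role per tile type without AccessBoost, per the table above.
REQUIRED = {"topic": "Viewer", "sql": "Querier"}

@dataclass
class Document:
    name: str
    tiles: dict            # tile name -> "topic" or "sql"
    doc_boost: bool = False
    folder_boost: bool = False
    embedded: bool = False

def boost_active(doc, org_boost):
    """Folder/document AccessBoost only counts if the organization setting allows it."""
    return org_boost and (doc.folder_boost or doc.doc_boost)

def visible_tiles(doc, connection_role, org_boost, surface="dashboard"):
    """Tiles whose data the user can see on the given surface."""
    # AccessBoost alters dashboard access only; workbook queries keep the role check.
    if surface == "dashboard" and boost_active(doc, org_boost):
        return sorted(doc.tiles)
    rank = ORDER.index(connection_role)
    return sorted(t for t, kind in doc.tiles.items()
                  if rank >= ORDER.index(REQUIRED[kind]))

def embed_exposure(docs, org_boost):
    """Embedded documents where AccessBoost shows more than the Viewer role would."""
    findings = {}
    for doc in docs:
        if not doc.embedded:
            continue
        baseline = set(visible_tiles(doc, "Viewer", False))
        extra = set(visible_tiles(doc, "Viewer", org_boost)) - baseline
        if extra:
            findings[doc.name] = sorted(extra)
    return findings

# Constructed inventory for illustration.
DOCS = [
    Document("sales", {"revenue": "topic", "raw_orders": "sql"}, doc_boost=True, embedded=True),
    Document("ops", {"uptime": "topic", "audit_log": "sql"}, embedded=True),
    Document("finance", {"ledger": "sql"}, folder_boost=True),
]
```

Running `embed_exposure(DOCS, org_boost=True)` on an inventory like this lists the SQL tiles that become visible to embed users only because AccessBoost is on.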
Sharing Content Externally
Omni has robust sharing functionality through Delivery and Embedding which allows users and organizations to securely share the data in a variety of forms. Read more in the links above.
Access Warnings
Access Warnings will appear as a yellow asterisk (*) on a dashboard or a tile that has some content which may not be accessible to certain users. These warnings provide context that helps make the dashboard viewing experience consistent for all users.
Generally Access Warnings will appear when there is some change made that escapes a topic:
- Queries built outside of a topic (All Views and Fields), or from raw SQL.
- Relationship changes in the workbook model that include new joins not present in the shared model.
- access_filters or access_grants.
- Changes to Dynamic Schemas.