Permission Hierarchies

User groups can be nested into one another and their respective permissions can be inherited. This allows you to manage permissions of multiple user groups at once. By assigning permission to a parent user group, all of its child user groups inherit that permissions as well.

Example: Make Dashboards Easily Sharable With Everyone

This example describes how you can combine nested user groups with the SEE permission to ensure the creators of dashboards can easily share their dashboard everyone else in their workspace hierarchy.

Scenario

Suppose we have the following workspace hierarchy:

overview of a sample workspace hierarchy

The hierarchy consists of three workspaces. One is a parent workspace, and two are child workspaces. The parent workspace contains a dashboard that is inherited by the child workspaces.

There are three user groups. Each group can access one workspace:

Analytics User Group
Users in this group have a permission (ANALYZE or higher) to the Parent workspace, which means they can create, edit and share dashboards without restrictions.
Sales User Group
Users in this group have a permission (VIEW or higher) to the Sales workspace.
Dev User Group
Users in this group have a permission (VIEW or higher) to the Devs workspace.

How can you ensure that a user in the Analytics User Group is able to easily share the dashboard with users of the child workspaces?

Implement a Solution

A solution is to combine user group parent-child relationships with SEE permissions.

Steps:

Create a new user group called super_group, see Create a User Group.
Make super_group the parent to sales_group and dev_group.
In the super_group object, assign SEE permission to the analytics_group.
This will let users in the analytics_group see the super_group in the list of possible user groups when sharing a dashboard.

Once you are done, you can GET your user groups using the /api/v1/layout/userGroups API endpoint and verify that it looks similar to this:

[
    ...,
    {
        "id": "analytics_group",
        "permissions": []
    },
    {
        "id": "sales_group",
        "parents": [
            {
                "id": "super_group",
                "type": "userGroup"
            }
        ],
        "permissions": []
    },
    {
        "id": "dev_group",
        "parents": [
            {
                "id": "super_group",
                "type": "userGroup"
            }
        ],
        "permissions": []
    },
    {
        "id": "super_group",
        "permissions": [
            {
                "assignee": {
                    "id": "analytics_group",
                    "type": "userGroup"
                },
                "name": "SEE"
            }
        ]
    }
]

Shortcut!

You can do all three steps at once using the /api/v1/layout/userGroups API endpoint:

GET your current user group layout
Create a definition similar to the example shown above
PUT the updated definition back to the server

Result

Once you have implemented the super group hierarchy, the analytics users can share dashboards from the parent workspace with all users and user groups, including the super_group itself for an easy way to share the dashboard with everyone at once:

selecting who to assign dashboard permission to

Alternatively, to update the dashboard permissions using the API, you can use the /api/v1/actions/workspaces/<workspaceId>/analyticalDashboards/<dashboardId>/managePermissions endpoint.

Create a Multitenant Environment