Permissions
Organization (Global) Permissions
Your organization will set global permissions for your administratiors in the environment. Every Omni user has an Organization role of either Admin or Member.
Organization permissions are set on the Users page, for example environment.omniapp.co/users.
Organization Admins have full access to all Connections in the Organization. Organization Admins can manage Users and other Organization-level settings like the Organization name.
Members are the baseline role in Omni. They can be given default permission to a dataset, but will only recieve access to data on a connection by connection basis. By default, a member will not have access to any data in the environment until connection defaults have opened permissions to members.
Connection (Model) Permissions
Permissions can be controlled at two levels: by connection (the base role) and by user. The individual user’s permissions will be added to the connection-level base role that is applied to all users of the connection.
Note that there are no specific model permissions, they are set at the connection level.
Data permissions can be set at several levels, in ascending order of querying flexibility for users:
No Access
These users will not be able to query or view content built on this connection.
Viewer
These users can view dashboards built on predefined Topics.
Restricted Querier
These users can create and view workbooks and dashboards, but can only query through predefined Topics.
Querier
These users can create workbooks and dashboards, and query both modeled data (Topics) or unmodeled data (SQL) to the connection. These users cannot touch the shared model files on the connection.
Connection Admin
These users have Querier access to query both modeled or unmodeled data, and can additionally edit the connection model and settings, including setting other users' permission to the given connection or adjusting the default permissions. These are the only users that can touch the shared model files on a connection.
Connection Permissions Matrix
| Permission | No Access | Viewer | Restricted Querier | Querier | Connection Admin |
|---|---|---|---|---|---|
| View names of workbooks on homepage | X | ✓ | ✓ | ✓ | ✓ |
| Run Topic-based queries in a dashboard / workbook | X | ✓3 | ✓ | ✓ | ✓ |
| Run all queries in a dashboard / workbook | X | X2 | X2 | ✓ | ✓ |
| View custom SQL results | X | X2 | X2 | ✓ | ✓ |
| Build a dashboard / workbook | X | X | ✓ | ✓ | ✓ |
| Export CSVs | X | X | ✓ | ✓ | ✓ |
| Write SQL | X | X | X | ✓ | ✓ |
| Stage workbook changes | X | X | X | ✓ | ✓ |
| Edit the shared data model | X | X | X | X | ✓ |
| Manage permissions to the connection | X | X | X | X | ✓ |
| Manage users globally1 | X | X | X | X | X |
| Content Permissions (Doesn't Currently Exist) | Working on Now | Working on Now | Working on Now | Working on Now | Working on Now |
- Viewers can only access dashboards, not workbooks↩
- Viewers and Restricted Queriers can only run Topic-based queries. They are not permitted to run queries defined outside of Topics, or run any query in a workbook which has altered Topic or Join Relationship definitions. In the future, escalated privileges may be granted to a specific workbook or dashboard, allowing one-off access to specific users (or all users).↩
- User management is controlled by global admins, not at the connection level by connection admins.↩