Dandi’s new roles and permissions enable granular user access controls across all parts of the Dandi product suite. It creates a centralized location for the creation and management of user roles. Each role can be assigned permissions around key product features and analyses. Roles and permissions is designed to comply with your security and data privacy requirements, as well as your internal access control guidelines.
Roles can be created and edited from within Admin -> Roles & Permissions. Only users with the Role:Edit permission will be able to create roles. This includes the initial administrator that your account was set up with.
The Create Role button will take you to the role creation interface. There are two types of permissions: feature and analysis. All roles require at least one feature permission. The analysis permission is optional. Note that all roles begin with no access to any feature or analysis by default.
Feature permissions control which features and the actions within that feature that a role has access to. For example, you could add a role that only has view access to Dashboards without the ability to edit them. In general, “View” permissions provide read-only access and “Edit” permissions allow write access (e.g. add, edit, delete).
(See appendix for full list of feature permissions)
Analysis permissions control which analyses, metrics, and data fields a role can access. This ensures users can only see the reporting that they are allowed to see. For example, a department leader may only be allowed to view reporting for employees within their department. These controls will be custom based on your list of analyses and data fields.
Each row of an analysis permission denotes the type of report that role can access. A selection of Any means that any field from the list will be allowed. A selection of specific fields means that only those fields are only allowed (if multiple fields are selected, then only the combination of those fields will be allowed). The Analysis and Segments are always required. The Filter and Breakdown are optional. If no Filter or Breakdown is selected, then they are not allowed. You can add as many rows as you’d like, and these will serve as individual permissions that allow the specific analysis access you specified.
Any role can be previewed prior to being saved. After configuring a role within the role creation interface, select the Preview button at the top right. A new window will open and will display the Dandi interface as if you were assigned that role. You’ll see a Role Preview banner at the bottom of the page. You can continue to edit your role and launch new previews until you are satisfied with the role configuration.
Users can be assigned roles on the Admin -> Users (you’ll need both Users and Roles permissions) page. You can assign multiple roles per user. The permissions are cumulative, so multiple roles will provide access based on the combined permissions of all the roles.
Identity Provider integration
Dandi supports Identity Provider integration to sync your users and groups. The following providers are currently supported: Google Workspace, Okta, OneLogin, Microsoft Azure. Once connected, all of your users and groups can be synced into Dandi, which you can view from the Users and Groups tabs under Admin. Roles can then be assigned to a group, which applies to all the users within that group. Users and groups will be administered from within your identity provider, and Dandi will perform a sync on a daily basis. An on-demand sync is available through the “Sync users and groups” button on the Users page. Please reach out to your customer support representative to get started with Identity Provider integration.
Follow these best practices and tips to ensure you’re building your roles in an efficient and scalable manner:
- Test your roles: before saving a role, use the Preview Role feature to ensure it's working the way you intended
- Certain features have dependencies on other feature permissions. Specifically, to allow access for Dashboards or Goal creation, you’ll also need to add the Explore:View feature permission and Analysis Permissions so the role has access to the appropriate reporting
- Try to standardize roles as best you can across same personas on your team, to simplify ongoing maintenance
- Remember that users can have multiple roles. The final set of permissions of a user are cumulative from all the permissions from each role. Use this concept to create modularized permissions that can be easily applied to your users
- For example, if you want to enable employee count masking for certain users, create a role that just has one feature and employee count masking enabled. Then you can easily apply (and remove) this individual role across any of your team members, without having to modify their existing roles.
- Configure your identity provider with appropriate internal groups. Then use Dandi’s integration to sync your users and groups, and apply roles to your groups
- If you were onboarded onto Dandi before June 2023, reach out to customer support to start configuring your custom roles. Going forward, roles and permissions configuration will be included during customer onboarding.