PDP tied to user?
Are PDPs tied to users or groups? I thought groups but it's not working that way.
Group Setup
I put one user in 2 groups
1) User Limited
2) User Unlimited
PDP Setup
On the same dataset,
1) I created a PDP that filtered data and applied this to the User Limited group
2) I created a PDP that included all data and applied this to the User Unlimited Group
Domo Dashboard Pages Setup
I created 2 dashboards with the same dataset
Page Access
Page 1) User was added by adding User Limited group with access to the page.
Page 2) User was added by adding User Unlimited group with access to the page
Expected Results
I expected to see the user have limited access on Page 1 and all access on Page 2 based on the two groups and which page they had access to.
Actual Results
The user could see all data on both pages
What am I doing wrong?
Answers
-
Hi @Jessica, PDPs can be applied to both users and groups. Have you looked through this article: https://domohelp.domo.com/hc/en-us/articles/360042934614-Creating-and-Deleting-PDP-Policies? It outlines step by step on how to create your policies, and it includes an example scenario to help with segmenting how certain data appears for certain users.
7 -
I read all documentation before posting here. If you look through my scenario above, it should work. But it is not. Please let me know if you need more information.
Group 1 with limited data (PDP) on a dataset on Page 1
Group 2 with unlimited data (PDP) on same dataset on Page 2
A user in both groups, should have Limited view on Page 1 and Unlimited view on Page 2
It's not working
If I am missing something please advise
0 -
Let's go step by step to determine if there was a step missing.
When you are in the 'PDP' section of your dataset, and you click on the 'Impact' button, are there clear differences in the outcomes outlined by Domo (i.e. Messages outlining what is being applied to limit the data) or does both your policies created say "Your current PDP policies on this DataSet will not have any affect on your Domo resources"?
Also, do you see this button next to 'Enable PDP'?
https://domohelp.domo.com/hc/article_attachments/360059655973/disable_pdp.pngIf not, then enable the policy to be applied to your dataset.
9 -
Yes, I selected enable PDP, at first I did not but I realized my mistake and corrected that a few hours ago in the very beginning.
You won't see any difference in the impact button because I am provisioning access to all cards but reducing the data that is visible on each card.
Last, I'm not sure where the message "Your current PDP policies on this DataSet will not have any affect on your Domo resources" would be visible as you didn't mention in your response, however, I do not see that message anywhere.
0 -
Sorry for any confusion in my last paragraph, I was trying to establish if there was any way of seeing the difference in policy settings on the 'PDP' section before you looked at Page 1 and 2.
So Page 1 and 2 have the exact same cards but you've applied a filter(s) on the data columns for Page 1 only, correct?
I believe this is a situation where someone will need to see you do the steps in your Domo view and then be able to troubleshoot because while your breakdown of scenario is clear, it is hard to pinpoint issues without seeing what is actually happening in your Domo.
Perhaps while your question is being looked at by others here, it is worth also raising a ticket to Domo Support [https://domo-support.domo.com/] so that they can organise a screen-share session to view your steps and work.
9 -
@Jessica PDP policies are additive, meaning that since your user is in both the limited and unlimited group, whenever they are viewing that dataset, they will see any data in the Limited group AND any in the unlimited group (this is outlined in the "Adding Users to Multiple PDP Policies" section of the kb document https://domohelp.domo.com/hc/en-us/articles/360042934614-Creating-and-Deleting-PDP-Policies). It doesn't matter what group you shared the page with, that just gives access to the page/cards/datasets. Since your user is in both groups, both PDP policies are applied anytime they access a card built on that dataset.
Also to your initial question - PDP can be tied to either people or groups, depending on how you define them. You can either add a person to a PDP policy or a group to a PDP policy - when you add a group, anyone in that group then has that PDP policy applied.
If you want your user to see a limited view on page 1 and an unlimited view on page 2, you will have to rework your datasets/PDP/filters (my first thought is you probably have to have different datasets for page 1 than page 2, but somebody else may have a more creative solution).
2 -
@mhouston super helpful, I was worried about exactly what you were saying.
I guess I figured that if
Group - limited was the Access Group on Page 1 created with dataset XYZ (PDP applied here to Group -Limited)
Group - Unlimited was the Access Group on Page 2 created with dataset XYZ
I was hoping that the PDP filter would be entirely Group driven and not by user.
My only other option is to create a duplicate dataset each time and add "Limited" to the name and put the limiting PDP filter/Group on that one. We would just have to determine when we build pages if we intend on having anything restricted as to which dataset we would need to build with.
Just to give you a real world example, we have a Financial Dataset that rolls up Net Income but can also drill down to granular level of Salaries. We always place restrictions on drilling to final dataset so we don't have any concerns there.
How we build, same dataset for both
Page 1 - Visuals at only a high level of Net Income, nothing that would display salary, limited drills to granular data.
Page 2 - Visuals at lower levels that show salary by cost center or division, drilling down to details and would need PDP
I was hoping that I wouldn't have to create 2 datasets AND two different groups to provide the necessary security.
0 -
Jessica,
your language is confusing. it sounds like you have one dataset, ID = abc.
Structure your data such that you have drillable and aggregated data (note 10+10+30 = 50) and you differentiate them using a column isAggregated.
Now John, a lowly analyst can have access to the rows where 'isAggregated' = 'other' OR 'Total'.
Suzan, the CFO can have access to the rows where isAggregated = 'other' or 'Drill'.
They both see 'the same data' just when Suzan drills she can see salaries... or whatever the granular detail is.
Jae Wilson
Check out my 🎥 Domo Training YouTube Channel 👨💻
**Say "Thanks" by clicking the ❤️ in the post that helped you.
**Please mark the post that solves your problem by clicking on "Accept as Solution"1
Categories
- All Categories
- 1.7K Product Ideas
- 1.7K Ideas Exchange
- 1.5K Connect
- 1.2K Connectors
- 294 Workbench
- 6 Cloud Amplifier
- 8 Federated
- 2.8K Transform
- 97 SQL DataFlows
- 607 Datasets
- 2.1K Magic ETL
- 3.8K Visualize
- 2.4K Charting
- 707 Beast Mode
- 49 App Studio
- 39 Variables
- 667 Automate
- 170 Apps
- 446 APIs & Domo Developer
- 44 Workflows
- 7 DomoAI
- 33 Predict
- 13 Jupyter Workspaces
- 20 R & Python Tiles
- 391 Distribute
- 111 Domo Everywhere
- 274 Scheduled Reports
- 6 Software Integrations
- 115 Manage
- 112 Governance & Security
- Domo Community Gallery
- 31 Product Releases
- 9 Domo University
- 5.3K Community Forums
- 40 Getting Started
- 30 Community Member Introductions
- 103 Community Announcements
- 4.8K Archive