Approach to Managing Roles/Rights

Options

Hey there. Having some challenges determining a practical approach to managing internal peoples access within Domo.

Our use case:

External Client Facing: We have a number of dashboards and related cards utilizing various datasets that are high value and for client use. Our development/QA team fully develop and manage change control and QA for these - given the criticality of quality. They also are responsible for any/all ETL work that drives availability of datasets. Other internal staff within our organization will have Domo licenses and should only be able to view these but not be able to make any changes to them.

  • My understanding is that if we were to Lock the dashboards and related cards, then our Devs would require Admin role, which is not acceptable for our security standards (as that then gives them full admin privledges).
  • How do our Devs/QA have the edit rights to these dashboards/cards while ensuring other users in our company will not?

Internal Staff Viewers: As noted above, its ok for these users to be able to see the client facing dashboards/cards, but they will be focused on using other Dashboards/Cards established for internal reporting purposes. They will only ever view dashboards they have been permissioned to see.

  • These would be Domo Participants I would expect and given access to dashboards using groups etc.

Internal Domo SMEs: Small set of our internal staff are proficient enough in Domo to create dashboards/cards (from datatsets made available by our dev/qa team). This group of users can NOT be able to edit or manage the client facing pages or cards. However, it would be nice to let them copy existing cards to re-use for internal purposes.

  • My current understanding is that these SMEs would require a minimum of a Domo Editor role. However, once having the Domo Editor role, they can essentially edit the Client Facing Dashboards/Cards that could not be locked as a result of our inability to provide our Dev/QA Admin roles.

Are we missing something with Domo's Roles/Rights and configuration?

Appreciate any thoughts/help on this one including links to any already published best practrices.

Andy

Answers

  • Kristefor
    Kristefor Member
    Options

    It seems like you need some sort of share level based permissions, like this group gets the Domo Editor role for only a specific set of Dashboards and Cards - which I don't think you can do in DOMO. Perhaps you could split external facing stuff into a separate instance of DOMO and then give the internal users different access permissions in the external facing instance.

  • Ashleigh
    Options

    @afieweger have you tried custom roles? You can pick and choose which grants you want a role to have access to. We have a view only role, a role that can view and export, a role that can make cards, nd a role that can make data, and then of course an admin role.

    For the client facing cards/dashboard, you could utilizing the lock feature which only lets admins/owners make any edits.

    https://domo-support.domo.com/s/article/360043438973?language=en_US#:~:text=You%20can%20create%20as%20many,enabled%20to%20access%20this%20tool.

    **If this answer solved your problem be sure to like it and accept it as a solution!

  • Kristefor
    Kristefor Member
    Options

    Andy -

    In regards to this:

    • My understanding is that if we were to Lock the dashboards and related cards, then our Devs would require Admin role, which is not acceptable for our security standards (as that then gives them full admin privledges).

    The owner of the dashboard can also unlock the dashboard, so that owner would not need to be an admin.

    Cheers -

    Kristefor

  • afieweger
    afieweger Member
    Options

    Appreciate all the feedback.

    The issue with the Owner is that you can only have 1 from my understanding. So if security policy does not allow us to make Devs Admins, and you can only have 1 Owner, then we have an issue where only one of our Dev team members can be an owner thereby only permitting them to work on the object (dataset, card, dashboard).

    Perhaps we look into the separate instance - seems so drastic. (little surprised that there has not been a stronger need for Users to be able to be different roles for different objects (or groups of objects).

  • Kristefor
    Options

    You can have multiple owners.

    Cheers -

    Kristefor