PDP question

Sorry for the vague title. My brain just couldn't think of anything else.
I have a commission report and I just can't seem to come up with a path to get the PDP set up correctly.
I have 3 distinct levels of access:
Role level: Salesperson can see only their personal rows. Supervisor can see the rows of everyone that reports to them. Same for Division Manager and Regional Manager. I have this set up using managed attributes. All users are in a Commission AD Group that gives them access to the report.
Corporate/Admin level: Commission Admin AD Group assigned to the All Rows policy.
Office Manager level: This is the one I can't figure out. I need office managers to be able to see all records for their Division. I have an AD group for Office Managers and different AD groups for all of the Divisions. I have given the Office Managers access to the report, but if I use the Division AD Groups for the PDP, won't that give everyone in the above-mentioned Commission AD Group (salespersons, supervisors, etc.) access to those rows?
How can I limit the Role level users to very specific row-level access while giving Office Managers a higher level of row-level access? Note that the Division AD Groups are used company-wide; therefore, I can't change who is in them.
Answers
@ARosser - I had something similar to this and the best way I've found to do this was to get my AD group data into a dataset. Then I could use MagicETL to parse out people into my own Domo groups and output that to a dataset. I used the Governance Toolkit to generate Domo groups based on my dataset. You can read about that here.
Once I had the groups automated in Domo, I made a MagicETL to write PDP policies based on those Domo groups. Again, you do this with the Governance Toolkit via the PDP Automation feature.
Once I had all of that, PDP would automatically refresh when groups were updated via my MagicETL processes. I had to have this because our AD groups really don't align to data security needs, so I had to work around it.
I hope this gives you some clues to proceed further :)
0 -
I don't see it in the documentation for Group Management so I'll ask here. Can you create/manage Dynamic Groups? Essentially I would like to create a group where the user is in both the Office Manager AD group as well as the Division AD group.
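The group logic discussed in this thread, as an added example that is not part of any post here and is not Domo or Governance Toolkit code: it derives one group per Division containing only users who are in both the Office Manager AD group and that Division's AD group, then emits one row-filter policy per derived group. The membership rows are constructed sample data, and the group names, the `Division` column name and the output row shape are assumptions; no Domo API is called.

```python
from collections import defaultdict

# Constructed sample of an AD membership export: (user, ad_group).
AD_MEMBERSHIP = [
    ("alice", "Office Managers"), ("alice", "Division East"),
    ("bob", "Commission"), ("bob", "Division East"),      # salesperson
    ("carol", "Office Managers"), ("carol", "Division West"),
    ("carol", "Division East"),                           # covers two divisions
    ("dave", "Office Managers"),                          # no division group
    ("erin", "Commission"), ("erin", "Division West"),    # supervisor
]

OFFICE_MANAGER_GROUP = "Office Managers"  # assumed AD group name
# Assumed mapping: division AD group -> value in the report's Division column.
DIVISION_GROUPS = {"Division East": "East", "Division West": "West"}


def build_intersection_groups(rows, role_group, division_groups):
    """Return ({derived_group: (division, [users])}, [unassigned_users])."""
    members = defaultdict(set)
    for user, group in rows:
        members[group].add(user.strip().lower())
    role_members = members.get(role_group, set())
    derived = {}
    for ad_group, division in sorted(division_groups.items()):
        # Only users in BOTH groups qualify; membership of the division
        # group alone (salespeople, supervisors) grants nothing here.
        both = role_members & members.get(ad_group, set())
        if both:
            derived[f"OM - {division}"] = (division, sorted(both))
    assigned = {u for _, users in derived.values() for u in users}
    # Office managers with no division group get no policy; report them
    # so they can be reviewed rather than silently seeing zero rows.
    return derived, sorted(role_members - assigned)


def policy_rows(derived, column="Division"):
    """One row-filter policy per derived group (hypothetical row shape)."""
    return [
        {"policy": f"{group} rows", "group": group,
         "column": column, "value": division}
        for group, (division, _users) in derived.items()
    ]


if __name__ == "__main__":
    groups, unassigned = build_intersection_groups(
        AD_MEMBERSHIP, OFFICE_MANAGER_GROUP, DIVISION_GROUPS)
    for row in policy_rows(groups):
        print(row, groups[row["group"]][1])
    print("office managers without a division:", unassigned)
```

Because the policies point at the derived groups and never at the company-wide Division AD groups, role-level users stay limited to their managed-attribute policies.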