PDP question

ARosser · 2025-02-13T20:40:50+00:00

There was an error rendering this rich post.

Sorry for the vague title. My brain just couldn't think of anything else.

I have a commission report and I just can't seem to come up with a path to get the PDP setup correctly.

I have 3 distinct levels of access:

Role level: Salesperson can see only their personal rows. Supervisor can see the rows of everyone that reports to them. Same for Division Manager and Regional Manager. I have this setup using managed attributes. All users are in a Commission AD Group that gives them access to the report.

Corporate/Admin level: Commission Admin AD Group assigned to the All Rows policy.

Office Manager level. This is the one I can't figure out. I need office managers to be able to see all records for their Division. I have an AD group for Office Managers and different AD groups for all of the Divisions. I have given the Office Mangers access to the report, but if I use the Division AD Groups for the PDP won't that give everyone in the above mentioned Commission AD Group (salesperson, supervisors, etc) access to those rows?

How can I limit the Role level users to very specific row level access while giving Office Managers a higher level of row level access. Note that the Division AD Groups are used company wide therefore I can't change who is in them.

Find more posts tagged with

PDP

Accepted answers

All comments

DomoDork

@ARosser - I had something similar to this and the best way I've found to do this was to get my AD group data into a dataset. Then I could use MagicETL to parse out people into my own domo groups and output that to a dataset. I used the Governance Toolkit to generate domo groups based on my dataset. You can read about that here.

https://domo-support.domo.com/s/article/4415839663639?language=en_US

Once I had the groups automated in Domo, I made a MagicETL to write PDP policies based on those domo groups. Again, you do this with the governance toolkit via the PDP Automation feature.

https://domo-support.domo.com/s/article/4415800746391?language=en_US

Once I had all of that, PDP would automatically refresh when groups were updated via my MagicETL processes. I had to have this because our AD groups really don't align to data security needs so I had to work around it.

I hope this gives you some clues to proceed further :)

ARosser

I don't see it in the documentation for Group Management so I'll ask here. Can you create/manage Dynamic Groups? Essentially I would like to create a group where the user is in both the Office Manager AD group as well as the Division AD group.