PDP question

Sorry for the vague title. My brain just couldn't think of anything else.

I have a commission report and I just can't seem to come up with a path to get the PDP set up correctly.

I have 3 distinct levels of access:

Role level: Salesperson can see only their personal rows. Supervisor can see the rows of everyone that reports to them. Same for Division Manager and Regional Manager. I have this set up using managed attributes. All users are in a Commission AD Group that gives them access to the report.

Corporate/Admin level: Commission Admin AD Group assigned to the All Rows policy.

Office Manager level: This is the one I can't figure out. I need office managers to be able to see all records for their Division. I have an AD group for Office Managers and different AD groups for all of the Divisions. I have given the Office Managers access to the report, but if I use the Division AD Groups for the PDP, won't that give everyone in the above-mentioned Commission AD Group (salesperson, supervisors, etc.) access to those rows?

How can I limit the Role level users to very specific row level access while giving Office Managers a higher level of row level access? Note that the Division AD Groups are used company-wide; therefore, I can't change who is in them.

Answers

  • DomoDork, Contributor
    edited February 13

    @ARosser - I had something similar to this and the best way I've found to do this was to get my AD group data into a dataset. Then I could use MagicETL to parse out people into my own Domo groups and output that to a dataset. I used the Governance Toolkit to generate Domo groups based on my dataset. You can read about that here.

    https://domo-support.domo.com/s/article/4415839663639?language=en_US

    Once I had the groups automated in Domo, I made a MagicETL to write PDP policies based on those Domo groups. Again, you do this with the Governance Toolkit via the PDP Automation feature.

    https://domo-support.domo.com/s/article/4415800746391?language=en_US

    Once I had all of that, PDP would automatically refresh when groups were updated via my MagicETL processes. I had to have this because our AD groups really don't align to data security needs, so I had to work around it.

    I hope this gives you some clues to proceed further :)

  • I don't see it in the documentation for Group Management so I'll ask here. Can you create/manage Dynamic Groups? Essentially I would like to create a group where the user is in both the Office Manager AD group as well as the Division AD group.
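
The intersection discussed in this thread (a user who is in both the Office Manager AD group and a Division AD group), worked through over an AD membership export as an added example; it is not code from either poster or from Domo. The group names, the `OM - ` prefix, the `Division` column and the policy row layout are assumptions for illustration, not the Governance Toolkit's schema.

```python
from collections import defaultdict

# Constructed sample of an AD membership export (user, ad_group); all values are made up.
AD_MEMBERSHIP = [
    ("alice@example.com", "Office Managers"),
    ("alice@example.com", "Division - East"),
    ("bob@example.com", "Commission"),
    ("bob@example.com", "Division - East"),
    ("carol@example.com", "Office Managers"),
    ("carol@example.com", "Division - West"),
    ("dave@example.com", "Commission"),
    ("dave@example.com", "Division - West"),
    ("erin@example.com", "Office Managers"),  # no division group: derives nothing
]
GATE_GROUP = "Office Managers"   # assumed name of the gating AD group
DIVISION_PREFIX = "Division - "  # assumed naming convention for division AD groups
DERIVED_PREFIX = "OM - "         # hypothetical prefix for the derived groups


def derive_groups(membership, gate=GATE_GROUP, prefix=DIVISION_PREFIX):
    """Return {derived_group: sorted users} for users in the gate AND a division group."""
    groups_by_user = defaultdict(set)
    for user, group in membership:
        groups_by_user[user.strip().lower()].add(group.strip())
    derived = defaultdict(set)
    for user, groups in groups_by_user.items():
        if gate not in groups:
            continue  # division membership alone never grants division-wide rows
        for group in groups:
            if group.startswith(prefix):
                derived[DERIVED_PREFIX + group[len(prefix):]].add(user)
    return {name: sorted(users) for name, users in sorted(derived.items())}


def policy_rows(derived, column="Division"):
    """One row per derived group: members see rows where `column` equals the division."""
    return [{"policy_name": name, "group": name, "column": column,
             "value": name[len(DERIVED_PREFIX):]} for name in derived]


def audit(derived, membership, gate=GATE_GROUP):
    """Return users in any derived group who are NOT in the gate group (expect none)."""
    gated = {u.strip().lower() for u, g in membership if g.strip() == gate}
    members = {u for users in derived.values() for u in users}
    return sorted(members - gated)
```

Because the company-wide Division groups are only read and never used directly in a policy, salespeople and supervisors who belong to them gain no division-wide rows.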