More Granularity in the 'Manage' Role Grants

PWeed
PWeed Member
edited August 2023 in Governance & Security Ideas

We have end users with the required access to view all data assets in Domo to fulfill their job description. For example, we have some users that need to be able to see all datasets and dataflows in lineages with the ability to navigate freely as part of their job as Technical Program Managers. However, the only way to allow that is to provide them with Manage Dataset and Manage Dataflow role grants. This gives them too much access, as they can not only view but also edit and delete any dataset or dataflow respectively.

With Domo as part of our footprint for housing upcoming SOX-compliant reporting, we need the ability to provide view access to all datasets and dataflows without the ability of users to edit or delete these assets. Requesting the enhancement of adding 2 new role grants:
View Datasets - View any datasets in this instance
View Dataflows - View any dataflows in this instance

23 votes

In Review · Last Updated

We are reviewing feasibility for this request and a few similar governance requests that are related to 'view only' or 'view as' that we are trying to evaluate holistically. Will send clarifying questions in the thread below to ensure we clearly understand the 'jobs to be done' and desired outcomes.

Comments

  • I think this is a great idea. I have seen other customers ask for this as well. Please consider this enhancement.

  • This is a serious concern for us as well!

    Please allow for distinction to view vs edit vs delete. It’s a serious risk to have them bundled into an all or nothing privilege.

  • I agree with @user078903 about the view/edit/delete distinction. For example, it would be very helpful to create a custom role for business users to share content with other users by adding them to a group without the risk of accidentally deleting the group or sharing sensitive content with that group.

  • I agree it would be nice to give blanket read-only permission for these. It would also be great to have the ability to share individual DataFlows as read-only. Given the new ability to share a DataFlow coming to beta soon, if it isn't already part of that sharing process, hopefully that wouldn't be a large additional lift.