Applying PDP and Publication Groups

We are using publication groups to give external users access to their, and only their, data.  Since Publication groups can't be accessed via the current API endpoints we also thought to programatically define PDP to guarantee a second layer of protection against people seeing data they shouldn't. We tested this and it looks like the access defined under the publication group policies overrides those defined on the dataset's pdp...

 

Is this intentional? Is there a way to make this work such that the Publication group applies appropriate PDP policies to the datasests used in the cards in the publication group, then the publication group access rules are applied as well?

Thanks,

Comments

  • AS
    AS 🔵

    Good question.  I've wondered how the two methods interact but never asked.  I figured both would apply, as in the strictest possible combination.

     

    Following for any responses.

  • I'm going to take this one step further.  We had a dataset with PDP on it, and a user setup as Participant.  The user couldn't see the data on the card shared with them because of PDP.  Updated PDP to allow that user, which seemed to override the Participant setting and allowed the user to create and edit cards.