PDP tied to user?

Are PDPs tied to users or groups? I thought groups but it's not working that way.

Group Setup

I put one user in 2 groups

1) User Limited

2) User Unlimited

PDP Setup

On the same dataset,

1) I created a PDP that filtered data and applied this to the User Limited group

2) I created a PDP that included all data and applied this to the User Unlimited Group

Domo Dashboard Pages Setup

I created 2 dashboards with the same dataset

Page Access

Page 1) User was added by adding User Limited group with access to the page.

Page 2) User was added by adding User Unlimited group with access to the page


Expected Results

I expected to see the user have limited access on Page 1 and all access on Page 2 based on the two groups and which page they had access to.

Actual Results

The user could see all data on both pages

What am I doing wrong?

Tagged:

Answers

  • I read all documentation before posting here. If you look through my scenario above, it should work. But it is not. Please let me know if you need more information.

    Group 1 with limited data (PDP) on a dataset on Page 1

    Group 2 with unlimited data (PDP) on same dataset on Page 2

    A user in both groups, should have Limited view on Page 1 and Unlimited view on Page 2

    It's not working

    If I am missing something please advise

  • Yes, I selected enable PDP, at first I did not but I realized my mistake and corrected that a few hours ago in the very beginning.

    You won't see any difference in the impact button because I am provisioning access to all cards but reducing the data that is visible on each card.

    Last, I'm not sure where the message "Your current PDP policies on this DataSet will not have any affect on your Domo resources" would be visible as you didn't mention in your response, however, I do not see that message anywhere.

  • mhouston
    mhouston 🟢
    edited September 2021

    @Jessica PDP policies are additive, meaning that since your user is in both the limited and unlimited group, whenever they are viewing that dataset, they will see any data in the Limited group AND any in the unlimited group (this is outlined in the "Adding Users to Multiple PDP Policies" section of the kb document https://domohelp.domo.com/hc/en-us/articles/360042934614-Creating-and-Deleting-PDP-Policies). It doesn't matter what group you shared the page with, that just gives access to the page/cards/datasets. Since your user is in both groups, both PDP policies are applied anytime they access a card built on that dataset.

    Also to your initial question - PDP can be tied to either people or groups, depending on how you define them. You can either add a person to a PDP policy or a group to a PDP policy - when you add a group, anyone in that group then has that PDP policy applied.

    If you want your user to see a limited view on page 1 and an unlimited view on page 2, you will have to rework your datasets/PDP/filters (my first thought is you probably have to have different datasets for page 1 than page 2, but somebody else may have a more creative solution).

  • @mhouston super helpful, I was worried about exactly what you were saying.

    I guess I figured that if

    Group - limited was the Access Group on Page 1 created with dataset XYZ (PDP applied here to Group -Limited)

    Group - Unlimited was the Access Group on Page 2 created with dataset XYZ

    I was hoping that the PDP filter would be entirely Group driven and not by user.

    My only other option is to create a duplicate dataset each time and add "Limited" to the name and put the limiting PDP filter/Group on that one. We would just have to determine when we build pages if we intend on having anything restricted as to which dataset we would need to build with.

    Just to give you a real world example, we have a Financial Dataset that rolls up Net Income but can also drill down to granular level of Salaries. We always place restrictions on drilling to final dataset so we don't have any concerns there.

    How we build, same dataset for both

    Page 1 - Visuals at only a high level of Net Income, nothing that would display salary, limited drills to granular data.

    Page 2 - Visuals at lower levels that show salary by cost center or division, drilling down to details and would need PDP

    I was hoping that I wouldn't have to create 2 datasets AND two different groups to provide the necessary security.



  • jaeW_at_Onyx
    jaeW_at_Onyx Budapest / Portland, OR 🔴

    Jessica,

    your language is confusing. it sounds like you have one dataset, ID = abc.

    Structure your data such that you have drillable and aggregated data (note 10+10+30 = 50) and you differentiate them using a column isAggregated.


    Now John, a lowly analyst can have access to the rows where 'isAggregated' = 'other' OR 'Total'.

    Suzan, the CFO can have access to the rows where isAggregated = 'other' or 'Drill'.


    They both see 'the same data' just when Suzan drills she can see salaries... or whatever the granular detail is.




    Jae Wilson
    Check out my 🎥 Domo Training YouTube Channel 👨‍💻

    **Say "Thanks" by clicking the ❤️ in the post that helped you.
    **Please mark the post that solves your problem by clicking on "Accept as Solution"