Skip to main content

Celonis Product Documentation

Data Permissions

Data Permissions are used to limit the data that users can see in Analyses and Views. For instance, user 1 in region A and user 2 in region B both work in Accounting and they both deal with supplier invoices. Therefore, they should both be able to see the Accounts Payable analysis. However, user 1 should only see the invoices from region A and user 2 should only see the invoices for region B respectively.

There are two ways to define data permissions:

  • Manually set user/group permissions: You define on a user or group level within the user interface which data points users can see.

  • Load permissions from table: You define and configure tables in the Data Pool from which permission information should be retrieved and synchronized.

If you specify multiple data permissions for a user or user group, the user will be restricted by all of them. Example: The user can only see company code 1000 and vendor 200. Then, only entries matching both conditions will be displayed to the user, so e.g. an entry with company code 2000 and vendor 200 is not visible.

Applying data permissions

If you maintain groups to update your data permissions, i.e. you only make changes in Admin and Settings to update data permissions and not directly in the Data Permissions tab, then there may be latency in reflecting data permission changes. Please plan accordingly in your schedule that the changes will not be reflected immediately.

Activating data permissions

If you have defined data permissions, it is important that you activate them using the switch on the top of the data permission page. Otherwise, they will not be applied and therefore, users will not be restricted.

Manually defining data permissions
16482795.png
  1. Choose the option to manually define user and group permissions.

  2. Add a user or group from the team that you are working in. You can add multiple users and/or groups.

  3. The name of the group or user will be displayed.

  4. Giving the user or group unlimited access means that they will be able to see all the data in the data models that they have access to.

  5. You can delete the user or group permission.

  6. Adding a rule allows you to specify what exactly the user or group is allowed to see.

  7. First you need to define the table and column in the data model that should be restricted.

  8. Secondly, you need to define the values of this column that the user is allowed to see.

  9. After saving a rule you can still edit or remove it from the user or group permission.

Defining permission tables from a Data Pool

Limit

There is a limit of 100,000 rows which can be imported from a Data Pool to be able to offer good performance of queries in the Process Mining Engine. Please consider to reduce the number of permission rows by using groups instead of single users.

41192282.png

In the tab "Load permissions from tables" you find the following options:

  1. You can add new permission tables that cover a specific area (see point 7 below).

  2. After having made changes to the table definitions or the tables themselves have changed, you need to apply the settings which will fetch the data from the database using your configuration. A warning will be shown in case you have made changes and they are not applied yet.

  3. First, you need to select a table in which the permission data can be found.

  4. After the permission table is applied, you will see the result in a panel below the table name. It has three states:

    1. Success: The permission table has been successfully applied to the data permissions.

    2. Warning: The permission table has been successfully applied to the data permissions. However, there might be undesired consequences which are outlined in the message (e.g. a typo in an email).

    3. Error: The permission table could not be applied. Please refer to the message for details on how to solve this.

  5. Then, you have to specify whether the permission table contains user (emails) or group (names) for which data permissions should be applied.

  6. Depending on your choice in 6) you either need to specify the column containing user email addresses or group names.

  7. The second choice needs to be made between value assignment and unlimited assignment:

    1. Value Assignment: Define what value the users or groups are allowed to see in which table column.

    2. Unlimited Assignment: Define which users have unlimited access to the data of the data model.

  8. Lastly, depending on whether you have chosen "Value assignment" or "Unlimited assignment" you need to provide the relevant columns in the permission table:

    1. Value Assignment:

      1. table: the technical name of the table that should be restricted or the table alias if the flag "'Reference table' refers to alias in Data Model" is active

      2. column: the column of the table that should be restricted

      3. values: the value of the column that the user should be able to see

    2. Unlimited assignment:

      1. unlimited column: a flag (true/false) that defines whether the user should have unlimited access (true) or not (false). False is the default which does not need to be specified explicitly.

Examplary permission table

Column Name

User_Mail

Table_Name

Column_Name

Value

Variable Type

string

string

string

string

row 1

m.mustermann@celonis.com

O2C_VBAK

VKORG

500

row 2

m.musterfrau@celonis.com

O2C_VBAK

VKORG

400

...

...

...

...

...

Example table with row descriptions (italic text only for description)

The uploaded (or created) permission table could look something like the example on the left.

Please be aware:

  • The column data type should be the same as what you compare with. The "Value" is often a number / integer which is why Celonis usually automatically recognizes the column as integer (e.g. in the file upload). You will have to select "string" instead, or cast the column later (e.g. in a transformation in the global scheme).

  • The column, containing table names must be filled with the real table name of the table in the Data Model or the alias displayed in the Data Model Graph . You can see the table name by clicking on the three dots next to the alias name in the Data Model Graph. This needs to be consistent for the whole permission table and if you choose the alias you need to activate the respective flag when setting up the permission table.

  • Best practice of column names: It might be of advantage to not use "Table" as column name, as this is a functional word in Vertica.

(Don't forget to synchronize your table after any edits)

Combining permissions

You might want to use not only one dimension for defining data permissions, but multiple.

In the general the PQL engine receives multiple entries as a chain of FILTER statements. If multiple entries for one column exist, they are combined into a list, e.g. FILTER table1.col1 IN (val1, val2, val3).

Four different types of data permissions are assigned to a sample data set below.

Exemplary data set

The data sample consists of two tables: purchase orders (PO) and purchase order items (POI). POs are assigned to a company code and POIs to a material number. These two dimension will be used below to set data permissions for a user.

41191214.png

Note

In the following data permission tables from Data Pools are used. The same can be achieved by using manual user or group assignments.

A) Simple filter on parent table: only one company code

Using the data permission table

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_orders

company_code

c1

leads to the purchase orders p3, p4 and p5 being filtered out for the user. Only POIs for the filtered POs are available for this user.

41191215.png
B) OR condition in one column: Multiple material numbers

Using the data permission table

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_order_items

material_number

m1

test-user@celonis.com

purchase_order_items

material_number

m6

leads to the material numbers except m1 and m6 being filtered out for the user. This also has an effect on related tables like POs: The user can only see POs with POIs that have the respective material numbers.

41191216.png
C) AND condition between tables: Only one company code and two material numbers

Using the data permission table

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_orders

company_code

c1

test-user@celonis.com

purchase_order_items

material_number

m1

test-user@celonis.com

purchase_order_items

material_number

m6

leads to only POIs being displayed which belong to POs from company code c1 and material numbers m1 or m6.

41191217.png

D) OR condition between tables: A specific company code or material number

Using the data permission table

User_Mail

Table_Name

Column_Name

Value

test-user@celonis.com

purchase_orders

c1_or_m1

yes

leads to the all values being available that are connected to the PO with company code c1 or with POIs with material number m1 or both.

Tip

If you want to define an OR permission like above, you will likely need to create such an additional column such that it identifies the values which the user should see.

41191218.png