Google announced this feature today, but I don't see any docs for it. How can I grant row-level permissions to a user?
For example, let's say I have a table private.all_customers with the schema {customer:string, id:integer, is_secret:boolean}.
I like to give our salespeople access to the fields customer and id, but not is_secret, and moreover, I'd like to give to give them access to only those rows where is_secret = false. How can I accomplish this?
The key part of row-level permissions is that you're actually giving permission to a view. The view defines the rows and columns in that you want the delegated user to see, without giving them access to the underlying table.
To do this, create the view that will return the rows and columns that you'd like the user to see. For the example above, the view would look like:
SELECT customer, id FROM private.all_customers where is_secret = false
Then I can save this as the view "public.public_customers", and share the public dataset with the analysts.
Note that, so far, this does NOT mean that the analysts will have access to the data. If they try to run it now, they'll get an error. Merely having access to a view that reads a table doesn't give you access to the underlying data on that table. If it did, then anyone could just create a view to read any data that they wanted to see.
The second step is adding that view to the ACL of the private dataset. What this does is records that the view should have access to the data. This way the owner of the private dataset can audit who has access to their data, and revoke it if necessary.
The easiest way to add the view to the ACL is to use the BigQuery Web UI. If you click on the arrow next to the private dataset name in the Web UI and click "Share this dataset", it will bring up a dialog box that lets you edit the ACL.
At the bottom of that dialog it will show "Add People" and a clickable icon on the left. If you click on that icon, you should be able to select "Authorized View". Once that is selected, you should enter the fully-qualified name -- project:dataset.view of the view. In our example, that would be my-project:public.public_customers. Hit 'Add' and it will show up in the list, and then hit "Save Changes" to commit.
Once the view has been added to the ACL, anyone with access to the 'public' dataset should be able to run queries against the public.public_customers view.
For more advanced usage of this feature, which will allow you to give different answers to different users, see this question: How do I give different users access to different rows without creating separate views in BigQuery?
Related
I have a Sharepoint list that I'm using as a form. Everyone in the company needs to view/modify the form to submit information, but I would like to keep the response from the form viewable to just a few people. Is there a way to do that, without clicking each item and managing permissions for that item? Can that be done with a workflow?
One approach:
Set up the list so users can only see and edit their own responses. (List settings > Advanced settings > set Read Access and Create and Edit access to "Items that were created by the user".
Create a SharePoint group for people who should see all items, e.g. ListManagers
Set up list permissions so that Visitors (everyone in the company) have Contribute access and the ListManagers group gets full access for the list.
Another option:
Leave the Advanced settings at the default, so that everyone can see all items.
Change the default view of the list to show only items created by the current user.
Create a page that shows an XLV with the default view and serve that to everybody.
Create another page that shows an XLV with all items and give permissions for that page only to the limited group of people.
The second method is more for convenience than for security and will not prevent savvy users from accessing the data they cannot see in the default view.
I have created a task manager view in Microsoft Outlook which contains user defined fields as well as other Pre-defined fields in the view. I am trying to share this task manager with the rest of my team however, I cannot get it to show all of the columns as they appear on my screen on their screens. I am able to share the task manager but many of the columns are missing. It seems to be because the custom view I created isn't being shared with the other users. On my computer, the custom view is displayed and selected above "Simple list" under the Current View menu on the left and the others do no seem to have that as an option. Does anyone know how I can share the view? The tasks are already being shared I just need the View to be shared so my team can see all the columns properly. Thanks for any input you may have to offer.
Views are defined and customized using the View object's XML property. The XML property allows you to create and set a customized XML schema that defines the various features of a view.
Use the CurrentView property of the Explorer or Folder classes to customize the View in Outlook. An XML definition of the view can be exported and transferred to another PC.
Ok essentially what I did was I went to view - current view - define views and created a new view selecting Table and This folder, visible to everyone. Then I found pre-definied columns that weren't user defined columns that allowed free text typing like subject, milage, and billing information. Once finished adding all the columns I needed I applied the view. Then I went and changed the name of the columns by right clicking each column header in the task manager and selecting format column. there you chan change the label name to whatever you want the column to be titled. This way you did not have to worry with using user defined columns that can be tricky to share. After that I went back to view - current view - define views, and made a copy of the view I created selecting this folder, visible to everyone. Then you will want to right on the tasks manager name you created under the My Tasks list and select properties. Make sure to give everyone your sharing it with full permissions as owners so that they can all edit the task manager as they finish each task. Then I shared this task manager by right clicking on the name of my newly created tasks manager (listed under the My Tasks menu) and selecting "share". I checked the box in the email stating recipient can add, edit, and delete items in this tasks folder. Now everyone can see all information displayed in each column and edit it as well hope this helps.
When deleting records within the platform, this action is not reversible via the front end. Is there a way to allow users to remove a record from their view without actually deleting the record?
You can simulate recycle bin functionality within Archer GRC by adding a record permission field that grants read access to "Everyone". If read access is no longer required then an editor of the record can go in and change "Everyone" to a group called "Recycle Bin."
Please note that if there are other record permission fields in the application, users or groups may still have access if they are selected in those fields. Perhaps You can set up a dropdown status field for the user to select "Recycle Bin" and use this condition for automatic record permissions to revoke permission to the record depending on the requirements or workflow of the application.
Solution shared by Igritte might be somewhat confusing for end users.
End user will see greyed out "Delete" button in the top toolbar, but he has to select "Recycle Bin" in the form. This solution was not accepted by my business owner at some point.
As a work around for "Soft delete", I wrote a custom object overriding "Delete" button functionality.
1. User doesn't have delete access to the record, so JavaScript code will make "Delete" button look like active and available.
2. Once the button is clicked, custom object will populate value in the
hidden value list and simulate the click on the "Save" button.
Update: Note that Custom object needs to hide the value list first once the page is loaded. Here you will need to use a JavaScript and do the following: [a] locate the value list DOM object and [b] set display attribute to none. I used jQuery library to do both. This way your value list is not displayed, but you still can use it to control data driven events.
3. With hidden value populated and submitted, record permission will hide this record from the end user.
Note that custom object hides one value list on the layout as well.
If for some reason JavaScript doesn't load properly, user simply will not be able to click on the grayed out "Delete" button.
Update: Hidden value list can be populated by custom object using JavaScript code as well. You need to identify the form tag "input" in HTML code of the page and set attribute "value" to the desired state. I used jQuery library to do this as well.
I have this solution in production working fine with IE11, FF and Chrome.
I can't share the code, but with WC3Schools JavaScript guides and 4 hours you can write and test it yourself with very little JavaScript skills.
Sometimes you have to use custom objects when you want to get a user-friendly solution of not available functionality.
Good luck!
I have created an InfoPath 2010 form which is published to doc library in SharePoint 2010. I want for this form to become read-only ie once it has been submitted.
None of what I have done so far seems to work. I have:
Created a new view and re-named it to Read-Only and in its properties I have ticked
the "Read-Only" check box in InfoPath.
I have a "Submit Form" button and in here I have added rules for submitting the form,
switching the view to the read-only view.
To test this I fill out the form with sample data and submit it, then when I go to
the doc library where the forms gets submitted to when I open the submitted form I
find that the Read-Only view has not taken effect and that it is still possible to
edit the form.
Ideally what I am trying to achieve is to have the submitted forms turned into read-only when they are submitted and still be in read-only mode when these are opened from the document library where they get submitted to.
Any ideas where I'm going wrong with this? if there is a better and simpler way to achieve this please let me know.
Thanks in advance.
It might be too late to answer this question, but if someone is still looking for an answer you could try the below steps
Before you begin please verify that you have one of the following permissions:
a. You are a member of the Administrators group for the site collection.
b. You are a member of the Owners group for the site.
c. You have the Manage Permissions permission.
On the Site Settings page, Go to the Users and Permissions and look for settings
Under Settings you will be able to see Permission Levels
Select Add a Permission Level
Give a Name to you new Permission Level
Under the Select the Permissions to include to this permission level, select the Add Items and View Items Permissions to this group.
After the group is created, for your form library, stop inheriting the permissions from the parent site and create a new group with the new Permission Level that you just created. Add all the users to the group.
This should enable the users to submit a form but not edit it. Hope this helps.
There is an easier way to solve this. Create two views of this form on InfoPath Designer. And make sure when the form is submitted, the view is flipped to the Read-Only view; which has the salient feartures of the form such as the answers you would like to be recorded.
So anyone who opens the form once submitted wil only see the Read-Only view. You can set a rule on the form to have an administrator see a Edit mode.
I just went through this. the submit rule doesn't work, you have to create a form load rule. In the file toolbar, you'll see a form load button in the rules block.
I activated restrict_owner to change the textfield to a dropdown when creating a new ticket. Is there a way to change the contents of that dropdown from user id's to user names?
The reason is, that all user id's that we use to log in are somewhat cryptic (something like xyz01, xyz02 and so on). If that list could show the associated user names, that you can enter in the prefs, that would be perfect.
Regards,
Sascha
To get around that, I installed the Auto-Complete Users Plugin. This will allow you to more easily select a user by account name, real name, or email address, plus it seems to have better performance than using restrict_owner.
I'm not sure if the plugin covers all of the same form fields as the restrict_owner option. If there's one that it misses, it shouldn't be too difficult to modify the code and add another field.