Inviting Users with Pre-Applied Data Permissions


When a user is invited to join a project, an invitation is sent to the user who, if interested, can immediately join the project. When the user opens the project, however, no Data Permissions have been applied by default, which means that the user can see all data in the project. As a result, the invitation mechanism is not useful for inviting new users to projects where Data Permissions have been applied.

NOTE: Data Permissions were formerly called Mandatory User Filters.

  • A Data Permissions filter is a data access control that pre-filters data returned to any user, based on specified values for an attribute. For more information, see Data Permissions for Beginners.
  • For more information on setting up Data Permissions, see Let’s get started with Data Permissions.
  • Invitations may be extended through the GoodData Portal or through API calls. An invitation generates a standard welcome email from GoodData, which includes a direct link to accept the invitation.

This article describes a simple way of inviting users into a project with predefined Data Permissions. The basic approach is to do the following:

  1. Create (do not invite) a user into the organization, if the user doesn’t already exist.
  2. Apply the Data Permissions filter to the user in the organization.
  3. Invite the user to the project.

NOTE: The innovation in this process is to use an extension of the invitation API, which enables you to apply the Data Permissions filter at the time of invitation.

Steps:

  1. Suppose you are inviting a new user (new-user@example.com) to your project.
  2. The Data Permissions filter you wish to apply to this user is the following:
    /gdc/md/{project-id}/obj/{filter-id}
  3. First, you must apply a project role to the user. To list all roles in the project, use the following API:
    /gdc/projects/{project-id}/roles
  4. In the returned JSON, retrieve the URI for the role you wish to assign to the user. There should be links to roles such as Admin, Editor, Viewer, and Embedded Dashboard Only roles.
  5. Roles should be in the following form:
    /gdc/projects/{project-id}/roles/{role-id}
  6. Now that you have retrieved the URIs for the Data Permissions filter and project role, you can build the JSON to create the invitation:
    {
       "invitations": [
           {
               "invitation": {
                   "content": {
                       "email": "new-user@example.com",
                       "userFilters": [
                           "/gdc/md/{project-id}/obj/{filter-id}"
                       ],
                       "role": "/gdc/projects/{project-id}/roles/{role-id}",
                       "action": {
                           "setMessage": "Hi, welcome to my project!"
                       }
                   }
               }
           }
       ]
    }
    
  7. Submit this request body as a POST using the following API call:
    /gdc/projects/{project-id}/invitations

If the POST is successful, the invitation is created and delivered to the user via email. When the user logs into the project, all data in the project is filtered according to the Data Permissions filter.
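The request from steps 6 and 7, as an added example that is not part of the original article or GoodData's own code: it builds the invitation body and refuses to produce one that has no Data Permissions filter, still contains an unreplaced {placeholder}, or references a different project. The function name, the sample ids, and the characters allowed in ids are assumptions.

```python
import json
import re

# URI shapes taken from the article; the id character set is an assumption.
FILTER_URI = re.compile(r"^/gdc/md/([^/{}\s]+)/obj/([^/{}\s]+)$")
ROLE_URI = re.compile(r"^/gdc/projects/([^/{}\s]+)/roles/([^/{}\s]+)$")


def build_invitation(project_id, email, role_uri, filter_uris, message=None):
    """Return (endpoint_path, json_body) for an invitation with Data Permissions.

    Raises ValueError instead of producing an invitation that would leave
    the new user unfiltered, or that mixes in URIs from another project.
    """
    if not filter_uris:
        raise ValueError("refusing to invite without a Data Permissions filter")
    role = ROLE_URI.match(role_uri)
    if not role or role.group(1) != project_id:
        raise ValueError(f"role URI is not in project {project_id}: {role_uri}")
    for uri in filter_uris:
        match = FILTER_URI.match(uri)
        if not match or match.group(1) != project_id:
            raise ValueError(f"filter URI is not in project {project_id}: {uri}")
    content = {"email": email, "userFilters": list(filter_uris), "role": role_uri}
    if message:
        content["action"] = {"setMessage": message}
    body = {"invitations": [{"invitation": {"content": content}}]}
    return f"/gdc/projects/{project_id}/invitations", json.dumps(body, indent=2)


if __name__ == "__main__":
    # Constructed sample values; replace with ids from your own project.
    pid = "exampleproject123"
    path, body = build_invitation(
        pid,
        "new-user@example.com",
        f"/gdc/projects/{pid}/roles/2",
        [f"/gdc/md/{pid}/obj/1234"],
        message="Hi, welcome to my project!",
    )
    print("POST", path)
    print(body)
```
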

  • To verify that the Data Permissions filter has been applied, submit a GET to the following API endpoint:
    /gdc/md/{project-id}/userfilters

For more information, see Invitations API.