Role management

更新时间:
复制 MD 格式

Quick BI provides a customizable role and permission system to help your organization operate securely and flexibly. Supporting both organization-level and workspace-level roles, Quick BI allows you to implement granular permission controls for different feature modules, ensuring each user operates securely within their designated scope. This article describes how to create custom organization and workspace roles and add users to them.

Limitations

  • Custom roles are available only in the Quick BI Professional Edition.

  • Only an Organization Administrator can configure custom roles.

  • The open API for roles currently supports only system-preset roles. Support for custom roles will be added in a future release.

Features

  1. System-preset user roles: Quick BI provides default roles. You cannot delete the default system-preset roles, but you can create custom roles to supplement or replace their usage.

    • At the organization level, Quick BI includes three system-preset organization roles: Organization Administrator, Permission Administrator, and General User.

    • At the workspace level, Quick BI includes four system-preset workspace roles: Workspace Administrator, Workspace Developer, Workspace Analyst, and Workspace Viewer.

  2. Custom roles: You can create custom organization-level and workspace-level roles and assign multiple roles to a user to fit your specific business scenarios.

  3. Function permissions: Define the scope of function permissions for specific roles based on your business needs.

  4. Resource permissions: Centrally authorize access to resources at both the organization and workspace levels.

Access

On the Quick BI homepage, navigate to the Role Management page.

image

Organization roles

  1. Create an organization role.

    On the Role Management page, create a new organization role.

    image

  2. Configure function permissions.

    On the Role Management page, configure the function permissions for the role.

    imageOrganization Management: Workspace Management, Enterprise Security (includes Centralized Authorization, Collaborative Authorization Configuration, and Data Security), Intelligent O&M, Appearance Settings, Report Settings, and Map Configuration.

    Enterprise Applications: Q-Robot (includes Centralized Management, Dataset Q&A Configuration, and Q&A), Q-Robot - Exploration Edition (includes Centralized Management and Q&A), Intelligent Builder (includes the Q-Robot feature within dashboards), Exploratory Analytics, Intelligent Report, Metric Monitoring, Subscription Management, Self-Service Data Retrieval, Resource Pack Management, and dataset (Use).

    Note

    The "Use" permission for datasets is available in both organization and workspace roles. A user can use a dataset if they have this permission from either role.

    Open Integration: access key pair, open API, Data Service, embedded analytics, Custom Visualizations, and Custom Template.

    Note
    • By default, a new organization role has the following function permissions enabled: Q-Robot (Q&A only, excluding Centralized Management and Dataset Q&A Configuration), Q-Robot - Exploration Edition (Q&A only, excluding Centralized Management), Intelligent Builder, Exploratory Analytics, Intelligent Report, Metric Monitoring, Subscription Management, Self-Service Data Retrieval, open API, Data Service, and embedded analytics. You can grant or revoke permissions for any module.

    • You cannot modify the function permissions of a system-preset organization role.

      • The Organization Administrator is the most privileged role in an organization and can manage all features. This role has permissions for Workspace Management, Enterprise Security (includes Centralized Authorization, Collaborative Authorization Configuration, and Data Security), Intelligent O&M, Appearance Settings, Report Settings, Map Configuration, Q-Robot (includes Centralized Management, Dataset Q&A Configuration, and Q&A), Q-Robot - Exploration Edition (includes Centralized Management and Q&A), Intelligent Builder (includes the Q-Robot feature within dashboards), Exploratory Analytics, Intelligent Report, Metric Monitoring, Subscription Management, Self-Service Data Retrieval, Resource Pack Management, dataset (Use), access key pair, open API, Data Service, embedded analytics, Custom Visualizations, and Custom Template.

      • The Permission Administrator has permissions for Enterprise Security, Q-Robot (Q&A only, excluding Centralized Management and Dataset Q&A Configuration), Q-Robot - Exploration Edition (includes Centralized Management and Q&A), Intelligent Builder, Exploratory Analytics, Metric Monitoring, Subscription Management, Self-Service Data Retrieval, dataset (Use), open API, Data Service, and embedded analytics.

      • The General User has permissions for Q-Robot (Q&A only, excluding Centralized Management and Dataset Q&A Configuration), Q-Robot - Exploration Edition (Q&A only, excluding Centralized Management), Intelligent Builder, Exploratory Analytics, Metric Monitoring, Subscription Management, Self-Service Data Retrieval, open API, Data Service, and embedded analytics.

  3. Add users to a role.

    • On the Role Management page, add users to the role.

      image

      After you click Add User, the selected users appear in the Role Users list. You can click the User Type filter to quickly view all users of a specific type, or continue selecting users from the list on the right.

      image

    • You can switch to the User Group tab to add members from user groups in batches.

      image

      You can Expand a user group (①), Select all users in the current group (②), or select individual users within the group (③).

      image

      After you click Add User, the selected users appear in the Role Users list.

  4. Remove users from a role.

    • In the Role Users list, hover over a user, click the image.png icon in the upper-right corner, and then click OK in the Unassign Organization Role dialog box.

      image

    • You can also remove users in batches.

      image

  5. Change user roles in batches.

    • From the Role Users list, you can select users and click Batch Change Roles.

      image

    • On the Batch Change Roles page, select the target role from the Change to drop-down list and click OK.

      image.png

Workspace roles

  1. Create a workspace role.

    On the Role Management page, create a new workspace role.

    image

  2. Configure function permissions.

    On the Role Management page, configure the function permissions for the role.

    image

    Note
    • By default, a new workspace role has view permissions for all modules. You can grant or revoke permissions for each module, including New (Edit) permissions and "Use" permissions for datasets and data sources.

    • You cannot modify the function permissions of a system-preset workspace role.

      • As the most privileged role in a workspace, a Workspace Administrator has New (Edit), Use, and View permissions for all modules and can also manage permissions and assets for other members.

      • A Workspace Developer has New (Edit), Use, and View permissions for all modules.

      • A Workspace Analyst has New (Edit) and View permissions for Data Portal, dashboard, Data Screen, spreadsheet, Ad Hoc Analysis, Self-Service Data Retrieval, Data Preparation, Business Insights, and Metric Insights. This role also has View permissions for Data Filling and data sources, and Use and View permissions for datasets.

      • A Workspace Viewer has View permissions for all modules.

    • Users with the New (Edit) permission for a module can also create, rename, and delete folders within that module. Users with only view permissions, such as a Workspace Viewer, cannot perform folder operations.

  3. Add users to a role.

    After you create a custom workspace role, its user list on the Role Management page is initially empty. You must add users on the Workspace Members and Information page.

    image

    • Navigate to the Workspace Members and Information page and add users to the role.

      image.png

    • In the Add Workspace Member dialog box, select a Member and a Workspace Role.

      You can add members from User and User Group.

      image.png

      For more information, see Add a workspace member.

    • Click OK to add the user to the workspace.

      image.png

    • The user now appears in the Role Users list on the Role Management page for the corresponding workspace role. You can click the User Type filter to quickly view all users of a specific type.

      image

  4. Remove users from a role.

    On the Workspace Management > Workspace Members and Information > Member Management page, click the image.png icon next to the target user to remove them.

    image.png

    For more information, see Remove a workspace member.

Use case 1: Data Screen Administrator

This section describes how to use a custom role to define permissions for an employee based on their job responsibilities, ensuring they use BI features only within their authorized scope.

Background

Suppose Alex is an employee in your company's marketing department. You want to grant him permission to use only Data Screens for external presentations.

Procedure

If you are a new customer, you can assign the appropriate role to Alex by following these steps:

  1. Create a new workspace. In this example, the workspace is named "Marketing Demo Workspace".

    image

  2. Create a new workspace role named Data Screen Administrator.

    image.png

    Configure this custom role with New (Edit) permission for Data Screen and Use permissions for datasets and data sources.

    image.png

  3. On the Workspace Management page, add Alex to the "Marketing Demo Workspace" and assign him the Data Screen Administrator role.

    image.png

Now, Alex can only see and use the Data Screen module, ensuring he operates within the scope of his job responsibilities.

image.png

If you are an existing customer:

Alex is already a workspace member with the General User organization role and the Workspace Developer workspace role. This allows him to see all feature modules in the workspace and create or edit all assets.

You can update Alex's permissions by following these steps:

  1. Create a new workspace role named Data Screen Administrator.

    image.png

    Configure this custom role with New (Edit) permission for Data Screen and Use permissions for datasets and data sources.

    image.png

  2. On the Workspace Members and Information page, change Alex's role from Workspace Developer to Data Screen Administrator.

    image.png

Now, Alex can only see and use the Data Screen module, ensuring he operates within the scope of his job responsibilities.

image.png

Use case 2: ETL Engineer and Resource Administrator

This section describes a complex scenario involving multiple roles and permissions.

Background

Sam works at an automotive company and has two distinct job responsibilities:

  1. ETL Engineer for the data department: He is responsible only for data development, including cleaning and processing. However, he currently has the Workspace Developer role, which grants unnecessary permissions to create and edit dashboards, Data Screens, and other assets.

  2. Resource Administrator: He is responsible only for managing and publishing resource packs for production deployment. However, he currently has the Organization Administrator role, which grants him permissions far beyond the scope of his duties.

With custom roles, an administrator can assign fine-grained permissions to Sam, creating dedicated ETL Engineer and Resource Administrator roles to resolve the issue of excessive permissions and role mismatch.

image.png

Procedure

  1. Create a custom workspace role and a custom organization role.

    1. Create a custom workspace role named ETL Engineer.

      image.png

      Configure this custom role with New (Edit) permissions for Data Preparation, Dataset, and Data Source.

      image.png

    2. Create a custom organization role named Resource Administrator.

      image.png

      Configure this custom role with permission for Resource Pack Management.

      image.png

  2. Assign the ETL Engineer and Resource Administrator roles to Sam.

    • On the Workspace Management > Workspace Members and Information page, change Sam's role from Workspace Developer to ETL Engineer.

      image.png

    • On the User Management page, change Sam's role from Organization Administrator to Resource Administrator.

      image.png

Now, at the organization level, Sam can only manage and publish resource packs for production. At the workspace level, he can only perform data development tasks like cleaning and processing data within the designated workspace.

image.png

Use case 3: Intelligent O&M Engineer

This section describes how to use a custom role to grant Intelligent O&M permissions to an employee, ensuring they can perform BI system analysis within the appropriate scope.

Background

Suppose Chris is responsible for your company's system operations and maintenance. He needs to regularly monitor the BI system and analyze performance logs. However, he should not have access to business data. You can create a custom role for him that grants only Intelligent O&M permissions.

Procedure

  1. Go to Organization Management > User Management > Role Management and click the image.png icon to create a custom organization role. You can then set a role name, such as Intelligent O&M Engineer.image.pngimage.png

  2. Select the newly created Intelligent O&M Engineer role. In the function permissions list, select the Intelligent O&M permission. Users with this role can then view all operational data in the organization, including audit data and lineage analysis.image.png

  3. In User Management, find the user Chris and assign them the new Intelligent O&M Engineer organization role.image.png

  4. Log in to Quick BI as Chris. In Organization Management, he can now see the Intelligent O&M features, including Monitoring and Inspection, Audit Logs, Statistical Analysis, Performance Analysis, and Lineage Analysis.image.png

Permission priority

This section explains the logic of permission priority through two scenarios.

Note

Permission priority

  • Function permissions act as a master switch that determines if you can use a feature module (e.g., dashboards). If you lack the function permission for a module, you cannot access it, regardless of your resource permissions.

  • Resource permissions control your access to specific items (e.g., individual dashboards) within a module. Even if you have the required function permission, you can only interact with the resources to which you have been granted access.

  • Scenario 1:

    • Current permissions: Alex is a member of Workspace A. He has the General User organization role and the Workspace Developer role. This allows him to see all feature modules in Workspace A and create or edit dashboards, spreadsheets, Data Screens, data sources, datasets, and other assets.

      image.png

    • Permission change

      • An Organization Administrator creates a new workspace role named No Dashboard Permission. This role does not have New (Edit) or View permissions for the dashboard module.

        image.png

    • On the Workspace Members and Information page, Alex's role is changed from Workspace Developer to No Dashboard Permission.

    • Now, Alex can no longer see the dashboard entry in Workspace A or perform any dashboard operations. His previous access to dashboard resources in the workspace is revoked.

      image.png

Therefore, function permissions take precedence over workspace resource permissions.

  • Scenario 2:

    • Current permissions

      • Alex is a member of Workspace A. He has the General User organization role and the Workspace Analyst workspace role.

      • He can see all modules in Workspace A but cannot operate on data sources. However, he has Use and View permissions for datasets. He can only manage reports that he creates.

        image.png

      • Separately, Alex has been granted Edit permission for three reports created by another user, Zhang, in Workspace A.

    • Permission change

      • On the Workspace Members and Information page, Alex's role is changed from Workspace Analyst to a custom role named Dashboard Administrator.

      • The Dashboard Administrator role has the following function permissions.

        image.png

      • Now, Alex can only see the dashboard module in Workspace A. Within that module, he can manage his own reports and the three reports he was granted access to from Zhang.

        image.png

Therefore, function permissions are constrained by workspace resource permissions.