---
title: "Create Access Rights Metric and Rules in Pigment for Secure Permission"
slug: "create-access-rights-metric-rules"
description: "Set up access rights Metrics and rules in Pigment to manage data access in your model using Block Explorer or the wizard for enhanced security and control."
tags: ["Access Rights", "Access Rights Rules", "Metric Configuration"]
updated: 2025-11-25T09:07:30Z
published: 2025-11-25T09:07:30Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://kb.pigment.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create an Access Rights Metric and Rules

There are two methods for creating an access rights Metric:

1. in Block Explorer
2. in the access rights configuration wizard

These are both explored in this article. To complete your access rights Metric set-up, you also need to create access rights rules. These rules define the areas within your model where data access should be applied or ignored. See [Create Access Rights Rules](/v1/docs/create-access-rights-metric-rules#create-access-rights-rules) for more information.

### Create an access rights Metric in Block Explorer

For this method, you create a Metric in Block Explorer like any other Metric in Pigment. However, an access rights Metric has specific requirements, as described below.

> [!NOTE]
> ℹ️ **Note**
> 
> Need a refresher on creating a Metric? Take a look at [Measure What You Need with Metrics](/v1/docs/measure-data-metrics).

1. In Block Explorer create your Metric with the following criteria:

> [!NOTE]
> ℹ️ Note
> 
> When your new access rights Metric opens, all values are displayed as `No Read/ No Write` . These are in fact blank values. Even though you see text in these cells, these can be hidden if you select the [Hide empty rows and columns](/v1/docs/filter-data-pigment) option in the Filter panel.

Next, you need to create access rights rules, specifying where in your model data access should be applied or ignored. When you create a Metric in Block Explorer, you need to locate your access rights Metric in your Application Settings.
  - **Data type.** Access rights
  - **Dimension.**
    - Select the **User Dimension**. This must be present so you have different security settings for different users.
    - You also need to select the Dimension to which you’re applying your security. For example, a Dimension called Department, Country, and so on.
2. In your Application, go to **Roles, permissions and access**, and open the **Data access rights** tab.
3. Find and hover over your new access rights Metric, and click **Apply configuration.** The **Apply…** pane opens. It displays the new access rights Metric, and its prepopulated values `No Read/No Write`.
4. Select the required data access rights for each Member.
5. When you’re finished assigning the Member access rights, click **+ Add a rule to apply the configuration.**
6. Create rules for your access rights Metric. This is described below in [Create Access Rights Rules](/v1/docs/access-rights-metrics-rules).

### Create an access rights Metric in the access rights configuration wizard

You can also create an access rights Metric using the access rights configuration wizard. It also enables you to create Access Rights rules, specifying where in your model data access should be applied or ignored.

1. In your Application, go to **Roles, permissions and access**.
2. Open the **Data access rights** tab and click **+ Add access rights.**
3. Click **+ Create a new configuration.**
4. Select the Dimensions to which you want to assign access rights. The User roles Dimension is already selected for you.
5. Click **Configure Access**. The **Step 1/2: Assign access rights** pane opens. It displays the new access rights Metric, and its prepopulated values: `No Read/No Write`
6. Select the required data access rights for each Member.
7. When you’re finished configuring the Member access rights, click **Continue to Step 2.**
8. The **Step 2/2: Apply this configuration to your model** pane opens. This is where you create a rule (or rules) to apply your data access right configuration to specific areas of your model.
9. Create rules for your access rights Metric. This is described below in [Create Access Rights Rules](/v1/docs/access-rights-metrics-rules).

### Create access rights rules

After you create access rights Metric from Block Explorer or from the access rights configuration wizard, you need to create a rule (or rules) to apply your data access configuration to specific areas of your model.

1. Select `Apply` or `Ignore.` This determines if the access rights rule is used to apply the Metrics configuration to data, or if it’s used to remove your access rights configuration from data. For example, if you select only `Read` access for a rule type, the `Write` value is ignored in your Metric, regardless of how the Metric is configured.
2. Select `Read accesses`, `Write accesses`, or `Read &amp; Write accesses` .
3. Define to which Blocks in your Application the rule applies or does not apply:
  - **Specific Metric(s).** Select one or more Metrics that contain the Dimensions used in your access rights Metric.

If you created an access rights Metric that used the User list and the **Country** list, you could select **Specific Metric(s)** that contained the **Country** list.
  - **Specific List**. Select one List on which these access rights should apply.

This rule can be applied on all Properties of this List or only on specific Properties. For example, you can specify access rights for the **Annual Salary** Property belonging to the Employee List.
  - **All Metrics using specific Dimension(s).** Assign this rule to all present and future Metrics that contain Dimensions used in your access rights Metric. For example, if your access rights Metric contained a Dimension called Department, then this rules is applied to all Metrics containing the Department Dimension.
  - **List Items values.** This rule filters out values in the List according to the access rights Metric. It allows you to protect data in List based on its Properties.

This rule can be applied to all Properties of this List or only on specific Properties.

For example, you can set `Read` access on an Annual Salary property based on a Dimension formatted Country Property. This allows certain Members to view some Salaries depending on the Country Property.
4. Enter a name for your new rule. We recommend that you give your rule a name that describes its purpose. For example: *Restrict employee access to salary data.*
5. *(Optional)* Click **+ Add another access right rule** to add more access rights rules.
6. Click **Save configuration** when you’re finished.