Every Pigment Application has specific Roles with assigned permissions and access rights. This article explains where you can configure these in Pigment, and introduces you to the concepts of Roles, permissions, and data access rights. Data access rights are assigned in a Role while specific access rights require you to set up new Metrics.

⚠️ Important
Members with a Primary Owner, Security Admin or Workspace Admin account type can manage Role settings.
Only these account types are authorized to add and remove Members, and to change Member permissions and access. Pigment Support does not have the authority to perform these actions.
Where are the Roles, permissions and access settings?
In your Application, select the three-dot Settings menu in the sidebar.
Select Roles, permissions & access.
The Roles, permissions & access settings are divided into the following sections:
Overview
The Overview page summarizes key details, including the total number of Members and Roles in the Application. It also allows you to invite new Members and shows the Application Owner.
The Application Owner automatically holds the Admin Role. The Owner is the only Member who can delete the Application. Workspace Security Admins can transfer or manage Application ownership.
Depending on your account type, the page also provides some or all of the following Member and Role information:
Application’s Members. The number of Members who have been invited to this particular Application.
Security. The number of different Roles in the Application.
Owner. Members with the Define Application Security permission can update the owner, while those with the Security Admin Account Type can manage ownership across the Workspace. To give members access to an Application, you need to invite them and assign a Role.
Members. A list of which Members have been invited to this particular Application.
Role. The Role which has been assigned to each invited Member.
Roles
The Roles page provides an overview of the different Roles for your Application. You can also add and edit Roles, edit associated permissions and access rights, and invite Members to Roles. Use the default Roles as the basis for creating Roles for your organization or create Roles from scratch.
By default, there are five Pigment Roles:
Admin. All permissions are applied to this Role, allowing the Member to perform all Application-level functions.
Contributor. Designed for Members who will be interacting with data, this Role focuses on inputting actions.
Designer. Focused on the creation of the end-user experience, this Role allows for Board-specific creation actions.
Modeler. Designed for Application builders. All actions are allowed except Security configuration and Block update history.
Reader. Designed for those who only need to read data on Boards; all other actions are denied. This is the only Role with Write access turned off, meaning that Members can read data but cannot write it.
It also provides the following detailed information on Members, permissions, and access rights:
Members. Shows how many Members are assigned to each Role. When assigning Members through Groups, Members can have only one Role per Application. For more information, see Add and Switch Member Accounts in Pigment.
Permissions. Indicates the number of Application and Blocks permissions tied to the Role. Hover over the Permissions column to see specific permission names.
Boards. Shows the default Board permissions for the role.
Read Access. Shows the default read access rights assigned to this Role. For more information, see Introduction to Access Rights.
Write Access. Shows the default write access rights assigned to this Role. For more information, see Introduction to Access Rights.
To manage the Roles’ permissions and default access rights:
Hover over the Role you want to edit. A pop-up appears to the right.
Select the blue pencil from the pop-up.
From the dialog that opens, edit the name of the Role and its permissions and default access rights. See below for more information.
Permissions
These determine the specific actions Members can take, such as viewing, editing, or managing data within an Application or Blocks. When a user is assigned a Role, they automatically receive all the permissions tied to that Role.
Below is a list of all the permissions and their functions:
| Permission Name | Actions Granted |
|---|---|
| Sensitive permissions (see the note below for more information) | |
| Configure Application | Can edit the Application Settings. |
| Define Application security | Can edit Application access and assign Roles. |
| View History | Can view Block and model History, including formula updates and data imports. |
| Formula playground | Allows Members to access and test formulas in the Formula Playground, even if they don't have the Configure Block permission that’s required to create or edit a Metric. |
| Configure Blocks | Allows Members to create Metrics. |
| Application permissions | |
| Display Application | Make an Application visible in the Pigment Workspace. |
| Configure Automations | Can add, edit, or delete Automations. |
| Configure Calendar | Can manage the Application calendar settings. |
| Create & delete folders | Can manage folders for both Blocks and Boards. |
| Create scenarios | Can activate Scenario functionality, create new Scenarios, and make Scenarios read only. |
| Delete scenarios | Can delete Scenarios. |
| AI analysis | Allows Members to access Pigment’s AI tools. Requires activation. See What is Pigment AI? for information on activation and access. |
| Blocks permissions | |
| Open Block Explorer | Can see all the Blocks in the sidebar. |
| Configure Public Views | Can create and edit saved Views of Blocks. |
| Add List Items | Can add Items to Dimension and Transaction Lists. |
| Remove List Items | Can delete Items in Dimension and Transaction Lists. |
| Reorder List Items | Can reorder Items in Dimension and Transaction Lists. |
| Import Data | Can import data into Blocks and can schedule imports. |
| Clone Data | Can clone inputs and overrides data in Metrics. |
| Board permissions | |
| Can configure | Can access the Edit board button to add widgets to a Board. |
| Can comment | Can open and comment on Boards. |
| Can open | Can be restrictively applied to specific Boards through the Security panel. |
ℹ️ Note
Sensitive permissions are those that allow Members to directly or indirectly expose data that is locked via access rights. Therefore, these permissions should only be given to modelers who can be trusted with all the data accessible within the Application.
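A least-privilege review of the sensitive permissions listed above, as an added example that is not Pigment code and does not use a Pigment export format. The role definitions, member addresses and the audit_roles function are constructed for illustration; only the sensitive permission names come from the table on this page.

```python
# Permission names copied from the "Sensitive permissions" rows of the table.
SENSITIVE = {
    "Configure Application",
    "Define Application security",
    "View History",
    "Formula playground",
    "Configure Blocks",
}

def _norm(name):
    """Case- and whitespace-insensitive key for comparing permission names."""
    return " ".join(name.lower().split())

_SENSITIVE_KEYS = {_norm(p): p for p in SENSITIVE}

def audit_roles(roles, members, trusted_roles):
    """List roles outside trusted_roles that hold any sensitive permission.

    roles:   {role name: [permission names]}   (hypothetical structure)
    members: {member: role name}               (hypothetical structure)
    """
    findings = []
    for role, perms in sorted(roles.items()):
        if role in trusted_roles:
            continue  # roles reserved for people trusted with all data
        held = sorted({_SENSITIVE_KEYS[_norm(p)] for p in perms
                       if _norm(p) in _SENSITIVE_KEYS})
        if held:
            exposed = sorted(m for m, r in members.items() if r == role)
            findings.append({"role": role, "sensitive": held, "members": exposed})
    return findings

# Constructed sample data: custom roles typed by hand from the Roles page.
ROLES = {
    "Modeler": ["Configure Blocks", "Formula playground", "Configure Application"],
    "FP&A Analyst": ["Import Data", "Clone Data", "formula  playground"],
    "Regional Viewer": ["Display Application", "Can open"],
    "Board Builder": ["Can configure", "Configure Public Views", "View History"],
}
MEMBERS = {
    "ana@example.com": "FP&A Analyst", "zoe@example.com": "FP&A Analyst",
    "raj@example.com": "Board Builder", "lee@example.com": "Regional Viewer",
    "kim@example.com": "Modeler",
}

if __name__ == "__main__":
    for f in audit_roles(ROLES, MEMBERS, trusted_roles={"Admin", "Modeler"}):
        print(f"{f['role']}: {', '.join(f['sensitive'])} -> {', '.join(f['members'])}")
```

Each finding is a Role whose Members can reach data that access rights would otherwise lock, so either remove the permission from the Role or confirm those Members are trusted with all data in the Application.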
Read & Write data access
See Introduction to Access Rights for full information.
Board access
The Board access page is where you view which Members have access to your Application’s Boards, and their respective permissions.
Only Members with the Define Application Security permission can edit the Board access page. For example, they can add a new Metric to apply permissions on each Board.
Additionally, these Members can limit certain Board functionalities for Members with the Can comment and Can open permissions. These functionalities include Block exploration and View customization.
For more information, see Use Board Permissions to Grant Board Access.
Board access configuration
The Board access configuration page lets you add an extra layer of control to your Board access.
Application homepage. Define which Board each Role sees as the Application homepage.
For more information, see Use Board Permissions to Grant Board Access.
Additional Board permissions. Use Permission Metrics to add rules for specific Boards. These rules will apply on top of Roles’ default permissions.
For more information, see Additional Options.
Data access rights
The Data access rights page allows you to define how Members can interact with data. Specifically, which Members can access which datasets, ensuring that sensitive information remains secure. See Introduction to Access Rights for full information.
Public Blocks
This displays all the Blocks that have the Data visibility management setting set to Public. This option is located under Access Rights in each Block’s settings. When enabled, it overrides all other access rights configurations and allows all Members with access to the Application to read data in that Block.
ℹ️ Note
Inherited Access Rights still apply.