You can control user access at the tenant, workspace, and model level.
From Administration, tenant administrators assign administration roles. Users with administration roles control access within a tenant.
You can control access to a workspace both from Administration and within a model. User administrators provision user access to a workspace from Administration. Workspace administrators add users within a model and control access to model content.
Note that you can manage user access to workspaces in three ways:
- A user administrator can create users and assign them to, or unassign them from, a workspace in the Administration console.
- A workspace administrator can add or remove users from the Users pane in a model.
- A workspace administrator can import a list of users to add users and update user details.
If a user administrator and workspace administrator input conflicting changes for a user, the most recent transaction determines the user account status.
To avoid user status conflicts, we recommend that your organization use the user administrator role to provision user access. Workspace administrators can then refine model-level access from the Userspane within a model.
Access within a model
In a model, you're either a workspace administrator or an end user.
Some model features are only available to workspace administrators, and they control the level of access for other users. Workspace administrators can:
- Add users to a workspace
- Remove users from a workspace
- Assign access to other features of the model via model roles, Selective Access, and model Contents
- Designate other workspace administrators
- Control exceptions to Single Sign-on for users
- Import a file containing user account data
- Export user information
Most user access in models is defined by model roles. These enable you to manage the access for users who perform the same business function and share common data access needs. You can also set landing dashboards and the order of model Contents, so users view the most relevant data first.
As you plan how to control access to your model, follow a process flow:
- Create model roles that align with business functions that share common data needs.
- Assign module, version, list, and action permissions to your model roles.
- Specify a landing dashboard for each model role.
- Select the content to display in the Contents panel.
When you need to apply more specific control you can then use Selective Access to restrict access to lists and list items on a user-by-user basis.