Workspace administrators can control access to features of a model via the Users pane and model Contents.
You can control user access at the tenant, workspace, and model level.
From Administration, tenant administrators assign administration roles. Users with administration roles control access within a tenant.
You can control access to a workspace both from Administration and within a model. User administrators provision user access to a workspace from Administration. Workspace administrators add users within a model and control access to model content.
You can manage user access to workspaces in three ways:
- A user administrator can create users, add them to workspaces, or delete them from workspaces in Administration.
- A workspace administrator can add or remove users from the Users pane in a model.
- A workspace administrator can import a list of users to add users and update user details in a model.
If a user administrator and workspace administrator input user changes that conflict, the most recent transaction determines the user account status.
To avoid user status conflicts, we recommend that your organization use the User Administrator role to add or remove users. Workspace administrators can then refine model-level access from the Users pane in a model.
Note: If a tenant administrator turns on the user management switch in Administration:
- Only user administrators can add or remove users from the Internal page in Administration. They can also invite or remove visiting users from the Visiting page in Administration.
- Workspace administrators can't add or remove users from within models. They also can't add users through an import. However, they can run an import to update user attributes.
Access within a model
In a model, you're either a workspace administrator or an end user.
Some model features are only available to workspace administrators, and they control the level of access for other users. Workspace administrators can:
- Add users to a workspace
- Remove users from a workspace
- Assign access to other features of the model via model roles, Selective Access, and model Contents
- Designate other workspace administrators
- Control exceptions to Single Sign-on for users
- Import a file containing user account data
- Export user information
Most user access in models is defined by model roles. These enable you to manage the access for users who perform the same business function and share common data access needs. You can also set landing dashboards and the order of model Contents, so users view the most relevant data first.
As you plan how to control access to your model, follow a process flow:
- Create model roles that align with business functions that share common data needs.
- Assign module, version, list, and action permissions to your model roles.
- Specify a landing dashboard for each model role.
- Select the content to display in the Contents panel.
When you need to apply more specific control you can then use Selective Access to restrict access to lists and list items on a user-by-user basis.
