All objects in my Ontology are created via user edits; I don’t use datasets or pipeline builder for anything.
I need to make it so that only certain user groups can see certain ontology objects. I am attempting to use row-level permissions for this, but it would appear that this only works with the “backing dataset”, which right now is completely empty for me.
Is what I am trying to do possible with objects that I personally create as opposed to ones that come from a backing dataset?
Hey @willstone, what you are trying to do is possible. All object types require a backing dataset so that Foundry can at least derive the permissions for that object type. If you don’t define a backing dataset when creating your object type, you’ll just have a permissions dataset with a single primary-key column. Any objects created by user edits won’t show up here.
You can replace this existing permissions dataset with an RV that has the object type’s properties as columns. Define a row-level policy on this RV to restrict which objects certain users can see (objects created by user edits won’t show up in the RV either).
E.g. for an object type called Test, with primary-key, Title, and Species properties:
If you want to restrict based on a property of the current Foundry user, add something like a group id column that gets set when a new object is created, then write an RV policy that checks whether any of the user’s group IDs is in the group IDs for that row.
The thing I was missing was not completely replacing the original backing dataset (with single primary-key column) with the RV entirely.
I’ll add that you don’t have to add columns for all of the other edit-only properties in the new RV backing dataset; all it needs is the primary-key column and the column that you’re using to define permissions (i.e. group-id). You just need to go into the “source” tab for each property and make sure it’s permissioned to the new restricted view (see second screenshot).