Role-Based Database Credentials
Role-based credentials can be used to restrict access to certain tables, or even certain rows or columns within a table, based on a user's role.
All Hashboard data connections can be optionally configured to use additional credentials which can be assigned to users on a per-role basis. This enables you to control what data Hashboard users can access when viewing models, saved explorations, and dashboards built from the same data connection.
Adding credentials
- First, create a database connection. The credential specified in the top-level of the database connection form is the default credential.
If a user doesn't have any specified credentials within their roles, they will use the default credential for the data connection. Default credentials are also used in public links.
We recommend making your default credential the most restrictive credential. Make sure your default credential doesn't allow access to sensitive data that you would not want accessible to all users in your organization.
-
At the bottom of the data connection form, in the section for Role-based credentials, click Add credential.
-
Give the credential a unique and descriptive name, as it will be used to assign to roles later on.
-
Fill out the credential fields.
-
Make sure to Test the credentials before saving to ensure they are connecting properly. If your credentials connect, you'll see a check mark. Otherwise, you'll see an error message.
-
Finally, click Save.
Credential fields
The fields for a role-based credential depend on which data warehouse you're connecting to.
-
Snowflake: User, password, and role are required.
-
BigQuery: JSON key is required.
-
PostgreSQL/Redshift: User and password are required.
-
MySQL: User and password are required.
-
Athena: AWS Access Key ID and AWS Secret Access Key are required.
-
ClickHouse: User and password are required.
-
MotherDuck: Service token is required.
Assigning credentials to roles
Once you've created your credentials, you can assign them to a Hashboard role. For information about how to set up and assign roles, see Managing users and roles.
-
Navigate to the People page.
-
Scroll down to Roles and find the role you want to assign a credential to.
-
Click the Edit icon. You'll see a list of Permission Rules.
-
Click to edit the Permission Rule you'd like to add the credential to, or click Add Permission Rule to create a new one.
-
In the Permission Rule editor, you'll see a section for Role-based credentials. Click the Add button to the right.
-
Select the data connection you want to assign a credential to. You'll see a list of credentials you've created for that data connection.
-
Select the credential you want to assign.
Users cannot have multiple credentials for the same data connection. Assigning a user multiple roles that specify different credentials for the same data connection will result in an error.