Resource Permissions Overview
Overview
What Is a Resource?
In Guandata BI, a resource refers to the various types of analytical content created or uploaded by users, as well as the organizational structures used to manage that content. Examples include Dashboards, Data Screens, Datasets, Dashboard folders, and Dataset folders.
What Are Resource Permissions?
Resource Permissions are used to control which resources a user can view and what operations the user can perform on those visible resources.
By configuring resource permissions properly, administrators can finely control how users access and operate on different resources, improving both data security and collaboration efficiency.
Resource Permission Types
For each resource such as a Dashboard or Dataset, as well as resource folders such as Dashboard folders, the system supports different resource permission types. These permission types determine what operations users can perform on the resource. For detailed behavior, see Resource Permission Details.
| Permission Type | Definition | Notes |
|---|---|---|
| Owner | Has full permissions on the resource, for example modifying dashboard or Dataset content, creating or deleting cards, adjusting card layout, and editing fields in cards | If the user is an administrator, they always have full permissions on the resource, regardless of whether they are the owner or only a viewer |
| Viewer / User |
| If the user is an administrator, they always have full permissions on the resource, regardless of whether they are the owner or only a viewer |
| Exporter (not available for folders) | Export permissions can be globally controlled in Admin Center > System Settings > General Settings > Export.
|
Resource Permission Authorization Methods
This section introduces authorization methods only. For step-by-step operations, see Resource Permission Details.
Single-Resource Authorization
Configure permissions directly for users or user groups on a specific resource. This is suitable for personalized and precise permission assignment.
Configuration entry points
Admin Center > Resource Management > Resource Permission Management, then select a resource for authorizationAdmin Center > Users / User Groups > Permission Information > Resource Permissions- Click the
Permission Managementbutton on a page, Dataset, or folder
Batch Authorization Based on Folders
Batch authorization is used to manage distributed data resources in a unified way. Since large numbers of Datasets and Dashboards are typically organized into folders, and resources in the same folder are often accessed by the same users, folder-based batch authorization makes permission management more efficient.
- For pages and Datasets in the same folder, once a batch authorization list is configured on the folder, it can take effect for all resources inside it.
- If a page or Dataset requires separate control, it can be configured not to inherit the batch authorization list from its parent folder.
In the current version, only Dashboards, Data Screens, and Datasets support batch authorization. If you need support for more resource types, please contact your Guandata representative.
Folder permission inheritance rules
- Permissions must be revoked at the same level where they were granted. For example, if User A obtains access to a Dashboard, Data Screen, or Dataset through batch authorization, that permission must also be revoked from the batch authorization entry rather than directly from the page or Dataset.
- Inheriting from the parent folder means inheriting from the nearest parent folder with a batch authorization setting. For example, suppose folder
F1 Sales Departmentcontains subfolderF2 East China Sales Group, andF2contains dashboardP3 East China Target Achievement:- If F1 has batch authorization and F2 does not, then when P3 is set to
Inherit from Parent, it inherits F1's batch authorization. - If both F1 and F2 have batch authorization, then when P3 is set to
Inherit from Parent, it inherits F2's batch authorization.
- If F1 has batch authorization and F2 does not, then when P3 is set to
Configuration entry points
Admin Center > Resource Management > Resource Permission Management, then select a folder for batch authorization- Click the
Batch Authorizationbutton on a folder
Resource Permission Authorization Rules
To standardize resource permission management, the system also provides resource permission authorization rules that control which users can grant permissions and the scope of recipients.
Entry: Admin Center > User Management > Permission Rules
Scope of Authorization Recipients
There are three recipient scope options:
- Allow authorization to all user groups and users. Regardless of whether this option is selected, administrators can always authorize all users and user groups.
- Allow authorization only to the current user's own user group, users in that group, child user groups, and users in those child groups. This applies when the current user is a normal member or a group administrator. The visible range in the permission list is limited to the current group, its users, and its child groups.
If the target exceeds the allowed scope, the platform shows an error. - Allow authorization only to the user groups managed by the current user, as well as their users and child groups. This applies when the current user is a group administrator. The visible range in the permission list is limited to the managed groups, their users, and their child groups.
If the operator is only a normal user, authorization is not allowed.
Types of Authorization Recipients
The system can also restrict whether resource permissions may be assigned to user groups. If assignment to user groups is disallowed, you can add exceptions in a whitelist. Users in the whitelist are still allowed to assign permissions to user groups.
- If assigning permissions to user groups is allowed, user groups can be searched directly on the permission configuration page.
- If assigning permissions to user groups is not allowed, only individual users can be searched on the permission configuration page.