The Everyone Group

Hi,

I’m trying to give different tenants access to content within the global folder by setting up a group, and then adding this group against the dashboard I need that group to have access to. However the dashboard is only made available when I set “Allow” for all settings within the “Everyone” group and this then makes it appear for every single tenant and every single user attached. Not the outcome I need.

The everyone group as a default security permission seems a bit counter-intuitive won’t this counteract all other groups associated with that dashboard?

Best,

Jack

Hi Jack,

If you only want certain tenants to have access but not everyone, the best thing to do would be to remove (not deny) any privilege assignments from the project for the Everyone group. Then, start adding privilege assignments only for those who should have access. If you want all accounts from a specific tenant to have access, you can grant it to the “Tenant Members” group corresponding to that tenant.

In order for a user to be able to find and view dashboards in a project, you would typically only need to allow the “Read” and “List Folder Contents” privileges.

Hope that helps,
Rob.

Rob,

Is it possible to remove privilege assignments from the everyone group at the dashboard level instead of the project level? I have one dashboard in a project that I want to restrict access to, and I can’t figure out how to do that, since deny takes precedence over allow and currently the everyone group inherits the allow privilege from the project. I want to only allow a certain subset to see the dashboard.

You can certainly deny object privileges (read, write, etc.) at the dashboard level. But remember, even though “deny” takes precedence over “allow”, administrators implicitly have access to everything, regardless of any “deny” privilege, so make sure you’re testing with a non-admin user.

Hope that helps,
Rob.

I guess my question is how do I allow a certain group read privilege and deny everyone else, at the dashboard level, given that deny takes priority? The only way I could see to do it is to create a group that is “everyone except those I want to see the dashboard” and deny them access. I get that I can see everything as an admin, and have been attempting to test with a user, but that makes the process more cumbersome, as I have to try changing a setting, testing with the user that it works, then rinse and repeat when it doesn’t work, so I’m trying to figure out the best way to do it.

The best practice here is not to use Deny at all. Rather, remove the “Allow” from the “Everyone” group, and then allow it to a group containing the people who you want to see the dashboard.

Anyway, it’s usually simpler to do things that way - that is, only grant/allow the privilege to the people that need it (ideally groups).

If you’re frustrated testing with a non-admin user, I would suggest having another browser open (either a different browser, or an “incognito”/private browsing window if using the same browser). That way, you can be logged on as an admin and a regular user at the same time.

2 Likes