Row-Level Permissions
When multiple departments or roles share the same analysis domain, you may not want everyone to see the full dataset — a sales rep in the North China region should only see North China data, and a store manager should only see data for their own store. Row-level permissions let you define each user's visible data range without splitting data tables or creating multiple analysis domains.
Feature Overview
Row-level permissions work by configuring filter rules that restrict users to only the data rows that meet specified conditions. Once a rule takes effect, queries generated by the Agent automatically include the corresponding filter conditions, transparently to the user. For example, when both a North China user and a South China user ask "What are this year's orders?", the North China user sees only North China data and the South China user sees only South China data.
Configuration Process
| Step | Demo | Logic Description |
|---|---|---|
| 0. Feature entry |  | |
| 1. Define permission rule |   | Specify the data table and filter field for the permission rule 1. Go to the "Row-Level Permissions" page 2. Click the "+ Define New Row-Level Permission" button in the upper right 3. Enter the permission rule name 4. Select the data table to control 5. Select the field enum (static data) or expression (for dynamic data retrieval) for filtering 6. Save the rule |
| 2. Configure permission scope |   | Apply the permission rule to specific users and set their accessible data scope 1. In the permission rule list, select the created rule 2. Add the users to apply the rule to 3. Set the accessible field values for each user 4. Save the configuration |
Permission Effects
| Scenario | Data Visibility Scope |
|---|---|
| No row-level permission configured | Users can view all data in the data table |
| Row-level permission configured | Users can only see data within the permission scope |
Example
Taking the Hong Kong food and beverage industry as an example:
-
Before configuration: Users can view order data from 2018 to 2025
-
After configuration (accessible years set to "2022, 2023"): Users can only see order data for 2022 and 2023
Notes
1. Use meaningful names for permission rules (e.g., "North China Region Data Permission") for easier management
2. After row-level permissions take effect, query results generated by the Agent are automatically filtered by the permission scope
3. A user can be covered by multiple permission rules; verify that the combined data scope meets expectations
4. Permission rule changes take effect immediately; no restart or additional operations are required
5. It is recommended to periodically review permission configurations to ensure consistency with business requirements
Related Documentation
- Configure Row-Level Permissions — Detailed guide for permission point definitions and user authorization
- Governance Overview — Permission layering, domain isolation, and audit closure
- Metrics and Answer Builder — Relationship between metric configuration and row-level permissions