Inviting Users with Pre-applied Data Permissions

When a user is invited to join a workspace, an invitation is sent to the user who, if interested, can immediately join the workspace. When the user opens the workspace, however, no Data Permissions have been applied by default, which means that the user can see all data in the workspace. As a result, the invitation mechanism is not useful for inviting new users to workspaces where Data Permissions have been applied.

  • A Data Permissions filter is a data access control that pre-filters data returned to any user, based on specified values for an attribute. For more information, see Data Permissions
  • Invitations may be extended through the GoodData Portal or through API calls. An invitation generates a standard welcome email from GoodData, which includes a direct link to accept the invitation.

This article describes a simple way of inviting users into a workspace with predefined Data Permissions. The basic approach is to do the following:

  1. Create (do not invite) a user into the domain, if the user doesn’t already exist.
  2. Apply the Data Permissions filter to the user in the domain.
  3. Invite the user to the workspace.

Steps:

  1. Suppose you are inviting a new user (new-user@example.com) to your workspace.

  2. The Data Permissions filter you wish to apply to this user is the following: /gdc/md/{workspace_id}/obj/{filter-id}

  3. First, you must apply a workspace role to the user. To list all roles in the workspace, use the following API:  /gdc/projects/{workspace_id}/roles

  4. In the returned JSON, retrieve the URI for the role you wish to assign to the user. See User Roles.

  5. Roles should be in the following form:  /gdc/projects/{workspace_id}/roles/{role-id}

  6. Now that you have retrieved the URIs for the Data Permissions filter and workspace role, you can build the JSON to create the invitation:

    {
        "invitations": [
            {
                "invitation": {
                    "content": {
                        "email": "new-user@example.com",
                        "userFilters": [
                            "/gdc/md/{workspace_id}/obj/{filter-id}"
                        ],
                        "role": "/gdc/projects/{workspace_id}/roles/{role-id}",
                        "action": {
                            "setMessage": "Hi, welcome to my project!"
                        }
                    }
                }
            }
        ]
    }
    
  7. Submit this request body as a POST using the following API call: /gdc/projects/{workspace_id}/invitations

If the POST is successful, the invitation is created and delivered to the user via email. When he logs into the workspace, all data in the workspace is filtered according the Data Permissions filter.

  • To verify that the Data Permissions filter has been applied, submit a GET to the following API endpoint:  /gdc/md/{workspace_id}/userfilters

For more information, see Invitations API.