Sigma has a team-based permission model, where access to the database connections is determined by which teams an Organization Member is part of, as well as their role in the organization. Planning how you want permissions set up before you start inviting members and creating teams will save time in the long run.
When planning out your teams, keep in mind that in Sigma all permissions are additive. What that means is that if you grant the default team “All Members” Author permission to a database, every member will have access to the connection. You can’t create a team that takes away database access permissions.
Similarly, it means that if an Org Member is in one team that grants them permission to Author Worksheets on a database connection, they will be able to create Worksheets in all the teams that they are a member of. If someone is designated an Organization Admin, then they automatically have Admin permissions on all database connections, even if they aren’t in any teams that grant them those permissions.
This permissions model allows for many different ways to set up permissions. Let’s look at a few.
You have one database connection and you want all users to be able to see the connection and Author Worksheets with the data.
When setting up your connection, set the team “All Members” to have Author permissions. Now all members of your organization will be able to view and analyze the data.
You have one database connection. You’d like most users to only see Worksheets that have been created for them, and have those users only be able to create references to existing Worksheets and copies of existing Worksheets. You’d like a handful of people to be able to publish new Worksheets that others can reference.
We can accomplish this easily with teams.
Create a Team called “Publishers”. Add everyone that you would like to be able to author a Worksheet directly.
Next, set up the connection and set the permissions so that the “Publishers” team has Author permissions and “All Members” has Reader permissions.
This setup means that only members of the Publishers team will be able to access the database directly to create new Worksheets. Everyone else will be able to create references to Worksheets they have access to but will not be able to start from scratch.
You have one connection. You want most people to be able to see all of the Worksheets and to Author their own Worksheets, but you have a few people from outside the Organization that you want to see a few Dashboards.
All Sigma permissions are additive, which means you can’t add someone to a team to give them fewer permissions. That means that you can’t use the “All Members” team to give most of your Organization Author access, then take that away from a few. Everyone in your instance has all of the permissions granted to “All Members” and can see all of the Worksheets in your Organization folder.
To separate off the External Users, you will have to manage all members via custom teams.
First create a “CompanyMembers” team and an “External Users” team. Set “CompanyMembers” as Authors on the database connection and “External Users” as Readers. All members of your company will need to be manually added to the “CompanyMembers” team.
All Organization Members can see everything in the Organization folder. That means that your Organization members will need to use Team folders for all internal documents, and ensure that the only things in the Organization Folder are okay to be seen by External Users.
By default, new members of your organization will be able to see that Worksheets exist in the Organization folder, but they will not be able to see any data until you add them to a team, because there are no default permissions set for the “All Members” team.
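The additive rule behind the external-users scenario can be checked with a small model. This is an added example, not Sigma code or its API: the ordering Reader < Author < Admin, the member names and the helper functions are assumptions made for illustration.

```python
# Added illustration: a minimal model of additive team permissions.
# Not Sigma's API; the level ordering and all names below are assumptions.
LEVELS = {None: 0, "Reader": 1, "Author": 2, "Admin": 3}
ALL_MEMBERS = "All Members"  # default team that every member belongs to


def effective_access(member, grants):
    """Return the highest level any of the member's teams grants.

    member: {"teams": set of team names, "org_admin": bool}
    grants: {team name: level} for one database connection
    """
    if member.get("org_admin"):
        return "Admin"  # Organization Admins get Admin on every connection
    teams = set(member["teams"]) | {ALL_MEMBERS}
    best = None
    for team in teams:
        level = grants.get(team)
        if LEVELS[level] > LEVELS[best]:
            best = level
    return best


def over_granted(members, grants, team, intended):
    """List members of `team` whose effective level exceeds `intended`."""
    return sorted(
        name for name, m in members.items()
        if team in m["teams"]
        and LEVELS[effective_access(m, grants)] > LEVELS[intended]
    )


# Constructed sample organization
MEMBERS = {
    "alice": {"teams": {"CompanyMembers"}, "org_admin": False},
    "bob": {"teams": {"External Users"}, "org_admin": False},
    "carol": {"teams": set(), "org_admin": True},
    "dave": {"teams": set(), "org_admin": False},  # new, not yet in a team
}
# Mistake: Author on the default team cannot be taken away by another team
LEAKY = {ALL_MEMBERS: "Author", "External Users": "Reader"}
# Layout from the scenario above: custom teams only, nothing on All Members
SEPARATED = {"CompanyMembers": "Author", "External Users": "Reader"}

if __name__ == "__main__":
    for label, grants in (("leaky", LEAKY), ("separated", SEPARATED)):
        print(label, {n: effective_access(m, grants) for n, m in MEMBERS.items()})
        print("  over-granted:", over_granted(MEMBERS, grants, "External Users", "Reader"))
```

Running the same `over_granted` check against an export of your real team and connection grants is a quick way to confirm that a restricted team does not inherit more than intended through another team.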
You have two database connections. You want everyone to have access to Connection 1, and you want only the managers to be able to access Connection 2.
To achieve this, set Connection 1 permissions so that the default Sigma team “All Members” have Author level access to the connection.
Next, create a team called Managers and add all your managers. For Connection 2, set the access permissions so that Managers have Author access.
If you would like organization members to be able to see the data in the Worksheets created on Connection 2, but not create new Worksheets directly from the connection, you can set “All Members” to have Reader access. That way, if a Manager creates a Worksheet on Connection 2 and places it in the Organization folder, all Organization Members will be able to see the data in the Worksheet.