[Yandex Cloud documentation](../../index.md) > [Yandex DataLens](../index.md) > [Access management](index.md) > Access to data rows

# Row-level security (RLS)

RLS (_row-level security_) enables you to restrict data access for users or [user group](../../organization/concepts/groups.md) within a single dataset. For example, you can introduce data access control for different customers.

{% note warning %}

* When using RLS, restrict access to the connection by using the `Execute` permission. This will prevent changes to row access permissions and restrict access to opening the preview window and creating a new dataset based on the connection.

* RLS only supports access control for row values.

* The RLS limits apply to whole rows, not just the fields used to configure access control.

{% endnote %}

You can introduce row-level access control either in a [dataset](#dataset-rls) or a [data source](#datasource-rls).

## Configuring RLS at the dataset level {#dataset-rls}

You can control access to any dataset dimension. Each [user](#user-rls) or [user group](#group-rls) can be granted permissions for an unlimited number of measure values.

With RLS, a query to a dataset passes through the following filter:

```sql
where dimension in (value_1, value_2 ... value_N)
```



### User access {#user-rls}

For users, access control is based on the access configuration which looks like this:

```yaml
'value_1': user_1, user_2
'value_2': user_3
'value_3': user_1, user_2, user_3
```

For example, to configure `user-login` access to all rows with the `first-company` value in the `Company name` field, [set the following configuration](#how-to-manage-rls):



```yaml
'first-company': user-login@yandex.ru
```

{% note info %}

If your [organization](../concepts/organizations.md) has an [identity federation](../../organization/concepts/add-federation.md) configured, your domain name may be different from `yandex.ru`. If so, specify your domain name.

{% endnote %}


To configure access for multiple users, list their accounts in the access configuration separated by commas:



```yaml
'first-company': user-login-1@yandex.ru, user-login-2@yandex.ru, user-login-3@yandex.ru
```


### Access for user groups {#group-rls}


For user groups, access control is based on the access configuration which looks like this:

```yaml
'value_1': @group:group_1_name
'value_2': @group:group_1_name, @group:group_2_name
```

The configuration specifies the group name rather than its identifier. If a group is renamed, you will need to update its RLS configuration accordingly.

For example, to configure `group-name` user group access to all rows with the `first-company` value in the `Company name` field, set the following configuration:

```yaml
'first-company': @group:group-name
```



To configure access for multiple user groups, list them in the access configuration separated by commas:


```yaml
'first-company': @group:group-name-1, @group:group-name-2, @group:group-name-3
```



You can configure access for users and groups at the same time:


```yaml
'first-company': user-login-1@yandex.ru, user-login-2@yandex.ru, @group:group-name-1, @group:group-name-2
```

{% note info %}

If your [organization](../concepts/organizations.md) has an [identity federation](../../organization/concepts/add-federation.md) configured, your domain name may be different from `yandex.ru`. If so, specify your domain name.

{% endnote %}



### Wildcards and quotation marks in RLS configuration {#special-}

You can define values, users, and group names using wildcard characters:

* `User_1`, `user_2`, and `group_1_name` can access all the field's values

  ```yaml
  *: user_1, user_2, @group:group_1_name
  ```

  For example, to configure access to all rows with any value in the `Company name` field, set the following configuration:


  ```yaml
  *: user-login-1@yandex.ru, @group:group-name-1
  ```


* `value_1` is available to all users and groups

  ```yaml
  'value_1': *
  ```

  For example, to allow all users to access all rows with the `first-company` value in the `Company name` field, set the following configuration:

  ```yaml
  'first-company': *
  ```

Quotes in values are set using double quotes:

```yaml
'value in ''quotes''': user_1, user_2
```

For example, to set quotation marks for the `first-company "Example"` company name in the `Company name` field, specify the following configuration:


```yaml
'first-company ''Example''': user-login-1@yandex.ru, @group:group-name-1
```


You can also use the `"` character:


```yaml
'first-company "Example"': user-login-1@yandex.ru, @group:group-name-1
```



## Configuring RLS at the data source level {#datasource-rls}

Configuring RLS at the dataset level requires editing the datatset every time the RLS settings change.

To avoid this, you can move the row-level security logic to the data source side:

1. Add a new field for storing the DataLens user ID to the source data. All requests to the source will be filtered by this field.

   
   
   Use [this link](https://center.yandex.cloud/organization/users) to look up your ID. If you need another user's ID, ask them to open the link and send you the ID.



1. For each source data row, specify the ID of the DataLens user who should get access to this row. If multiple users must have access to the same row, you can move the access control logic to a separate table and [join](../dataset/settings.md#multi-table) it to the main table at the dataset level.


1. In the dataset RLS setting, enter `userid:userid` in the ID field. The `userid` variable can be used together with the regular RLS type in the dataset:

   ```yaml
   'value_1': user_1, user_2
   'value_2': user_3
      userid:userid
   ```


{% note info %}

You can transfer the RLS logic to the source side for sources where the data structure can be changed. In Yandex Metrica and AppMetrica, the data structure is closed, so this method is not available.

{% endnote %}

## How to change permissions to a row in a dataset {#how-to-manage-rls}

To configure access permissions to data rows:


{% list tabs %}

- In the dataset

  1. Open the dataset.
  1. Navigate to the **Fields** tab.
  1. On the right side of the row, click ![image](../../_assets/console-icons/ellipsis.svg) and select **Access permissions**.
  1. Enter the value of the field and users in the specified format and click **Save**.

      ```yaml
      'value_1': user_1, user_2
      'value_2': user_3
      ```

      For example, to configure access to all rows with the `first-company` value in the `Company name` field:

      
      ```yaml
      'first-company': login-to-access-your-row-data@yandex.ru
      ```


  1. Save the dataset.

- In the source

  1. In the source, add a field with the DataLens user IDs to use for filtering. You can add this field to a new table and join it using the `JOIN` operator.
  1. Add a field with user IDs to the dataset:
     
     * If you added a field to an existing table, go to the **Fields** tab in the dataset and click **Update fields** at the top of the screen. The user ID field will appear in the list.
     * If you added a field to a new table, join it using the `JOIN` operator. To do this, go to the **Sources** tab in the dataset and drag the new table to the workspace. The table will be automatically linked with the existing table. If required, edit the [link](../dataset/create-dataset.md#links) between the tables and [remove](../dataset/create-dataset.md#field-operations) duplicate fields left after the join.

  1. Configure field access permissions:
     
     1. In the dataset, go to the **Fields** tab.
     1. Find the field with user IDs. On the right side of the row, click ![image](../../_assets/console-icons/ellipsis.svg) and select **Access permissions**.
     1. In the access permissions settings, add `userid:userid` to the field and click **Save**.

  1. Save the dataset.

  {% cut "Example" %}

  Let's create a dashboard based on sales data by four regions (West, East, North, and South). Regional managers should only have access to their own data, while the company's CEO, to all data.

  1. Define DataLens user IDs.
  1. In the source, create a table named `MANAGER_ID`, where the region is mapped to the user ID. If a single ID is associated with multiple regions, add all unique pairs:

     | REGION | MANAGER_NAME | MANAGER_ID        |
     |--------|--------------|-------------------|
     | West  | Arkady      | 19287318273912873 |
     | East | Vassily      | 92877912837318927 |
     | North  | Olga        | 02993284928374346 |
     | South     | Dmitry      | 10836293849237642 |
     | West  | Maxim       | 71726123712891283 |
     | East | Maxim       | 71726123712891283 |
     | North  | Maxim       | 71726123712891283 |
     | South     | Maxim       | 71726123712891283 |

  1. Open the dataset and add the new table: on the **Sources** tab, drag the table to the workspace.
  1. Make sure the `JOIN` is based on the `REGION` field.

     ![image](../../_assets/datalens/security/rls-join.png =403x205)

  1. Based on the `MANAGER_ID` field, customize RLS and add `userid:userid`.

     ![image](../../_assets/datalens/security/rls-userid.png =364x187)

  Each user will only see data for regions they have access to.

  To change the access permissions, update the data in the source table.

  {% endcut %}

{% endlist %}