User Access, Permissions & Security

Knowi provides a variety of powerful options on user rights, access management and external authentication methods for both internal usage and embedded usage modes.

Please contact your account manager for any questions on mapping out the permissions model to your own enterprise level permissions model.

User Roles

We offer three types of roles by default: viewer, user and admin.

Viewers: Viewers are limited to consuming dashboards. While they can download data associated to widgets and run their own analysis on data they have access to, they cannot save or create their own dashboards. This role also cannot create any data assets, including datasources, queries, agents etc. In addition, they cannot invite or manage other users or groups.

Notice the menu structure on the left is limited.

Users: User roles can

  • Invite other users

  • Create and share dashboards, widgets, queries, datasources, agents

  • Create Email Reports

  • Create and manage Trigger Notifications

  • Create their own groups

  • Set Filters (dashboard or user level)

Example dashboard for a User level role. Note the menu options at the top of the dashboard, as well as on the left.

Admin Users: Admin get all rights to that of the user, plus the ability edit/modify other users and their associated rights.

Team management for an Admin viewer:

User Groups

User groups are logical groupings of users that data related assets (dashboards, queries, datasources, agents) can be shared to. A user can belong to one or more groups.

Groups can be created and modified from the Team Management menu. Example:

Adding Users

Users can be added from the team menu:

  1. Specify the email address, Role and associated Groups to the new user.

  2. Add any optional user filters. User filters enable row level security to filter out data. Read more about User Level Filters.

  3. If Two factor authentication is required, you can set it during the invite (or you can enable it later).

  4. Invite the user. Once the user has accepted the invite, they?ll see all their data assets (dashboards, datasources, queries, agents) shared to them or their group.

Editing Users

Each user can customize their timezone and change passwords. Admin users can also edit user roles, groups, timezones and user filters for any other user.

Login as Users

This option allows Admin users to login into the application on behalf of any foreign user account that they have access to on the administration page. There is a number of restrictions that come along with that feature.

1. user must be authenticated 
2. user must possess a role of ADMIN
3. user can use the feature only providing active customer account
4. user can NOT use the feature on behalf of a foreign account (in a chain)

The 'Login as this user' icon is supposed to be visible on the right hand action bar of the user list.

As soon as authentication is passed the informational banner is attached to the top of the page including basic information of the user account selected.

At any point in time you can release the user account and get back the the original one by clicking on the 'Release user' button, in such a way you will be redirected back to the user administration page.

Two Factor Authentication

For added security, admin users can enable Two factor Authentication, which will send an SMS code to the phone number on record for that user that they must enter before login.


All data assets (dashboards, queries, datasources, agents) are private to the user by default, unless shared to other users or groups. Furthermore, each asset can be configured for granular read or edit access at a group or an individual user level.

Dashboard Sharing

Dashboards can be shared to an specific user, or a group. In addition, you can specify if the user has View access or Edit. View access restricts the user to a view mode where they can consume the dashboard, analyze the data, apply temporary filters (for their session), download the data behind the visualizations but cannot make any changes to the dashboard.

Datasource Sharing

A datasource, for example, a database connection can be shared to another user or group, with edit or consumption rights. With Edit, the user (or the group) will have access to modify the datasource (not common). With consumption only rights, the user can create new queries from the datasource, but will not be able to see or edit, or clone the datasource details.

You can add a query against source.

Setting permissions :

Consume vs Edit: The first datasource in the following screenshot is consume only (note the actions that can be performed on the right) vs. full edit privileges on the other datasource.

Query Sharing

Queries can be shared with Edit or View only rights to groups and/or users. Edit rights enable collaboration on the same query by multiple users and includes edit, clone and delete rights for that query. A query shared with view only rights can be executed and cloned to create a user?s own version of the query.


Consume vs. Edit rights: The first query in the screenshot below is consume only, the second has edit rights.


User Group Publish/Consume Permissions

A user can belong to one or more groups, and marked with either consumption or publish rights for the specific group. In consumption mode, the user has read access to assets shared, but cannot publish into the same group. This allows publishing of assets from one user into a group, but does not allow the consumer to publish it back into the parent group.

Example: Let's say an "engineering" group writes and publishes baseline queries to an analyst and wants to maintain the original queries and does not want that user to publish queries back to the engineering group. This can be done by setting the rights during the user invite. The analyst can publish it to their own groups, but cannot post back to the parent group.

Assigning user-group consume/edit rights:

Automatic Sharing

There may be cases when any asset that the user creates needs be automatically shared to other groups, instead of sharing a specific asset explicitly (query etc.). In such cases, you can apply an 'Automatic Share to Group' setting that will automatically publish any assets created by the user to those groups that can be used by other users. This is available during user creation as well as within the edit menu.

User Level Filters & Security

User filters can be set that limits the data returned to the user across all their dashboards. There are two modes:

Query Parameters: Helps you define query parameters that can be passed in all the way into direct queries against your datasource. These parameters can be set at the user level and replaced during query execution.

Filter on Query Results: This post processes the data returned any any query to filter by the parameters set.

For an in-depth look at content filters, see section on Filters & Query Parameters.