Pigment Security Basics

  • 21 December 2021
  • 0 replies

Userlevel 5
Badge +3

Pigment’s security is comprised of Roles, Permissions, and Access Rights. These settings let you configure what Members can do, see, or modify within your Applications. All applications have a pre-built set of Roles with assigned Permissions and Access Rights. This article will go over the basics of Pigment Security.


Table of Contents


Members must have the Define Application Security Permission to view the Roles, permissions & access page.


Roles, permissions & access 


Each Pigment Application has its own individual security settings, these can be found in the Roles, permissions & access page within an Application.  To access the page, click on Settings from the sidebar in your application,  then select Roles, permissions & access. This page outlines all Application specific security settings that allow admins to control which Members can access an Application, what actions they can perform within the Application, and which data they can interact with. 


The Roles, permissions & Access page is divided into four different sections:

  • Overview: Shows the Members with access to this Application, their roles, and the number of Members and associated Roles. This is also where you add new Members to the Application
  • Roles: Provides an overview of the different Roles for the Application, including the assigned permissions and default access rights.
  • Board access: Manage and control which users can access specific boards and what actions they can perform within those boards.
  • Board access configuration: Determines what actions a user can perform on a board, such as opening, commenting, or configuring, based on their assigned Role.
  • Data access rights: Shows rules and settings that define which data users can access and if they can read or write in that data.




The overview tab highlights key information about Members and their access to this Application:

  • Application’s Members shows the number of Members who have been invited to this particular Application.
  • Security shows the number of different Roles.
  • Owner displays which Member is the Application owner.




To make sure that there is always a user who can configure the Permissions and Access Rights of all Applications, each application has an owner. This owner will always be an Application Admin and thus have all Permissions in the application, disregarding any other configuration. The owner is also the only Role that can delete the Application. Any member with the “Define Application Security” permission will be able to update the owner.

Any Member with the Security Admin Account Type will be able to manage ownership of any Application within the workspace.


In order to grant Members access to an Application, you need to invite and assign them a role.


Add an existing Member to an Application


To add an existing Member to an Application, follow these steps:

  1. From the Overview tab on the Roles, permissions & access page, click Invite Members.
  2. Use the Member dropdown to select the Member you want to add. You can select multiple Members if you are going to assign them the same Role. To be included in this dropdown, a Member must first be added to your workspace.
  3. Select the Role you want to assign those Members.
  4. Click Add. You can add more Members to your Application by repeating steps 2 and 3 or adjust any newly added Members roles, using the dropdown next to their name.
  5. Select Invite.


If you want to invite a new Member to your Pigment Application, go to the Members Management section in the Sidebar and follow the guidelines provided in Add and Switch Accounts.


Add an existing Member via Groups


You can add existing Members to an Application by assigning them to one of its associated Groups at Workspace level. To do this:

  1. Go to your Workspace and click Settings.
  2. In the Settings sidebar, go to Members Management and click Groups.
  3. Select the specific Group you want to add a Member to, then click Members in the Group Details pane.
  4. Click + Invite Members.
  5. Select the Member from the Members of this Group dropdown and click Add.
  6. Click Save.


After a Member is added to an application with a Role, you can adjust their Role by using the Role dropdown next to their name.




Roles are comprised of Permissions and Access Rights.  Permissions define the actions a user can take, such as building new Metrics or writing formulas.  Access Rights define how a user interacts with data, can they read it, write or edit it, or whether should it remain hidden from them. 


There are 5 default Pigment Roles: 

  • Admin: This role has all permissions applied to it, allowing the user to perform all application-level functions. 
  • Contributor: Designed for users who will be interacting with data, this role focuses on inputting actions.
  • Designer: Focused on the creation of the end-user experience, this role allows for Board specific creation actions.  
  • Modeler: This role is designed for Application builders. All actions are allowed except Security configuration and Block update history.  
  • Reader: This role is designed for those who only need to read data on Boards, all other actions are denied.  This is the only role with Write access turned off, meaning users can only read, not write on data. 

These roles can be entirely customized for your needs. Click + New Role to create a new role. 


Members can only have one role per Application assigned through groups. Learn more here.




Permissions define the actions that a user can perform in Pigment.  When a user is assigned a role, they will get all the permissions associated with that role. From the Roles tab, you can hover over a Role and click View details on the right side to see which Permissions are assigned to a Role.

After hitting View details, the Details section will show you the permissions of that role.  The Members section will show which members have that role and allow you to invite others. 


From the detailed view of a Role, you can click more options (…) to Invite members, duplicate or delete a role. 


Here is a list of all permissions and what they do. 

Permission Name Actions Granted
Display Application Application visible in Pigment Workspace
Configure Application  Can edit the Applications Settings
Define Application security Can edit the application security and assign Roles

Configure Automations

Can add/edit/delete Automations
Configure calendars
Can manage the calendar settings of the Application
View History Can view Block and model History (Including formulas updates and data imports). Can take Snapshots
Create & Delete Folders Can manage folders for both blocks and boards.

​Create scenarios

Can activate Scenario functionality, create new Scenarios and place Scenarios into Read Only 
​Delete scenarios Can Delete Scenarios

Formula playground

Allows users to access the Formula Playground without having the Configure Block permission they will  need to create the metric.
Open Block Explorer Can see the all Blocks in the Sidebar 
Configure Blocks Can write and edit formulas. If disabled, users can still write formulas in the formula playground. It also allows users to create and delete blocks.
Configure Views Can create and edit saved views of blocks
Add List Items Can add items to Dimension and Transaction Lists
Remove List Items Can delete items in Dimension and Transaction Lists
Reorder List Items Can reorder items to Dimension and Transaction Lists
Import Data Can Import data into blocks and Schedule Imports.
Board permissions 
Can open Can open Boards. This can be applied to specific boards through the Security panel.
Can comment

Can open and comment on Boards.

Can configure Can access the “Edit board” button to be able to add widgets to a Board.


Read/ Write in Roles 


The Read and Write columns within the roles show the default Access Rights. Access Rights allow you to control what data is hidden from users and what data they can read or edit. Each role has a default application-level Access Right assigned to it. This setting applies to the entire application. 

Access Rights can be customized in much greater detail and can be different for every user, regardless of their role. Go to the Setting up custom Access rights configurations article to learn how to set custom security rules. 


How to create and edit a Role

  1. From the Roles tab of the Roles, permissions & access page, click + New Role.
  2. Give the Role a name.
  3. Toggle on the different permissions the Role should have.                                                  Permissions are broken down into three sections. Application and Blocks permissions define how users can interact with Application settings and configure blocks and views.  Board permissions define the default permissions a Member has across all Boards. 
  4. Set the Default Access Rights a Member should have for the Application. 
  5. Click Create Role


How to delete a Role

  1. From the Roles tab of the Roles, permissions & access page, hover over a role and click more options (...) from the right side.
  2. Click Delete Role. 

If Members have already been assigned that Role, you will receive a prompt with the names of those Members.  Once the Role is deleted, those members will lose access to the Application until they are given a new Role. 


Board Permissions 


Member’s access to Boards is controlled by Board Permissions.  This section shows all of the rules that have been set up to manage access to Boards.  For more information check out the dedicated article on Board permissions.


Complement these permissions with rules for Boards

This section will show all Metrics that are used to apply Board permissions, it will also showcase which Boards these Metrics are applied to.


Boards without default permissions applied

When the default role is removed from a particular board, a new section will appear in the security settings page to easily help you identify which boards this applies to. If the User roles Metric is used in all Boards, this section will not be visible. 


Data access rights



By default, The Users roles Metric defines the Access Rights configuration for the entire Application.  This section allows for a more granular approach where you can specify which Data is either hidden, readable, or writeable for individual users.  Through the creation of a Metric with a data type of Access Rights, you can establish a more custom approach to your data security.  You can learn more here.


Inheritance options

Allow the removal of inherited access rights for Blocks coming from other Applications using the function RESETACCESSRIGHTS().

This toggle is for Security Admins only, it allows for cross-application use of the RESETACCESSRIGHTS function to remove inherited access rights through shared dimensions. Check out this article on Inheritance of Access rights and when to use RESETACCESSRIGHTS



Remove access rights inherited through formulas within this Application

This option is only available after the cross application inheritance is disabled.  This will remove all inheritance of access rights.

For more information on these two settings, please refer to the Application level access rights inheritance options article.



Public Blocks 


Every block in Pigment has a Data visibility management setting option for Public. This setting will override all other Access Rights configurations and allow all users with access to the Application to be able to read data in that block.  This section will show you all blocks that have that functionality enabled. 

Note: Inherited Access Rights will still apply.


Learn More


This topic has been closed for comments