Data permissions

Permission grants are integral to keeping your data secure. As an organization Admin, you have control over who has access to your connection's data in Sigma at each level of the connection tree. This means you can grant users full access to a connection or individual schemas, or you can limit their access to only certain warehouse tables. 

Sigma's broader permissions and sharing model also protects data access at the Dataset and workbook levels. However, this article will focus primarily on permissions to connections, schemas and warehouse tables. 

Contents

• Requirements
• Overview
  • Permissions are additive
  • Teams and users
• Permission levels
• Grant permissions
• Related resources

Requirements

• You must be an organization Admin to assign or revoke connection data permissions.

Overview

When you add a warehouse connection to Sigma, you and your fellow Admins have access to all warehouse data granted per that connection. All other users must be granted full or partial access permissions to the connection data.

The only exception to this is if you are running a Snowflake connection using OAuth for permission inheritance; see OAuth with Snowflake.

Permissions are additive

Permissions in Sigma are additive. If you grant an organization member permission at the connection level, they will subsequently have the same level of permission on all underlying schemas and Tables.  Similarly, if you grant them permission to access an individual schema, that permission will cascade down to all Tables in the schema.

These inherited permissions cannot be revoked at the inherited level. For example, if you want a user to have access to three of four Tables in a schema, you will need to grant them access to each Table individually. If you instead grant access at the schema level, there will be no way for you to restrict access to that one remaining Table.

Teams and users

Permission grants can be given to teams, or to individual users in your organization. In addition to individual permissions, users inherit all permissions granted to their team(s).

For new organizations, the Sigma team recommends creating teams first, and then granting data permissions. This simplifies the task, allowing you to grant permissions in bulk. See Manage teams.

Permission levels

Can Use

Organization members with this permission type can view Table data and create referencing Sigma datasets and workbooks. 

Can Use & Annotate

Organization members with this permission type have all the privileges of Can Use. They can also annotate Tables (e.g. hide columns, add column descriptions, create links to other Tables, etc). Annotations are local to Sigma, and are not reflected back to your warehouse.

Grant permissions to a table

1. Open your Connection from the left hand navigation panel.
   
2. Open your connections target warehouse Table through the connection tree.
3. Open the Table's Permissions tab.
4. Click Add Permission Grant.
5. Search for the team(s) or individual member(s) you would like to grant permissions to.
   
   
6. Select a permission to grant. You can grant Can Use, Can Update, or Can Use & Annotate. Users with annotation permissions can edit descriptions and column descriptions on tables. 
7. Click Save.
   
   

Related Resources

Folder and Document Permissions