Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            AskQ User Security Guide

            Created by Robert Cross, Modified on Sun, 14 Dec, 2025 at 10:07 AM by Robert Cross

            How to Apply User Security in AskQ


            This guide explains how to control what data users can see in AskQ using Security GroupsColumn-Level Security, and Row-Level Security.


            AskQ’s security model is designed to be:

            Flexible

            Explicit

            Safe by default

            Easy to manage at scale

            Key Concepts


            Security Groups (Foundation)


            All security in AskQ is driven by Security Groups.

            • Security Groups are defined by an Admin in the settings screen

            • Users can belong to multiple security groups

            • Permissions are additive, never subtractive

            • Groups control:

              • Which datasets users can access

              • Which columns they can see

              • Which row level security settings are used


            If a user is not granted access through any group, they see no data.

            Column-Level Security


            Controls which datasets and fields a user can see.


            Examples:

            • Sales users can see Revenue but not Cost or Profit

            • Analysts and Executives can see all fields


            Column-level security is always evaluated before row-level security  .

            Row-Level Security


            Controls which rows of data a user can see within a dataset.


            Examples:

            • A sales rep sees only their own customers

            • A regional manager sees only their region

            • A site manager sees only assigned sites


            Row-Level Security is implemented using Security Variables, which are mapped to dataset columns.

            Step 1: Create Security Groups

            1. Go to Settings → Security Groups

            2. Click + Security Group

            3. Give the group a clear, role-based name

              (e.g. Sales Team, Analysts, Administrators)

            4. Add users to the group


            A user may belong to multiple security groups

            Group effects are combined automatically

            Step 2: Define Security Variables (for Row-Level Security)


            Security Variables define how rows will be filtered.


            They represent categories, not values.


            Examples:

            • site_code

            • sales_rep_code

            • region_code


            To create a Security Variable:

            1. Go to Settings → Security Variables

            2. Click + Security Variable

            3. Define:

              • Name

              • Description

            Step 3: Assign Security Variable Values to Users


            Security Variable values determine which rows a user can see.


            Example


            User John Smith:

            • site_code → SITE_ASITE_B

            • sales_rep_code → SR001


            This translates to a filter on all data of:

            site IN ('SITE_A','SITE_B')
AND sales_rep_code IN ('SR001')

            To assign values:

            1. Go to Settings → User Security Variables

            2. Click a user cell

            3. Add one or more values

            4. Save


            Multiple values are supported

            Missing values result in zero rows for filters using that variable (safe-by-default)

            Step 4: Configure Column-Level Security


            1. Go to Settings → Data Set Security

            2. Select a dataset

            3. Ensure Column-Level Security is selected

            4. For each column, choose which security groups can see it


            Permissions are additive across groups

            If any group grants access, the column is visible

            Step 5: Configure Row-Level Security

            1. In Data Set Security, switch to Row-Level Security

            2. For each dataset:

              • Select a Security Group

              • Map a dataset column to a security variable


            Each rule represents:

            dataset_column IN (user’s variable values)

            How RLS is evaluated


            AskQ evaluates RLS in four steps  :

            1. Identify user’s security groups

            2. Build row filters per group (combined with AND)

            3. Combine groups using OR

            4. Return zero rows if all groups evaluate to FALSE


            This ensures:

            No accidental data leakage

            Clear, predictable results

            Common Patterns


            Sales Rep

            • Group: Sales Team

            • Variables: sales_rep_code

            • Sees only their own sales


            Regional Manager

            • Group: Managers

            • Variables: region_code

            • Sees all reps in region


            Executive

            • Group: Executives

            • No Row-Level Security filters

            • Sees all rows, limited columns

            Best Practices


            Use role-based security group names

            Keep variables generic and reusable

            Start restrictive, then expand access

            Test with a non-admin user

            Document group intent internally

            Summary


            AskQ security is:

            • Group-driven

            • Additive

            • Safe by default

            • Enforced consistently across all queries and AI responses


            By combining Security Groups, Column-Level Security, and Row-Level Security, you can precisely control who sees what—without duplicating datasets or writing custom logic.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0