Manage security for object types and object instances

There are two primary forms of access control and permissioning for Ontology data (object types): object input datasources and granular access controls.

The Check access panel in the sidebar can be used to check someone's access to a Workshop or Slate application, including access to dependent object types, their datasources, and granular access controls. For more information, see the Check access panel documentation.

Object input datasources

Data permissions for object instances in the Foundry Ontology are controlled by the permissions applied to the input datasources. Object types in the Foundry Ontology can have three types of resources as their input datasources: Foundry datasets, Foundry restricted views, and Foundry streams. Development is ongoing to support additional datasource types in the Ontology.

  • Foundry datasets: Foundry datasets are the most common input datasource for creating object instances in the Foundry Ontology. Each row in the dataset corresponds to a full object instance in the Foundry Ontology, and any user that has at least Viewer permissions on the dataset will have access to all the object instances created from that dataset.
  • Foundry restricted views (RVs): Foundry restricted views are resources that grant row-level permissions in Foundry. Restricted views are also used to grant object instance-level access control in the Foundry Ontology. Users who satisfy the policy restrictions for a specific row in the restricted view can also access the object instance created from that row.
  • Foundry streams: Foundry streams are the input datasources used for low-latency streaming data in the Foundry Ontology. By departing from the batch infrastructure used for non-streaming Foundry datasets, streams enable indexing of data into the Foundry Ontology on the order of seconds or minutes. Any user that has at least Viewer permissions on the stream datasource has access to all the object instances created from that stream datasource.

Granular access controls in the Foundry Ontology

The most common Ontology input datasources are Foundry datasets; for these datasets, users can either access all or none of the rows and columns of the dataset, and similarly either all or none of the corresponding object instances and their properties. However, some use cases and workflows may require more granular object instance access control than all-or-nothing for a datasource or its corresponding objects.

To this end, Foundry restricted views (RVs) offer row-level access controls, and multi-datasource object types (MDOs) provide column- or property-level access controls.

Foundry restricted views (RVs)

Foundry restricted views (RVs) enable row-level access control over specific rows in a Foundry dataset or a Foundry stream [Beta], and over the corresponding object instances created from those rows. Access to an object instance with a specific primary key is governed by who can access that specific row in the input restricted view datasource.

For example, a healthcare employee may be allowed to view dataset rows and object instances containing PHI for patients that visit their care center, but restricted from viewing data for patients that only visit other care centers, even if both types of data exist in the same dataset and object type.

Using the Ontology Manager, restricted views can be selected as an input datasource of an object type in the same way as a Foundry dataset.

Restricted view (RV) support on top of Foundry streams is currently in beta and may not be available on your Foundry enrollment. Contact Palantir Support to learn more.

Learn more about setting up RVs and governing row-level permissions for object instances.

Multi-datasource object types (MDOs)

Multi-datasource object types (MDOs) are only available in Object Storage V2.

The Foundry Ontology offers support for mapping multiple input datasources to a single object type. Such object types are referred to as multi-datasource object types (MDOs).

MDOs enable you to map columns from different datasources to the various properties of an object type. This, in turn, enables you to apply multiple access controls (corresponding to separate input datasources) to a single object type. These input datasources can be any combination of Foundry datasets or Foundry restricted views.

For example, for a given care event object type, some healthcare employees may require access to object properties containing personal health information (PHI), while other employees should not have this access. This access control can be supported by backing the Care Event object type with two separate input datasources and applying different access controls and permissions on each input datasource. These different permissions will be respected and applied to the object instance, such that a user will not have access to the properties mapped from an input datasource if that user does not have access to the input datasource.
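The row-level (restricted view) and property-level (MDO) behaviour described above, modelled in Python as an added example; it is not Foundry code or a Foundry API. The `Datasource` class, the datasource names, users and rows are all constructed for illustration, and leaving unreadable properties out of the result is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Datasource:
    """Toy stand-in for an input datasource (hypothetical, not a Foundry API)."""
    name: str
    viewers: set                      # user ids with at least Viewer permission
    rows: dict                        # primary key -> {column: value}
    row_policy: Optional[Callable] = None  # present only for a restricted view

    def readable_row(self, user: dict, pk: str) -> Optional[dict]:
        if user["id"] not in self.viewers or pk not in self.rows:
            return None
        row = self.rows[pk]
        # Restricted view: the user must also satisfy the row-level policy.
        if self.row_policy is not None and not self.row_policy(user, row):
            return None
        return row

def visible_properties(user: dict, pk: str, datasources: list) -> dict:
    """Properties of one object instance the user can read across all datasources."""
    props = {}
    for ds in datasources:
        row = ds.readable_row(user, pk)
        if row is not None:
            props.update(row)
    return props

# Constructed sample data: a Care Event object type backed by two datasources.
same_center = lambda user, row: user["care_center"] == row["care_center"]
CORE = Datasource("care_event_core", {"nurse_a", "scheduler"}, {
    "evt-1": {"care_center": "A", "visit_date": "2024-03-01"},
    "evt-2": {"care_center": "B", "visit_date": "2024-03-02"},
})
PHI = Datasource("care_event_phi_rv", {"nurse_a"}, {
    "evt-1": {"care_center": "A", "diagnosis": "constructed-dx-1"},
    "evt-2": {"care_center": "B", "diagnosis": "constructed-dx-2"},
}, row_policy=same_center)
CARE_EVENT = [CORE, PHI]

NURSE_A = {"id": "nurse_a", "care_center": "A"}
SCHEDULER = {"id": "scheduler", "care_center": "A"}

def phi_exposure(users: list, pks: list) -> set:
    """Audit helper: (user, pk) pairs for which the PHI property is readable."""
    return {(u["id"], pk) for u in users for pk in pks
            if "diagnosis" in visible_properties(u, pk, CARE_EVENT)}
```

Running `phi_exposure` over a list of users and primary keys gives a quick picture of who can read the PHI property on which object instances, which is the question a permissions review needs answered.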

Learn more about setting up MDOs and governing column-level permissions for object instances.