To provide access to specific objects of a given object type in Object Explorer, set a Restricted View as the backing dataset in the Ontology Manager. To successfully configure and save an object type backed by a Restricted View, you must have View access to the input dataset of the Restricted View.
To create and edit Restricted Views, you must meet the following criteria granted within the Granular Permissions Administration workflow in the Roles interface. To access the Roles interface, navigate to Settings and select Roles in the Platform Settings section of the sidebar. Access to the Roles interface requires special platform permissions; contact your Palantir representative if you require this level of access.
| Role | Description |
|---|---|
| Create restricted view resource | Needed on the folder/Project. |
| Create restricted view for dataset | Needed on the dataset upstream of the Restricted View. |
| Edit resource granular policy | Edit the granular policy on resources. |
| Read resource granular policy | Read the granular policy on resources. |
| Edit restricted view resource | Needed to make edits on the Restricted View (policy, assume Markings). |
| View restricted view resource | View the properties of a Restricted View (policy, assume Markings). |
| View restricted view transaction | See historical transaction metadata (policy, assume Markings). |
To build a Restricted View, you must have view access on the input dataset and edit permissions on the output Restricted View.
To use a Restricted View in a Contour analysis, you need the Read restricted view permission.
To configure and save an object type backed by a Restricted View, you must have:
To use granular policies on dataset-backed objects in Object Explorer, you must have View ontology datasource permissions on the dataset to see any objects of this type.
Restricted View policies support the following comparison types:
Policies are defined as templates into which user attributes, group memberships, and data values can be filled:
When the consuming application of a granularly-permissioned resource requests data (such as in Contour), the policy template is converted into a query that only returns rows specific to the user’s attributes and permissions.
A single policy can have up to ten comparisons. Restricted View policies weigh each comparison in the policy depending on whether the policy is comparing a collection or a constant against a field:
For example, in a basic policy:
The current policy construction limit is designed to put a minimal amount of constraints on a particular policy design; it provides little protection against a policy that could overwhelm weight limits.
If you receive weight limit errors when constructing policies, contact your Palantir representative for assistance.
Changes to policies are recorded as new transactions on the Restricted View, but some users may require additional controls around policy change management.
When you manage Restricted View policies consider two goals:
Restricted View policies introduce a set of assumptions about the data that backs them. Therefore, Restricted View policies will only correctly control access to data as long as these assumptions are true. Consider whether the use case requires building out machinery to ensure that those assumptions hold and data stays secured if those assumptions are broken.
One way to solve this problem is by introducing a step in the pipeline directly upstream of the Restricted View that checks the assumptions made about the data. These checks might include:
event_occurred_in_state has the value NY, another column in the dataset called state_name should have value New York. Have the Transform check that this is true before surfacing this data to users.Restricted Views are similar to datasets but have some key differences. The contents of a Restricted View combine two dynamic factors: (1) the policy definition and (2) the attributes and group memberships of the particular user accessing the Restricted View at a specific point in time. While the policy definition history is maintained in a Restricted View’s transaction history, it is not possible for the transaction history to maintain a complete history of all user attributes and group memberships.
Restricted Views are designed to simplify the analytical consumption of pipelines by individual users and cannot be used as inputs to data transformations. Pipelines built in Foundry should be reproducible and agnostic to the specific user running them, which is incompatible with the nature of Restricted Views in providing row-level permissions that depend on user attributes.
The following list summarizes the current limitations of Restricted Views:
| Operation | Is this supported by Restricted Views? | Explanation |
|---|---|---|
| Reading | YES | Restricted Views can be read via objects or in Contour |
| On-the-fly calculations | YES | With Restricted Views, calculations can be performed from accessible rows via objects (such as in Quiver or Functions) or on datasets (with tools like Contour) |
| Writeback | YES | Objects based on Restricted Views can have defined writebacks |
| Exporting | YES | Data from Restricted Views can be exported via Quiver, Contour, and other applications |
| Batch-processing | NO | Batch processing is not supported with Restricted Views, given that different users see different subsets of data |
| Saving outputs as a Foundry dataset | NO | Saving outputs based on transformations performed to Restricted Views is not supported; since Spark does not natively support row-level permissions, there is no way to enforce that subsequent transactions maintain the guarantees of restrictions |
| Syncing to Postgres | NO | Syncing a Restricted View to Postgres is not supported because row-level permissions that depend on user attributes would not be maintained |