Team-based access controls

You can use teams to manage access to activities, dashboards, and crosstab reports.

Watch a video

Teams are an optional feature that can be used to limit access to activities, dashboards, and crosstab reports to a subset of users based on team membership. If the activity or report has teams associated with it, Power Users, Authors, and Analysts must belong to at least one of the same teams in order to access it. Use teams to ensure that users only access resources that should be available to them and are relevant to them. To change access settings for a resource the user must also have the Can Change Access Settings permission on their user account.

Note:
  • Admins can access all activities, dashboards, and crosstab reports, regardless of access settings.
  • The Everyone access setting can be used to make an activity, dashboard, or crosstab report available to all users.
  • Teams only limit access to activities, dashboards, and crosstab reports through the user interface. It does not limit access through APIs.

  • Team-based access controls is an enhanced version of the tags feature available in earlier releases. Existing tags will be converted to teams and continue to function the same way.

  • All user accounts with the Power User or Author role on October 26, 2021 will be automatically assigned the Can Change Access Settings permission so that the behavior when they create new content remains consistent, meaning that new content is available to everyone. Admins can remove this permission from any of these user accounts that should not have the ability to change access settings.

Admin users are responsible for configuring teams for your organization:

  • They set up the teams required by your organization, and assign the appropriate users to each team.
  • They assign the Can Change Access Settings permission to specific users to give them the ability to manage access settings for activities, dashboards, and crosstab reports they created or have been granted access to based on their team membership.
  • They assign access settings for activities, dashboards, and reports directly when required.

Admins, and Power Users and Authors with the Can Change Access Settings permission, can set the access settings for an activity, dashboard, or crosstab report when they create it.

  • Admins can assign an activity to any available team, restrict it to Admin Only access, or make it available to Everyone.
  • Power Users and Authors can assign an activity to one or more teams they belong to, keep it Private so only they can access it, or make it available to Everyone.
    Note: Existing users with the Power User and Author roles will be assigned the Can Change Access Settings permission by default, so they can continue to make activities available to everyone.

Default access settings

When a user creates a new activity, dashboard, or crosstab report, there are two possibilities for default access settings based on the user's permissions:

  • If the user does not have the Can Change Access Settings permission, the default access settings will be applied:
    • If the user is assigned to one or more teams, the activity is accessible to users on the same team(s).
    • If a user does not belong to any teams, the activity is accessible to all other users.
  • If the user has the Can Change Access Settings permission, they are able to set the access settings as they create the activity. The access settings they can choose from depend on the user role they have been assigned.

Users that have the ability to specify access settings when they create an activity also have the ability to update the access settings for an activity at any time with the same access setting options.

Configuring teams

Team-based access controls provide a flexible way to define teams that work solely on the content they have access to. You can set up teams based on business unit, project, or any other criteria that makes sense for your organization.

Users can be assigned to multiple teams, but wherever possible assign a user to only one team to make it easer to understand who has access to specific content. Users responsible for creating or managing content can be assigned the Can Change Access Settings permission so that they can specify the access control settings when they create an activity, and they can update the access control settings for content then have access to.

When planning and configuring teams, take special care with users that belong to multiple teams and have access to sensitive activities, crosstab reports, or dashboards through their team memberships. For example, if User 1 belongs to Team A and Team B and User 2 belongs to Team B and Team C, User 2 has the ability to give Team C access to activities that User 1 has restricted to Team A and Team B. User 1 only has the ability to change access settings for the teams they are part of, so they will need to have an Admin or User 2 remove access for Team C.

Your organizations policies should determine if users can belong to multiple teams, which users should be assigned the Can Change Access Settings permission, and who should have access to sensitive content.