Published at: 2025-10-30
BI Platform Data Permissions
The BI platform inherits data permissions from business permissions.
What data scope can I see for objects involved in analysis?
- Primary objects: visible data follows business permissions (same as what you see on the object list page)
- Related objects: if you can see the primary object, you can view related object data in charts. Details:
- In Reports, this means you can see fields from related objects that are included in report columns. However, when you click the primary attribute to view object details, the related object’s data permissions still apply;
- In Statistic Charts, this means you can see metric values computed from related-object data, but when you drill into metric detail records, the related object’s data permissions still apply.
*For Sub-object subjects (for example, Sales Order Product subject), data permissions follow the Primary Object. If you can see the Sales Order, you can see its Sales Order Product data.
Report administrators: can view all object data in charts, including voided records (equivalent to CRM administrators).
</img>1. General Subject Data Permissions
Use Account subject as an example:
| Scenario | Consistent with Account list page |
|---|---|
| My Responsibilities | Accounts where I am the owner |
| Responsible by My Subordinates | Accounts where my subordinates are the owners |
| My Responsible Departments | Accounts whose owning Dept. is my responsible Dept. or its sub-departments |
| Shared With Me | Accounts shared with me (all sharing methods) |
| All | All of the above |
- Under Account subject analysis:
- Account is the Primary Object. Contract, Payment Collection, Opportunity, and Sales Order are related objects. Therefore, the Account data you can analyze matches the Account list page, and within charts you can aggregate Opportunity and Sales Order data for those Accounts you have access to;
- When you drill into Opportunity amount or Sales Order amount metric details, the current viewer’s data permissions on those objects still apply.
</img>2. Data Permissions for Special Subjects
2.1 People Subject Data Permissions
People subject data permission logic is special.
| Scenario | Description |
|---|---|
| Myself | Data where I am the owner |
| My Subordinates | Data where my subordinates are the owners |
| My Responsible Departments | Data for people whose primary Dept. is my responsible Dept. or its sub-departments, where those people are the data owners |
| Shared With Me | 1. Only counts data shared with me via "Source" sharing, and does not include other sharing methods (for example, conditional sharing) 2. When multiple metrics are present, use the intersection of each metric’s shared-object scope |
| All | All of the above |
Note: Because objects can have many-to-many relationships with people, the owner relationship mentioned above can be replaced by other person-relationship rules in permission rules.
Scenario example: Why can’t Amy see shared data in People subject even though data was shared with her via Source?
- Scenario reconstruction:
- Org Structure: Level 1 Dept.: Sales Center; Level 2 under Sales Center: South China Region and North China Region; Level 3 under South China Region: Guangzhou Branch and Shenzhen Branch; Level 3 under North China Region: Hebei Branch;
</img>-
The administrator shared Opportunities from the North China Region and Sales Orders and Payment Collections from the South China Region with Amy. When Amy views Statistic Charts under People subject and selects "Shared With Me", she still cannot see Opportunity amount, Sales Order amount, or Payment Collection amount data.
-
Reason analysis:
- Because the shared scopes for Opportunity, Sales Order, and Payment Collection under People subject intersect to an empty set;
- If the administrator instead shares Opportunities from Shenzhen Branch with Amy, then when Amy selects "Shared With Me" she can see Opportunity amount, Sales Order amount, and Payment Collection amount for Shenzhen Branch, because the intersection becomes Shenzhen Branch.
-
Summary: The BI "Shared With Me" permission enforcement is relatively strict. When aggregating multiple objects simultaneously, you can only view all metrics if the shared data scopes have a non-empty intersection. Otherwise, you cannot view them.
*Note: Sharing People object data does not grant access to all business data related to those people; it only grants permission to view that person’s target and achievement values.
2.2 Dept. Subject Data Permissions
Dept. subject data permission logic is special.
- Primarily applies to roles with broader permissions, such as Dept. leaders, executives, and administrators.
- Report administrators and CRM administrators can view all Dept. data;
- Dept. leaders can view data for the Depts. they are responsible for;
- Dept. assistants can view data for Depts. where they serve as assistant;
- Regular employees can analyze data shared based on owning Dept.
2.3 Account Pool and Lead Pool Data Permissions
- To analyze Account data that an employee accesses through Account Pool admin/member roles, use the dedicated "Account Pool Account Statistics" template to create reports:
- Reports created from this template show data permissions consistent with the Account Pool list page; when filtering by "Affiliated Account Pool", the selectable range matches the list page;
- Similarly for Lead Pool: use the "Lead Pool Lead Data Summary" template to create reports. The data permissions and filterable Lead Pool ranges match the Lead Pool list page.
</img>
</img>
</img>
</img>