PDP And Client Entitlements
Personalized Data Permissions are the Domo-native entitlement mechanism for client-specific data access inside a shared Domo instance.
Standard Customer Shape
Customer Acme
  Domo group: client_acme_viewers
  App/page access: Acme Client Dashboard
  Dataset PDP:
    Account ID in (...)
    Group ID in (...)
    Contract ID / pricing scope in (...)
    Reporting period allowed
  Optional column masking:
    hide claim/member/PII-sensitive fields
Required PDP Policy Dimensions
| Dimension | Purpose |
| --- | --- |
| account_id / customer id | Prevents one customer from seeing another customer's rows. |
| group_id / group name | Supports group-specific claims/audit dashboards. |
| contract_id / pricing scope | Keeps pricing and guarantee context scoped to the right contract. |
| reporting period | Prevents unauthorized access to outside-window results. |
| column masking | Hides or masks member, claim, PII, PHI, or other sensitive fields when not needed. |
Operational Rules
- A dashboard-level client selector is not security.
- PDP must be enabled on the underlying Domo dataset when Domo-native cards are used for client-specific data.
- Cards, pages, dashboards, and App Studio apps must be shared to the correct Domo group.
- Users/groups not included in the applicable PDP policy should not receive rows for that policy.
- Column policies should be used when a dataset includes fields that are not needed for the client-facing presentation.
Validation Checklist
| Check | Expected result |
| --- | --- |
| user in client_acme_viewers | sees only Acme rows. |
| user in another client group | does not see Acme rows. |
| user has page access but no PDP row match | sees no unauthorized rows. |
| sensitive columns masked | member/claim/PII-sensitive fields are hidden or masked. |
| dataset feeds multiple cards | all cards inherit the same row/column entitlement. |
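The checklist can be rehearsed offline before it is run against real users. The sketch below is an added example, not Domo code and not a Domo API: it models the policy dimensions above as a default-deny row filter over constructed rows. The Policy class, visible_rows function, sample IDs, the client_globex_viewers group, and the rule that masks from all matching policies combine are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Policy:
    """Local stand-in for one PDP policy (not a Domo API object)."""
    groups: set          # Domo groups the policy applies to
    account_ids: set
    group_ids: set
    contract_ids: set
    period: tuple        # (first, last) reporting date allowed, inclusive
    masked: set = field(default_factory=set)  # columns hidden from these groups

    def allows(self, row):
        first, last = self.period
        return (row["account_id"] in self.account_ids
                and row["group_id"] in self.group_ids
                and row["contract_id"] in self.contract_ids
                and first <= row["period"] <= last)

def visible_rows(user_groups, policies, rows):
    """Default deny: return a row only when a policy naming one of the user's
    groups matches it. Assumption: masks from all matching policies combine."""
    out = []
    for row in rows:
        hits = [p for p in policies if p.groups & user_groups and p.allows(row)]
        if hits:
            masked = set().union(*(p.masked for p in hits))
            out.append({k: "***" if k in masked else v for k, v in row.items()})
    return out

# Constructed sample data; IDs and client_globex_viewers are made up.
Y24 = (date(2024, 1, 1), date(2024, 12, 31))
ROWS = [
    {"account_id": "ACME", "group_id": "G1", "contract_id": "C10", "period": date(2024, 3, 1), "member_id": "M001"},
    {"account_id": "ACME", "group_id": "G1", "contract_id": "C10", "period": date(2022, 3, 1), "member_id": "M002"},
    {"account_id": "GLOBEX", "group_id": "G7", "contract_id": "C20", "period": date(2024, 3, 1), "member_id": "M003"},
]
POLICIES = [
    Policy({"client_acme_viewers"}, {"ACME"}, {"G1"}, {"C10"}, Y24, {"member_id"}),
    Policy({"client_globex_viewers"}, {"GLOBEX"}, {"G7"}, {"C20"}, Y24, {"member_id"}),
]

if __name__ == "__main__":
    for groups in ({"client_acme_viewers"}, {"client_globex_viewers"}, set()):
        print(sorted(groups), visible_rows(groups, POLICIES, ROWS))
```

Because the filter sits on the rows rather than on any one card, every consumer of the dataset gets the same result, which is the property the last checklist row tests.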