OneAnalytics docs

Link sharing

Every report, dashboard, dataset, and workspace in OneAnalytics can be shared via a sharing grant — the same API primitive regardless of audience (user, team, exec role, public link, embed).

From the UI

Click Share (top-right) on any report:

  • To specific users — type an email. Existing users get access instantly; non-users get an invite email.
  • To a team — picks up SCIM-synced groups or manually-created teams.
  • To an executive role — the grant is evaluated per user based on role at query time (not copy-at-grant-time).
  • As a public link — anyone with the link. Optionally require a password and/or watermark.
  • As an embed — generates a signed JWT and an <iframe> snippet; see Embed.

Actions

Each grant carries a list of allowed actions:

  • view — open the report
  • download — CSV/PDF/Excel export
  • comment — add threaded comments
  • edit — modify the report definition (not the underlying data)
  • share — re-share to others

A grant with view only gets a read-only render with download and comment UI hidden.

Expiry

Grants can expire — pick a date or "in 7 days". After expiry the grant is tombstoned (kept for audit), and the principal gets a 403 with problem code share/expired.

Watermark

Enable watermark and every viewer sees their email address faintly tiled across the report. Good for sensitive material. The watermark is rendered server-side for PDF/PNG exports so it cannot be stripped client-side.

Password

Public links can require a password. Password is hashed with Argon2id server-side; failed attempts are rate-limited (5 per 5 minutes per IP).

API

curl -X POST https://api.analytics.rstglobal.in/v1/sharing/grants \
  -H "Authorization: Bearer $OA_TOKEN" \
  -H "Idempotency-Key: $(uuidgen)" \
  -H "Content-Type: application/json" \
  -d '{
    "subject_type": "report",
    "subject_id": "b3d3...uuid",
    "principal_type": "link",
    "actions": ["view", "comment"],
    "watermark": true,
    "expires_at": "2026-05-01T00:00:00Z"
  }'

Response includes a link_url suitable for sending.

Revoke

From Share → Manage, click Revoke next to any grant. Takes effect on the next request — cached sessions are invalidated within 60 s.

Audit

Every grant create/update/revoke is written to the audit log with the actor, timestamp, and full grant payload.