Map Ownership and Sharing
Overview
Honeycomb Maps provides fine-grained access control for maps, allowing owners to share maps with specific users or all users within the organization. Map permissions are enforced at the API level to ensure secure access control.
Map Ownership
When a user creates a map, they automatically become the map owner. Map ownership grants full control over the map, including the ability to:
- Edit the map
- Share the map with others
- Delete the map
- Transfer ownership (admin only)
Permission Levels
Honeycomb Maps supports three permission levels for map access:
| Permission | Capabilities |
|---|---|
| OWNER | Full control including editing, sharing, and deleting the map. Deleted maps can be restored by admins. |
| EDIT | Can edit the map and share it with other users. Cannot delete the map. |
| VIEW | Can view the map only. Cannot edit or share. The "Edit Map" button is hidden in the UI. |
Note: Map permissions are enforced at the API level, ensuring consistent security across all access methods.
Sharing Maps
Prerequisites
To share maps with specific users, those users must have logged into the Honeycomb Maps application at least once. This ensures they are registered in the application's user table.
How to Share a Map
- Navigate to the map list view
- Click the three-dot menu next to the map you want to share
- Select Control Sharing
- Choose the permission level (VIEW or EDIT)
- Select recipients:
  - Specific users: Grant permissions to individual users
  - All users: Grant permissions to everyone with access to the application
Sharing Options
Share with Specific Users
Grant permissions to individual users by selecting them from the user list. Users must have accessed Honeycomb Maps at least once to appear in the list.
Share with All Users
Grant permissions to all users who have access to the Honeycomb Maps application. This is useful for:
- Organization-wide dashboards
- Featured maps
- Reference maps used across multiple teams
Viewing Permissions with SQL
Map permissions are stored in the MAP_PERMISSIONS table within the CONFIG schema. Users with appropriate application roles can query this table to view and audit permissions.
For details on querying map permissions, see Accessing Map Metadata with SQL Queries.
Example Query
SELECT * FROM <HONEYCOMB_MAPS>.CONFIG.MAP_PERMISSIONS
WHERE MAP_ID = '<map_id>';
Map Permissions vs. Data Permissions vs. Application Roles
Honeycomb Maps uses three separate permission systems:
- Map permissions: Control who can view and edit specific maps
- Data permissions: Control access to underlying Snowflake tables used by the map (this is managed outside Honeycomb Maps)
- Application roles: Control access to the Honeycomb Maps application itself, and which type of user experience is displayed (admin, editor, or viewer). Learn more about application roles.
How It Works
When you share a map with a user, they receive permission to access the map itself. However, they must also have the appropriate Snowflake permissions to query the underlying data sources referenced in the map.
Access Scenarios
Scenario 1: User has both map and data permissions
- The user can successfully load and interact with the map
- All data layers display correctly
Scenario 2: User has map permissions but lacks data permissions
- The user can open the map
- Data sources they cannot access will display error messages
- Other data sources with proper permissions will load normally
Important: When sharing maps, ensure recipients have the necessary Snowflake permissions to access the underlying data sources. Use Restricted Caller's Rights to manage data access permissions.
For more information on configuring data access, see Accessing Snowflake Tables with Restricted Caller's Rights.
Email-Based Sharing
Default Behavior
By default, Snowflake only shares the current user's Snowflake username with applications. This means users must know the exact Snowflake username of the person they want to share with.
Enabling Email-Based Sharing
To allow sharing maps by email address in addition to Snowflake username:
- Contact Snowflake Support
- Request to enable the optional Sf-Context-Current-User-Email header for your account
- Once enabled, users can share maps using email addresses
For more information, see Snowflake Documentation on User-Specific Headers.
Note: Email-based sharing requires additional configuration at the Snowflake account level and is not enabled by default.
Administrative Control
Users with the HONEYCOMB_APP_ADMIN role have additional capabilities:
- View all maps, including private maps
- Modify sharing settings for any map regardless of ownership
- Reassign map ownership
- Restore deleted maps
See Administrative Functions for details.
Best Practices
- Use VIEW permissions for consumers: Grant VIEW permissions to users who only need to see data
- Grant EDIT permissions to collaborators: Reserve EDIT permissions for users who need to modify maps
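As an added example (not Honeycomb Maps code), these practices can be checked with a script over rows exported from MAP_PERMISSIONS. The column names (map_id, grantee, permission), the all-users marker, the max_editors threshold and the rule that the highest applicable grant wins are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Permission levels from the table on this page, ordered by capability.
RANK = {"VIEW": 1, "EDIT": 2, "OWNER": 3}
ALL_USERS = "<ALL_USERS>"  # placeholder: how an all-users grant is stored is an assumption

# Constructed sample rows; the keys are hypothetical column names.
ROWS = [
    {"map_id": "m1", "grantee": "ALICE", "permission": "OWNER"},
    {"map_id": "m1", "grantee": ALL_USERS, "permission": "VIEW"},
    {"map_id": "m1", "grantee": "BOB", "permission": "EDIT"},
    {"map_id": "m2", "grantee": "CAROL", "permission": "OWNER"},
    {"map_id": "m2", "grantee": ALL_USERS, "permission": "EDIT"},
    {"map_id": "m3", "grantee": "DAVE", "permission": "OWNER"},
    {"map_id": "m3", "grantee": "ERIN", "permission": "edit"},
]


def effective_permission(rows, map_id, user):
    """Highest valid level a user holds through a direct or all-users grant."""
    levels = [r["permission"] for r in rows
              if r["map_id"] == map_id
              and r["grantee"] in (user, ALL_USERS)
              and r["permission"] in RANK]
    return max(levels, key=RANK.get, default=None)


def audit(rows, max_editors=5):
    """Return sorted (map_id, finding) pairs for grants worth a review."""
    findings = set()
    editors = defaultdict(set)
    for r in rows:
        level = r["permission"]
        if level not in RANK:
            findings.add((r["map_id"], f"unrecognized level {level!r}"))
        elif level == "EDIT" and r["grantee"] == ALL_USERS:
            # EDIT also allows sharing, so every user can edit and re-share.
            findings.add((r["map_id"], "EDIT granted to all users"))
        elif level == "EDIT":
            editors[r["map_id"]].add(r["grantee"])
    for map_id, users in editors.items():
        if len(users) > max_editors:
            findings.add((map_id, f"{len(users)} direct EDIT grants"))
    return sorted(findings)


if __name__ == "__main__":
    for map_id, finding in audit(ROWS):
        print(map_id, finding)
```
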
Permission Management Workflow
- Create: User creates a map and becomes the owner
- Share: Owner grants VIEW or EDIT permissions to specific users or all users
- Collaborate: Users with EDIT permissions can modify the map
- Review: Admins can audit permissions using SQL queries
- Adjust: Owners or admins can modify permissions as needs change
- Archive: Owners can delete maps; admins can restore if needed
Related Documentation
- Administrative Functions - Admin-specific map management capabilities
- Accessing Map Metadata with SQL Queries - Query map permissions programmatically
- Managing Access with Application Roles - Understand application role capabilities