Managing user permissions and access controls in Domo for large organizations

If your company relies on data, you probably know that keeping the right people in the right dashboards—and out of the wrong ones—can get messy fast. If you’re using Domo and have more than a handful of users, managing permissions isn’t just a checkbox task. It’s daily, sometimes thankless work that has real consequences when you get it wrong.

This guide is for admins, IT leads, and anyone stuck in the middle of user access chaos. We’ll cut through the noise and get to what actually works (and what doesn’t) when managing access in Domo for big teams. No fluff, just the steps, trade-offs, and a few hard-won lessons.

Why Permissions Matter More as You Grow

Small teams can get away with “everyone’s an admin” or ad-hoc sharing. But as headcount grows, so does the risk:

  • Sensitive data leaks to the wrong people (sometimes by accident).
  • Users get overwhelmed by dashboards they don’t need.
  • Compliance and audits become nightmares.
  • Cleaning up a permissions mess later is way harder.

Domo gives you a bunch of tools to manage this, but—let’s be honest—they’re only as good as your process. So before you start clicking, get clear on what you’re actually protecting, who needs what, and how often things change.

Step 1: Understand Domo’s Permission Model

Domo’s access controls break down into three main layers:

  1. Roles – What a user can do (admin vs. editor vs. viewer, etc.).
  2. Groups – Collections of users, usually by function, department, or geography.
  3. Content permissions – Who can see or edit specific datasets, cards, and pages.

Here’s what actually matters with each:

Roles

  • Domo has built-in roles: Admin, Privileged, Editor, Participant, and Social.
  • You can create Custom Roles if the built-ins don’t fit (and in big orgs, they usually won’t).
  • Pro tip: Don’t give out Admin like Halloween candy. Too many admins = “who deleted this dashboard?” at 2am.

Groups

  • Groups are your friend. Set up groups by department, function, or region.
  • Assign permissions to groups, not individuals, whenever possible.
  • What to skip: Avoid one-off “special” groups for every VIP request. That’s a maintenance nightmare.

Content Permissions

  • Every dataset, card, and page has its own share settings.
  • Permissions can get tangled fast if you grant access ad-hoc. Stick to group-based sharing.
  • Watch out for “Public” shares. Yes, it’s easy, but it’s also risky.

Step 2: Map Out Who Needs What

Don’t just start building groups and roles without a plan. Take a beat and do this:

  • List your major user buckets (Sales, Finance, Execs, etc.).
  • For each, answer: What data do they really need? What’s off-limits?
  • Identify “power users” who need more access, and “viewers” who just consume reports.

You don’t need a perfect matrix, but some basic structure helps avoid headaches later. This is also your chance to push back on “but everyone should see everything!” Trust me: they don’t.

Step 3: Set Up Roles and Groups in Domo

Now you’re ready to build. Here’s the order that works best:

1. Create Custom Roles (If Needed)

  • Go to Admin > Governance > Roles.
  • Clone a built-in role if it’s close, then tweak as needed.
  • Be specific. If Finance needs to edit datasets but not manage users, lock it down.

2. Build Groups

  • Go to Admin > Governance > Groups.
  • Create groups that match your user buckets (from your mapping step).
  • Add users to groups. Sync with your identity provider if you can, to automate this.

3. Assign Roles to Groups

  • Assign your custom roles to groups, not to individual users.
  • This makes onboarding/offboarding a breeze—and avoids mistakes.

Pro tip: If you’re using SSO or SCIM, get IT to manage group membership via your directory. Manual management doesn’t scale.

Step 4: Share Content Using Groups—Not One-Offs

This is where things often go sideways. Resist the urge to “just share this card with Bob.” Instead:

  • Share datasets, cards, and pages with groups.
  • Only make exceptions for truly unique needs, and document them.
  • Regularly review who has access to what. Every quarter is a good cadence.

What to watch: Domo’s UI makes it easy to add individuals to shares. Don’t do it unless you want future-you to hate current-you.

Step 5: Handle Sensitive Data with PDP (Personalized Data Permissions)

Domo has something called PDP (Personalized Data Permissions). It lets you show different slices of a dataset to different users—without duplicating data.

How it works, in plain English:

  • You set up PDP policies on a dataset.
  • The policy uses rules (like “Region = East”) to filter what each group/user sees.
  • When a user loads a card based on that dataset, Domo only shows them their allowed slice.

When to use PDP:

  • You have one dataset (say, sales) but want people to only see their region, client, or division.
  • You want to avoid making 20 copies of the same dataset.

What to watch out for:

  • PDP adds complexity. If you don’t need it, skip it.
  • Test your policies with “View as” before rolling out widely.
  • Document your PDP rules somewhere outside Domo. You will forget what you did.

Step 6: Audit, Review, and Adjust—Regularly

Permission sprawl is real. Even with the best plan, things drift. Make it a habit to:

  • Run Domo’s built-in Access Reports (Admin > Governance > Access Logs).
  • Look for users with admin or broad permissions they don’t need.
  • Remove access for ex-employees or stale accounts.
  • Review your groups and PDP policies at least quarterly.
  • Ask managers to confirm their teams’ access—don’t try to know everyone’s needs yourself.

Pro tip: If something feels confusing or contradictory, it probably is. Permissions don’t get clearer with time; tackle confusion head-on.

What Works, What Doesn’t, and What to Ignore

Let’s be blunt:

Works well:

  • Using groups for everything. Less manual work, fewer mistakes.
  • Custom roles, once you get the hang of them.
  • PDP, when you really need row-level security.

Doesn’t work well:

  • Managing access user-by-user. You’ll lose track, and things get missed.
  • Granting admin to anyone who asks. Too much power, too little oversight.
  • Ignoring regular reviews—this stuff doesn’t run itself.

Ignore:

  • Overly complex permission schemes. If you need a whiteboard to explain it, it won’t last.
  • Making everything “public” for “transparency.” It sounds good until someone sees salary data.

Keep It Simple and Iterate

You don’t need to solve permissions for all time. Start with groups, map out the basics, and don’t be afraid to tweak things as your org changes. Complexity creeps in when you try to please everyone or skip a step.

Keep your process simple, document what you do, and check back often. In big organizations, access control is never “done”—but it doesn’t have to be a disaster either.