dougnewton's avatar
dougnewton
ETL
08-31-2023
Status:
New Idea

Row security (filtering) via attribute on User account

At the moment, you can do row filtering in a Data Model, by applying an enforced filter.  This works fine in simple scenarios.

In my case, I have 150 different users who each need to be able to see only their own data.  So I have to add them one-by-one to the data model's "Data Security" area.  Not only that, I have to do this to 10 different cubes, so this will be a lot of manual effort to set up and maintain over time as people come and go.

What I'd like to be able to do is define a custom attribute on the User record, like "Location ID".  I'd fill it in for that user, entering "12345" for a particular user record.  That User is also a member of a group called "My Restricted Group".

Then, I could go into the Data Security section, add an entry for the Location ID filter, applied to "My Restricted Group", and reference the "Location ID" number.  Then the system would enforce it at runtime -- is the logged in user a member of "My Restricted Group"?  If so, apply a fiter on the Location ID field, and fill it in with the value in their User profile.

Then I only have to maintain the Location ID value in their user profile once, and only need to apply that Location ID filter once per cube, not 150 times per cube.

Administration
Data Models

1 Comment

  • HamzaJ's avatar
    HamzaJ
    Data Integration
    08-31-2023

    This would be handy. For the mean time I am doing this via Postman. I have added my postman + an example csv that you can use. Dont forget to set the url and token and define if you are importing users or groups.

    Edit; i cant upload anything else except images. so here is the postman code

    {
	"info": {
		"_postman_id": "127906d0-a14a-44b6-876e-5cf7a822bfe7",
		"name": "Stap 3 EC Beveiliging Copy",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
		"_exporter_id": "4316343",
		"_collection_link": "https://ysisinzicht.postman.co/workspace/Ysis-Inzicht~5666f0d4-674f-41cc-96c2-5b5152f2e46f/collection/4316343-127906d0-a14a-44b6-876e-5cf7a822bfe7?action=share&source=collection_link&creator=4316343"
	},
	"item": [
		{
			"name": "https://URL/api/elasticubes/datasecurity",
			"request": {
				"auth": {
					"type": "bearer",
					"bearer": [
						{
							"key": "token",
							"value": "TOKEN",
							"type": "string"
						}
					]
				},
				"method": "POST",
				"header": [
					{
						"key": "accept",
						"value": "application/json"
					},
					{
						"key": "Content-Type",
						"value": "application/json"
					}
				],
				"body": {
					"mode": "raw",
					"raw": "[ { \"column\": \"{{column}}\", \"datatype\": \"text\", \"elasticube\": \"{{cube}}\", \"members\": [ {{naam}} ], \"server\": \"localhost\", \"shares\": [ { \"party\": \"{{groupid}}\", \"type\": \"group\" } ], \"table\": \"{{table}}\" }]"
				},
				"url": {
					"raw": "https://URL/api/elasticubes/datasecurity",
					"protocol": "https",
					"host": [
						"URL",
						"nl"
					],
					"path": [
						"api",
						"elasticubes",
						"datasecurity"
					]
				}
			},
			"response": []
		}
	]
}

    CSV is

     cube,naam,groupid,column,table
    CUBE,"""SECURITY_VALUE""",USERID/GROUPID,FIELD_NAME,TABLE_NAME