Column-Level Security

By Sisense

Overview

Using the Column Level Security you can apply data security rules on the column level. Sensitive columns can be configured to be either replaced by another column or completely hidden.

Each column can be configured to be hidden or replaced on export to CSV/Excel only, or on the dashboard level as well.

Note: This add-on does not support exporting to PDF and exporting a widget as an image.

Use Case

A hospital is interested in analyzing procedure waiting time. For each procedure, the collected data includes the procedure information, waiting time, and patient information. A unique identifier is set for each patient as well.

As required by the Health Insurance Portability and Accountability Act (HIPAA), sensitive personally identifiable information (PII) must be encrypted to prevent it from harming individuals should a data breach occur.

Using the Column Level Security add-on, all columns that are considered PII can be replaced with the patient’s unique identifier, or they can be completely hidden.

This solution consists of three components:

  1. Client side plugin – applies security for the Sisense application.
  2. Server side plugin – applies security for the Sisense API.
  3. External plugin – adds REST API for ‘Column Level Security’.

Installation

  1. Extract the .zip folder.
  2. Install the client-side component:
    Place the ./Plugin/columnLevelSecurity folder in /opt/sisense/storage/plugins/.

    • If the folder does not exist, create it.
  3. Install the external-plugin component:
    Place the external-plugin folder ./Plugin/columnLevelSecurityMicroservice/src/features/columnLevelSecurity into /opt/sisense/storage/external-plugins/apiPlugins/plugins/.

    • If the folder does not exist, create it.
  4. Restart external-plugins pod to apply configuration changes.
  5. Install the server-side plugin component:
    1. Open the Configuration Manager page.
    2. Scroll to the bottom of the page and click  Show Advanced.
    3. Expand the Server Side Plugins section and enable the server-side plugins.
    4. Click Save.
    5. Copy folder ./Plugin/columnLevelSecurityInterceptors to /opt/sisense/storage/serverSidePlugins.
  6. Restart the Api-gateway pod and the External-plugins pod.

Managing Column-Level Security Rules

Managing the column-level security rules is done using column-security REST APIs that can be found on the REST API page:

To add new column-security rules, use the POST /columnsecurity endpoint.

Column-level Security Rule Structure

Rule parameters:

  • cube – full path of the ElastiCube in format <server>/<elasticube name>
  • dim – full sensitive dimension name that the rule is applied on. Format: “[<table>.<column>]”
  • replaceWith – If specified, the sensitive dimension is replaced by this dimension. Format: “[<table>.<column>]”
    Notes: The sensitive column has to have a one-to-one relationship with the replacing column.
  • shares – array. Users/groups affected by the rule.
    • id – User/group ID
    • type – Type of the share: ‘user’ or ‘group’
    • allowOnDashboard – boolean. If set to true, the sensitive dimension is hidden or replaced only on export to CSV/Excel and not on the dashboard level
  • excluded – array. Users/groups permitted to view the column on export and on dashboard view
    • id – User/group ID
    • type – type of the share: ‘user’ or ‘group’
  • everyoneElse – default security rule for users that are not in the shares nor in the excluded lists

Example:

{

  "cube": "LocalHost/Sample ECommerce",

  "dim": "[Category.Category]",

  "replaceWith" : "[Category.Category ID]",

  "shares" : [

    {

      "id" : "5c8a85f40bd0266fa8344bf0",

      "type" : "user",

      "allowOnDashboard" : true

    }

  ],

  "everyoneElse" : {

  "allowOnDashboard" : false

  },

  "excluded" : [
    {

      "id" : "5c8a85f40bd0266fa8344bf1",

      "type" : "user"

    }

  ]

}

Note: By default, the plugin only replaces columns and does not hide them. To enable hide columns, use the POST /columnsecurity/settings endpoint.

This setting is global, affecting all the column-level security configuration entries.
In case the ‘allowHideColumn’ is set to false, all the rules that do not include the replaceWith property are not active until they are updated.

Security rules can make permanent changes to dashboards and widgets in specific cases. Some changes cannot be reverted. Examples:

  1. Dashboard filters:
    • Column replacement rules can cause duplications on dashboard filters. In this case, the dashboard filter field will be removed and cannot be replaced. If the duplicated field is part of the cascading filter, the cascading filter is removed completely.
    • If the replacing field has a different type than the original field, any type-related configurations (such as level configuration for date field) will be removed.
  2. Drill to:
    If a restricted dimension is used in a drill, the widget will be drilled up to the nearest unrestricted dimension.
  3. Restore dashboard when hidden rules became obsolete.
    • Logged in as the dashboard owner:
      Hidden widget fields/filters are permanently removed from the widget in case the widget is re-saved.
      Once the widget is saved without the hidden fields, no changes made to the security rules will add the columns again.
    • Hidden dashboard filters are permanently removed in case a user adds an additional filter to the dashboard. No changes made to the security rules will add the filters again.
  4. Duplicating a widget:
    When duplicating a widget that contains a sensitive column, the duplicated widget is duplicated as presented to the user – without the hidden column or with the replacement column.
  5. Formulas:
    If a measure of type formula contains a hidden sensitive column, the measure will be hidden completely.

Limitations

  • Table and column names can’t contain the ‘.’ symbol.
  • If cascading filters have restricted dimensions, all levels below are hidden.
This is a premium Sisense add-on. For pricing details please get in touch with your CSM: Get the Add-On

1.0.0.7 – 01/04/2021
First release

TOP