Custom Row Level Security

By sisense

The Custom Row-Level Security plugin applies custom data security for users by querying a remote service.

You can use the Custom Row-Level Security plugin if you have dynamic data security that changes frequently (every few minutes).

On every data query sent to the Sisense server, the Sisense server first sends an HTTP/HTTPS request to a security endpoint to get the updated data security for the logged-in user. The security rules are applied to the query so that the query is processed with the new data security rules.

Important Note: The security endpoint should be implemented by the client and should return the data security rules in the expected format.

Use Case:

A company has a real-time product with complex data security rules. The security rules are saved in a database and are changed often, based on new data that comes in.

Since the company already maintains complex data security rules on their system, they would like to avoid maintaining it twice - once in their database and once in Sisense. In addition, since their data security is changed so often, they want to be assured that the Sisense security rules are always up-to-date.

Using Custom Row Level Security, they can use their existing security database, and make sure the security rules are always up-to-date.

Installing the Custom Row Level Security Plugin

Installing the Server-Side Plugin

  1. Download the plugin.
  2. Enable the server-side plugin feature:
    1. Open the Configuration Manager from your browser at http://localhost:3030
    2. Click the Sisense logo five times to display the full list of services configurations.
    3. On the API-Gateway tab, enable serverSidePlugins.enabled.
  3. Place the “serverSidePlugin” folder content in the path specified under the API-Gateway serverSidePlugins.dirPath setting in the Configuration Manager.
  4. Configure the Custom Row Level Security, as described below.
  5. Install the node dependencies:
  6. If it is not already installed, install npm.
    1. Open the Windows Command Line.
    2. Browse to [plugin location]/Jaql/addDataSecurityLib.
    3. Run this command: npm install

Disabling Pivot2

This plugin does not support Pivot2. To disable Pivot2:

  1. Run the installation.bat file on the server as Administrator. it will disable the Pivot2 service and will stop it.
  2. Copy the disablePivot2 plugin to your plugins folder located in C:\Program Files\Sisense\app\plugins
  3. Restart Sisense services by clicking Restart Services in the Configuration Manager: http://localhost:3030/system

Configuring Custom Row Level Security

The configuration file is located in:

[server side plugin location]/Jaql/addDataSecurityLib/config.json

The Configuration Object Keys:

  • defaultEndpointHeaders Object. Key-value pairs of the default headers that are added to the data security REST API request. If not needed, the object should be kept empty.
  • cubesEndpoint Array. Contains the Data Security endpoints and headers that the given cubes will get the Data Security rules from. This array is used to decide which Data Security endpoint is triggered for the given JAQL query.
    Data Security configuration object keys:

    • cubes: Array of full cube name: [address/cube title] (mandatory).
    • endpoint: String (mandatory). The data security endpoint for the cube.
    • endpointHeaders: Object (optional). Key-value pairs of the headers that are added to the data security endpoint that is listed above.

Note: The configured security endpoints should be implemented by the client.

Creating a Data Security Rules Service

The Custom Row Level security checks for each query of the data source. Based on the configuration, it sends a query to the configured Data Security Rules endpoint.

The request is sent with some URL parameters:

  • user – The user email
  • role – User role name
  • cube – The full ElastiCube name
  • groups – User group IDs

In addition, if specified, some headers are added to the query.

The endpoint returns an object with three keys:

  • rules: Array of data security rules, as described below
  • includeAll: Boolean (optional). When set to true, the user can see all of the ElastiCube data.
  • excludeAll: Boolean (optional). When set to true, the user cannot access the ElastiCube data.

Note: If includeAll or excludeAll are specified, the rules are not taken into account.

The rules array contains objects that describe the data security for a user, group, or role:

  • dim: String (optional). The data security dimension
  • members: Array of the members that the user should see (optional). When specified the members of the dimension must be set

Return value example:

Notes:

  • In case a user/role/group has more than one data security rule for an ElastiCube, the priority is:
    1. Exclude all
    2. Include all
    3. Members – union between all members settings
  • After every change made to the server-side plugin configuration file, restart the Sisense.Gateway service
  • After every system upgrade, run the installation.bat file with Administrator rights
  • The data security fields are validated against the ElastiCube. If there is even one field that does not exist in the ElastiCube, the user will not be able to see the ElastiCubedata
  • If the user/role/group does not have data security applied to an ElastiCube, the user will not see any data
  • If an ElastiCube does not have an endpoint configured in the server side plugin configuration plugin, the ElastiCube will use the Sisense default data security
  • ElastiCubesets are supported
This is a premium Sisense add-on. For pricing details please get in touch with your CSM: Get the Add-On

Release Notes:
1.0.2
1.0.2 – 2020-9-7
First release