The Custom Row-Level Security plugin applies custom data security for users by querying a remote service.
You can use the Custom Row-Level Security plugin if you have dynamic data security that changes frequently (every few minutes).
On every data query sent to the Sisense server, the Sisense server first sends an HTTP/HTTPS request to a security endpoint to get the updated data security for the logged-in user. The security rules are applied to the query so that the query is processed with the new data security rules.
Important Note: The security endpoint should be implemented by the client and should return the data security rules in the expected format.
A company has a real-time product with complex data security rules. The security rules are saved in a database and are changed often, based on new data that comes in.
Since the company already maintains complex data security rules on their system, they would like to avoid maintaining it twice - once in their database and once in Sisense. In addition, since their data security is changed so often, they want to be assured that the Sisense security rules are always up-to-date.
Using Custom Row Level Security, they can use their existing security database, and make sure the security rules are always up-to-date.
Installing the Custom Row Level Security Plugin
Installing the Server-Side Plugin
- Download the plugin.
- Enable the server-side plugin feature:
- Open the Configuration Manager from your browser: Linux | Windows
- Click the Sisense logo five times to display the full list of services configurations.
- On the API-Gateway tab, enable serverSidePlugins.enabled.
- Place the “serverSidePlugin” folder content in the path specified under the API-Gateway serverSidePlugins.dirPath setting in the Configuration Manager.
- Configure the Custom Row Level Security, as described below.
- Restart Sisense services/ pods:
- Linux: Restart the apigateway pod
- Windows: Restart the Sisense services by clicking “Restart Services” in the Configuration Manager page.
Configuring Custom Row Level Security
The configuration file is located in:
[server side plugin location]/Jaql/addDataSecurityLib/config.json
The Configuration Object Keys:
- defaultEndpoint: String. Data Security Service URL.
The URL can be provided with parameters based on the request information, for example:
/secure/ – a static route addition to the Data Secure Service.
Using the origin information, you can define a dynamic security service endpoint based on the request origin.
If a default endpoint is set, security rules will be applied for all cubes that do not have an explicit security endpoint set in the cubesEndpoint collection.
- passEntireRequestBody Boolean. If set to true, interceptors will send the whole body and request headers to the data security endpoint.
- defaultEndpointHeaders Object. Key-value pairs of the default headers that are added to the data security REST API request. If not needed, keep the object empty.
- cubesEndpoint Array. Contains the Data Security endpoints and headers that the given cubes will get the Data Security rules from. This array is used to decide which Data Security endpoint is triggered for the given JAQL query.
Data Security configuration object keys:
- cubes: Array of full cube name: [address/cube title] (mandatory).
- endpoint: String (mandatory). The data security endpoint for the cube.
- endpointHeaders: Object (optional). Key-value pairs of the headers that are added to the data security endpoint that is listed above.
Note: The configured security endpoints should be implemented by the client.
Creating a Data Security Rules Service
The Custom Row Level security checks for each query of the data source. Based on the configuration, it sends a query to the configured Data Security Rules endpoint.
The request is sent with some URL parameters:
- user – The user email
- role – User role name
- cube – The full ElastiCube name
- groups – User group IDs
In addition, if specified, some headers are added to the query.
The endpoint returns an object with three keys:
- rules: Array of data security rules, as described below
- includeAll: Boolean (optional). When set to true, the user can see all of the ElastiCube data.
- excludeAll: Boolean (optional). When set to true, the user cannot access the ElastiCube data.
Note: If includeAll or excludeAll are specified, the rules are not taken into account.
The rules array contains objects that describe the data security for a user, group, or role:
- dim: String (optional). The data security dimension
- members: Array of the members that the user should see (optional). When specified the members of the dimension must be set
Return value example:
- In case a user/role/group has more than one data security rule for an ElastiCube, the priority is:
- Exclude all
- Include all
- Members – union between all members settings
- After every change made to the server-side plugin configuration file, restart the Sisense.Gateway service
- After every system upgrade, run the installation.bat file with Administrator rights
- The data security fields are validated against the ElastiCube. If there is even one field that does not exist in the ElastiCube, the user will not be able to see the ElastiCubedata
- If the user/role/group does not have data security applied to an ElastiCube, the user will not see any data
- If an ElastiCube does not have an endpoint configured in the server side plugin configuration plugin, the ElastiCube will use the Sisense default data security
- ElastiCubesets are supported
This is a premium Sisense add-on. For pricing details please get in touch with your CSM:
Get the Add-On