# gooddata-cloud
e
Hello all. I have a question about updating the LDM to cater for fine-grained access control, i.e. some users shouldn’t see all the data.

Context
• Our product is a SaaS tool where we have embedded the GoodData Analytical Designer via an iframe, which is configured to use our own auth provider
• We have our own permission and access model, which is a combination of role and row based access
• Currently only our admin user roles can access the GoodData instance, and those roles are entitled to see all data
• We have other roles that do not have access to all data, governed by our fine-grained permission model
• We are working on allowing those other roles to have access to GoodData
• Our approach as recommended by the GD team has been to leverage the user filter functionality - essentially filter by `user_id` to restrict the content visible for the current user

Challenge
1. All the data entities (tables & views) in the LDM would need to be filtered by `user_id`
2. We’ve tried adding lookup tables with `user_id` column that are linked/related to the target entity, e.g. if we had a `sales` table with `sales_id` and other columns, it would have a corresponding `sales_lookup` table linked on `sales_id` that lists each `user_id` for each `sales_id` - but the target `sales` table does not have the `user_id`
   ◦ This approach was intended to keep the ‘business entity’ tables in the same shape, but permit filtering by the `user_id`
   ◦ The problem is that the filter only works when an insight includes the `user_id`, which we of course can’t enforce
3. Our alternative approach is to create views of the business entities that do include the `user_id`, effectively repeating the `sales_id` and other columns for every user that has access to that row

Right now we can’t see how we could make the lookup table approach in point 2 above work. Do the GoodData team know of any way we can force the generated queries to always consider/apply the user filter, even if the user hasn’t added the corresponding column to an insight? Otherwise, is there a different approach we should or could consider other than point 3 above? All thoughts and suggestions welcome!
i
Hello Eoghan, I assume that you are not speaking about the User Data Filters (UDF), but rather about the Workspace Data Filter (WDF). Could you kindly confirm if this is the case, please?
e
I am speaking about user data filters.
We can’t use workspace data filters, because each workspace is for a different customer. We need additional filtering within the workspace.
i
Ok. Could you share with us the JSON template that you used for creation of your UDF, please?
e
```json
{
  "data": {
    "id": "project_lookup_filter",
    "type": "userDataFilter",
    "attributes": {
      "title": "Project Lookup filter",
      "maql": "{label/project_lookup.user_id} = \"<user_id_value>\""
    }
  }
}
```
You can ignore my Sales references earlier - a real entity for us is Project.
i
Thanks a lot, this looks fine to me. I am wondering how the relations are set in your model. Please let me ping you also via DM.