We are now able to embed our GD workspace into our react app using iFrames. We are also able to provide the JWT, by posting a message to the iFrame. However, the workspace data filter is not working.

Hi Oscar, just to make sure I understand - are you trying to set up a Workspace Data Filter by sending a message to embedded iFrame? If so, then that is not propper approach. Workspace data filters need to be set in advace with a standard API call by user with required permissions as described here. As far as I know you can not define Worksspace Data Filter or Workspace Data Filter Config (value) by a message sent to an iframe. And it IMO makes sense as those calls are running under the end user session and you can not allow the end user to modify (and therefore could overcome) the Workspace Data Filters.

so we can't reuse the same workspace if we have 3 different companies trying to use them at the same time?

While technically speaking, you can change the workspace data filter (or rather the workspace data filter config = the value based on which the data are filtered), to different value with an API call, I would for sure not do it to use the same workspace by three companies especially at the same time! Workspace data filter is defined on the workspace level and anyone with access to the workspace will see the data based on that filter. Changing the filter dynamically to switch to different company’s data while people from multiple companies have access to the same workspace seems like very risky thing to do. I would see a huge risk that users from company A who have access to that workspace would be able to see data of company B. Also any scheduled exports would probably work with the current filter and send data of different company… That could be IMO really dangerous and I would suggest not doing it ever. Do you have a specific reason why to share one workspace with multiple companies? Is that for cost reasons? Legally speaking, I am not sure if you are allowed to use the same workspace for multiple companies from the contract point of view. I guess that depends on details of your specific contract and I would suggest to consult this with your customer representative.

we are just looking for the most efficient way to develop workspaces that we maintain. less number of workspaces translates to less maintenance work if some is broken or to be enhanced.

I see, depends on what you mean by “reuse”. It would not be “reusing” in the sense that you use the very same workspace (with the same ID) for multiple customers. But you can for sure “reuse” its content (model, metrics, visualizations, dashboards…) and based other workspaces of it. That is the concept of parent-child relationship in GoodData Cloud also called Workspace Hierarchy with multiple tenants. That way you can easily manage structure of all the workspaces by modifying just one. Then all the objects (but not data) available in the parent workspace are also available (read only) in all the child workspaces. plus custom objects can be created in these child workspaces. That is the standard and recommended way for setting up the Workspace hierarchy in GoodDataCloud: • You define a parent workspace “P” with logical model, metric, visualizations, dashboards ◦ You define a Workspace Data Filter in this parent workspace ◦ You map this Workspace Data Filter in the Logical Data Model to the datasets (tables) where it should be applied (and what column in source database to use for the filter) ◦ you do not share the parent workspace with any of your customers (it still contains all the data) • You define a Client Workspace for your first client “C1” and make the workspace “P” its parent ◦ For workspace “C1” you define WorkspaceDataFilterSetting where for the WorkspaceDataFilter defined in “P” you define what values should be valid for workspace “C1” ▪︎ basically what should be in the additional WHERE column = … condition ◦ You add end users from company C1 into this workspace • same way you define one workspace (“C2", “C3”, …) for each of your clients and add users from those companies (typically one company - one workspace) • to deploy any changes you just modify the parent workspace “P” and all the changes automatically propagate to all the client workspaces Ideally to make the maintenance even easier, you define a user group for each workspace and assign the workspace permission to the user group and then only add users to the groups. With OIDC just-in-time provisioning, you can add users to groups without need to do an API call. For JWT, this is currently not yet available, so you will need to create the user and assign their permissions upfront. To do so, you can use the official Python SDK: https://www.gooddata.com/docs/python-sdk/latest/ Or for example this set of Python tools: https://github.com/gooddata/gooddata-productivity-tools I hope this helps and clarifies it a bit. Please le us know if you would have more questions on how to best set up your multi-tenant environment

Just to confirm my understanding, when we have a new customer that we need to have an embedded analytics, we have to do these steps on the GoodData web interface: 1. add their companyId to the "P1" WorkspaceDataFilter 2. create a new child workspace "Cx" then set their own companyId 3. grab the new iFrame URL 4. create new user 5. give user access to child workspace

Hi Oscar, when you already have the parent workspace defined with Workspace data filter set in it (mapped to the datasets) - that is a one time operation - then all you need to do to add a new customer is: 1. create a new child workspace “Cx” 2. set their own companyId into workspaceDataFilterSettings in that “Cx” workspace 3. create new user and give user access to that child workspace “Cx” 4. grab the new iFrame URL (the iframe URL will be technically the same, it will just have different workspaceID)