Ernesto Ongaro, TIBCO Jaspersoft
Multi Tenant Security
Agenda
What is column and row level security?
What is multi-tenancy?
Explain Organizations/Roles/Users/Attributes
Four Multi Tenancy Types
Jaspersoft Server Multi-tenancy Features
©2014 Jaspersoft Corporation. Proprietary and Confidential
Column Level Security
Full Name        Store     Salary
John Smith       Store 11  £25,000
Nancy Snowden    Store 24  £34,000
Martin Scotcher  Store 11  £22,000
Terry Knight     Store 11  £11,200
Megan McGovern   Store 7   £34,000
Sue Gonzales     Store 9   £22,000

Column restricted by user role or attribute
Row Level Security
Full Name        Store     Salary
John Smith       Store 11  £25,000
Nancy Snowden    Store 24  £34,000
Martin Scotcher  Store 11  £22,000
Terry Knight     Store 11  £11,200
Megan McGovern   Store 7   £34,000
Sue Gonzales     Store 9   £22,000

Rows restricted by tenant or attribute
Organizations, Roles, Users, Attributes
Organization 1
Role 1
User 1
Role 2
User 2
Attribute 1
Organizations can be nested; the superuser manages the root level
Roles can span organizations or be organization specific
Users can belong to one or more roles
Attributes are assigned to each user
Type 0 – No multitenancy
One BI installation per customer, nothing is shared
Customer 1 -> DB1
Customer 2 -> DB2
Customer 3 -> DB3
Type 1 – Separate Databases
One BI installation, separate physical database per customer
JRS 1 -> DB1, DB2, DB3
jdbc:postgresql://hostname:5432/foodmart
Parameterize the hostname
Type 2 – Shared database, separate schema per customer
One physical database with one physical schema per customer
JRS 1 -> Schema 1, Schema 2, Schema 3
jdbc:postgresql://hostname:5432/foodmart
Parameterize the schema
Type 3 - Shared Database, Shared Schema, separate tables per customer
Tables using some sort of naming convention
JRS 1
SELECT SUM(SALES) FROM CUST01_SALES
Parameterize the table name (requires customization for Domains)
Tables: CUST01_SALES, CUST02_SALES
Type 4 - Shared Database, Shared Schema, Shared Tables
Row level security based on rules
JRS 1
SELECT SUM(SALES) FROM SALES WHERE CUST_ID = 01
Parameterize the WHERE clause
Table: CUST01_SALES
CUST_ID  Sales
01       20
02       34
Multi-Tenancy Feature
Comes with Enterprise Edition
Gives each organization its own "repository"
Gives each organization roles and users
Allows sharing of resources via the Public Folder
JRS Session Parameters
LoggedInUser
LoggedInUsername
LoggedInUserFullName
LoggedInUserEmailAddress
LoggedInUserEnabled
LoggedInUserExternallyDefined
LoggedInUserTenantId
LoggedInUserRoles
LoggedInUserAttributes
LoggedInUserAttributeNames
LoggedInUserAttributeValues
LoggedInUserAttribute_<attribute-name>
Row level security
Parameter substitution in SQL queries:
    WHERE store_city IN ($P!{LoggedInUserAttribute_Cities})
Parameter substitution in Domains:
    <filterExpression>customer.orgID IN groovy('authentication.principal.tenantId.toUpperCase()')</filterExpression>
Parameter substitution in XPath queries:
    <queryString language="xPath"><![CDATA[ /Northwind/Orders[CustomerID = '$P{LoggedInUserRoles}' ]]]></queryString>
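The Type 4 row-level filter (a parameterized WHERE clause on the shared SALES table) combined with the attribute-driven city list above, as an added example that is not from the deck or from Jaspersoft: a small Python/sqlite3 model on constructed sample rows, where the tenant id stands in for LoggedInUserTenantId and the city list for LoggedInUserAttribute_Cities. Both values are passed as bound parameters (the $P{} style) rather than spliced into the SQL text (the $P!{} style the slide uses for its IN clause), which is the property a reviewer checks on any row-level filter.

```python
import sqlite3

# Constructed sample data standing in for the shared SALES table of the
# Type 4 model: one schema, one table, every row tagged with its tenant.
SAMPLE_SALES = [
    # (CUST_ID, STORE_CITY, SALES)
    ("01", "London", 20),
    ("01", "Leeds", 5),
    ("02", "London", 34),
    ("02", "Bristol", 9),
]


def open_shared_db():
    """Build an in-memory copy of the shared SALES table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SALES (CUST_ID TEXT, STORE_CITY TEXT, SALES INTEGER)")
    conn.executemany("INSERT INTO SALES VALUES (?, ?, ?)", SAMPLE_SALES)
    return conn


def tenant_sales(conn, tenant_id, cities):
    """Sum of SALES visible to one tenant, restricted to the cities in its attribute.

    tenant_id plays the role of LoggedInUserTenantId and cities the role of
    LoggedInUserAttribute_Cities (hypothetical names from the slides, not an
    API).  Both reach the database only as bound parameters, so the tenant
    filter cannot be altered by the content of an attribute value: a value
    containing quotes is compared as a plain string and simply matches no row.
    """
    if not cities:
        # An empty IN () list is a SQL syntax error; an empty city attribute
        # should grant access to nothing rather than fail or fall open.
        return 0
    placeholders = ",".join("?" * len(cities))
    sql = ("SELECT COALESCE(SUM(SALES), 0) FROM SALES "
           f"WHERE CUST_ID = ? AND STORE_CITY IN ({placeholders})")
    row = conn.execute(sql, [tenant_id, *cities]).fetchone()
    return row[0]


if __name__ == "__main__":
    db = open_shared_db()
    print(tenant_sales(db, "01", ["London", "Leeds"]))  # 25: tenant 01 only
    print(tenant_sales(db, "02", ["London", "Leeds"]))  # 34: tenant 02 only
```

Inside a JasperReports query the same bound IN list is produced by the `$X{IN, store_city, <parameter>}` clause function instead of `$P!{}` text substitution.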
Column based security
Hide columns in canned / standard reports with a Print When expression:
    ($P{LoggedInUserRoles}.toString().contains("ROLE_ADMINISTRATOR")) ? new Boolean(true) : new Boolean(false)
Hide columns in Domains with an item group access grant:
    <itemGroupAccessGrant id="restrictedHR__salary__grant1" access="granted">
        <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_ADMINISTRATOR','ROLE_HR'] }</principalExpression>
    </itemGroupAccessGrant>
Further Reading and Help
JasperReports Server Admin Guide
Community Wiki
Professional Services from Jaspersoft and Partners