Amazon QuickSight is a fully-managed, cloud-native business intelligence (BI) service that makes it easy to connect to your data, create interactive dashboards, and share these with tens of thousands of users, either within QuickSight itself, or embedded in software as a service (SaaS) apps.
QuickSight Enterprise Edition recently added row-level security (RLS) using tags, a new feature that allows developers to share a single dashboard with tens of thousands of users, while ensuring that each user can only see and have access to particular data. This means that when an independent software vendor (ISV) adds a QuickSight-embedded dashboard in their app, they don’t have to provision their end-users in QuickSight, and can simply set up tags to filter data based on who the dashboard is being served to. For example, if an ISV wanted to set up a dashboard that was to be shared with 20,000 users across 100 customers of an app, with all users within a customer having access to identical data, this new feature allows you to share a single dashboard for all users, without having to set up or manage the 20,000 users in QuickSight.
RLS enforced using tags makes sure that each end-user only sees data that is relevant to them, while QuickSight automatically scales to meet user concurrency to ensure every end-user sees consistently fast performance. In this post, we look at how this can be implemented.
Lahenduse ülevaade
To embed dashboards without user provisioning, we use the API GenerateEmbedURLForAnonymousUser, which works with QuickSight’s session capacity pricing. With this API, the embedding server (logic in the SaaS app) determines and manages the identity of the user to whom the dashboard is being displayed (as opposed to this identity being provisioned and managed within QuickSight).
The following diagram shows an example workflow of embedded dashboards that secures data based on who is accessing the application using RLS with tags.
In this case, an ISV has a SaaS application that is accessed by two end-users. One is a manager and other is a site supervisor. Both users access the same application and the same QuickSight dashboard embedded in the application and they’re not provisioned in QuickSight. When the site supervisor accesses the dashboard, they only see data pertaining to their site, and when the manager accesses the dashboard, they see data pertaining to all the sites they manage.
To achieve this behavior, we use a new feature that enables configuring the row-level security using tags. This method of securing data on embedded dashboards works only when dashboards are embedded without user provisioning (also called anonüümne manustamine). The process includes two steps:
- Set up tag keys on the columns of the datasets used to build the dashboard.
- Set values for the tag keys at runtime when embedding the dashboard anonymously.
Set up tag keys on columns in the datasets used to build the dashboard
ISVs or developers can set columns on the datasets using the CreateDataset
or UpdateDataset
APIs as follows:
In the preceding example code, row-level-permission-tag-configuration
is the element that you can use to define tag keys on the columns of a dataset. For each tag, you can define the following optional items:
- TagMultiValueDelimiter – This option when set on a column enables you to pass more than one value to the tag at runtime, and the values are delimited by the string set for this option. In this sample, a comma is set as a delimiter string.
- MatchAllValue – This option when set on a column enables you to pass all values of a column at runtime, and the values are represented by the string set for this option. In this sample, an asterisk is set as a match all string.
After we define our tags, we can enable or disable these rules using the Status
element of the API. In this case the value is set to ENABLED
. To disable the rules, the value is DISABLED
. After the tags are enabled, we can pass values to the tags at runtime to secure the data displayed based on who is accessing the dashboard.
Each dataset can have up to 50 tag keys.
We receive the following response for the CreateDataset
or UpdateDataset
API-d:
Enable authors to access data protected by tag keys when authoring analysis
After tags keys are set and enabled on the dataset, it is secured. Authors when using this dataset to author a dashboard don’t see any data. They must be given permissions to see any of the data in the dataset when authoring a dashboard. To give QuickSight authors permission to see data in the dataset, create a permissions file or a rules dataset. For more information, see Creating Dataset Rules for Row-Level Security. The following is an example rules dataset.
Kasutajanimi | column_name_1 | column_name_2 | column_name_3 |
admin/sampleauthor |
In this sample dataset, we have the author’s username listed in the UserName column. The other three columns are the columns from the dataset on which we set tag keys. The values are left empty for these columns for the author added to this table. This enables the author to see all the data in these columns without any restriction when they’re authoring analyses.
Set values to the tag keys at runtime when embedding the dashboard
After the tag keys are set for columns of the datasets, developers set values to the keys at runtime when embedding the dashboard. Developers call the API GenerateDashboardEmbedURLForAnonymousUser
to embed the dashboard and pass values to the tag keys in the element SessionTags
, nagu on näidatud järgmises näitekoodis:
Because this feature secures data for users not provisioned in QuickSight, the API call is for AnonymousUser
only and therefore this feature works only with the API GenerateDashboardEmbedURLForAnonymousUser
.
The preceding example code has the following components:
- eest
tag_name_1
, you set two values (value1
javalue2
) kasutadesTagMultiValueDelimiter
defined when setting the tag keys (in this case, a comma). - eest
tag_name_2
, you set one value as an asterisk. This enables this tag key to have all values for that column assigned because we defined asterisk as theMatchAllValue
when setting a tag key on the column earlier. - eest
tag_name_3
, you set one value (value3
).
API response definition
The response of the API has the EmbedURL
, Status
ja RequestID
. You can embed this URL in your HTML page. Data in this dashboard is secured based on the values passed to the tag keys when calling the embedding API GenerateDashboardEmbedURLForAnonymousUser
:
- EmbedUrl (string) – A single-use URL that you can put into your server-side webpage to embed your dashboard. This URL is valid for 5 minutes. The API operation provides the URL with an
auth_code
value that enables one (and only one) sign-on to a user session that is valid for up to 10 hours. This URL renders the dashboard with RLS rules applied based on the values set for the RLS tag keys. - Status (integer) – The HTTP status of the request.
- RequestId (string) – The AWS request ID for this operation.
Peeneteraline juurdepääsukontroll
You can achieve fine-grained access control by using dynamic AWS-i identiteedi- ja juurdepääsuhaldus (IAM) policy generation. For more information, see Isolating SaaS Tenants with Dynamically Generated IAM Policies. Kui kasutate GenerateEmbedUrlForAnonymousUser
API for embedding, you need to mention two resource types in the IAM policy: the namespace ARNs your anonymous users virtually belong to, and the dashboard ARNs that can be used in the AuthorizedResourceArns
input parameter value. The sessions generated using this API can access the authorized resources and the ones (dashboards) shared with the namespace.
Because anonymous users are part of a namespace, any dashboards shared with the namespace are accessible to them, regardless of whether they are passed explicitly via the AuthorizedResourceArns
parameeter.
To allow the caller identity to generate a URL for any user and any dashboard, the Resource
block of the policy can be set to *
. To allow the caller identity to generate a URL for any anonymous user in a specific namespace (such as Tenant1
) Resource
part of the policy can be set to arn:aws:quicksight:us-east-1:<YOUR_AWS_ACCOUNT_ID>:namespace/Tenant1
. This is the same for the dashboard ID. For dynamic policy generation, you can also use placeholders for the namespace and users.
The following code is an example IAM policy:
Kasutusjuhtum
OkTank is an ISV in the healthcare space. They have a SaaS application that is used by different hospitals across different regions of the country to manage their revenue. OkTank has thousands of healthcare employees accessing their application and has embedded operations related to their business in a QuickSight dashboard in their application. OkTank doesn’t want to manage their users in QuickSight separately, and wants to secure data based on which user from which hospital is accessing their application. OkTank is securing the data on the dashboards at runtime using row-level security using tags.
OkTank has hospitals (North Hospital, South Hospital, and Downtown Hospital) in regions Central, East, South, and West.
In this example, the following users access OkTank’s application and the embedded dashboard. Each user has a certain level of restriction rules that define what data they can access in the dashboards. PowerUser
is a super user that can see the data for all hospitals and regions.
OkTank’s application’s user | Haigla | regioon |
NorthUser | Põhjahaigla | Kesk ja Ida |
NorthAdmin | Põhjahaigla | Kõik piirkonnad |
SouthUser | Lõuna haigla | Lõuna |
SouthAdmin | Lõuna haigla | Kõik piirkonnad |
jõukasutaja | Kõik haiglad | Kõik piirkonnad |
None of these users have been provisioned in QuickSight. OkTank manages these users in its own application and therefore knows which region and hospital each user belongs to. When any of these users access the embedded QuickSight dashboard in the application, OkTank must secure the data on the dashboard so that users can only see the data for their region and hospital.
First, OkTank created tag keys on the dataset they’re using to power the dashboard. In their UpdateDataset
API kõne, RowLevelPermissionTagConfiguration
element on the dataset is as follows:
Second, at runtime when embedding the dashboard via the GenerateDashboardEmbedURLForAnonymousUser
API, they set SessionTags
iga kasutaja jaoks.
SessionTags
eest NorthUser
aasta GenerateDashboardEmbedURLForAnonymousUser
API call are as follows:
SessionTags
eest NorthAdmin
on järgmised:
SessionTags
eest SouthUser
on järgmised:
SessionTags
eest SouthAdmin
on järgmised:
SessionTags
eest PowerUser
on järgmised:
Järgmine ekraanipilt näitab, mida SouthUser
sees pertaining to South Hospital in the South region.
Järgmine ekraanipilt näitab, mida SouthAdmin
sees pertaining to South Hospital in all regions.
Järgmine ekraanipilt näitab, mida PowerUser
sees pertaining to all hospitals in all regions.
Based on session tags, OkTank has secured data on the embedded dashboards such that each user only sees specific data based on their access. You can pääseda armatuurlauale as one of the users (by changing the user in the drop-down menu on the top right) and see how the data changes based on the user selected.
Overall, with row-level security using tags, OkTank is able to provide a compelling analytics experience within their SaaS application, while making sure that each user only sees the appropriate data without having to provision and manage users in QuickSight. QuickSight provides a highly scalable, secure analytics option that you can set up and roll out to production in days, instead of weeks or months previously.
Järeldus
The combination of embedding dashboard for users not provisioned in QuickSight and row-level security using tags enables developers and ISVs to quickly and easily set up sophisticated, customized analytics for their application users—all without any infrastructure setup or management while scaling to millions of users. For more updates from QuickSighti manustatud analüüsVt Mis on uut Amazon QuickSighti kasutusjuhendis.
Autoritest
Raji Sivasubramaniam is a Specialist Solutions Architect at AWS, focusing on Analytics. Raji has 20 years of experience in architecting end-to-end Enterprise Data Management, Business Intelligence and Analytics solutions for Fortune 500 and Fortune 100 companies across the globe. She has in-depth experience in integrated healthcare data and analytics with wide variety of healthcare datasets including managed market, physician targeting and patient analytics. In her spare time, Raji enjoys hiking, yoga and gardening.
Srikanth Baheti on Amazon QuickSighti spetsialiseerunud World Wide Sr. lahendusarhitekt. Ta alustas oma karjääri konsultandina ja töötas mitmes era- ja valitsusorganisatsioonis. Hiljem töötas ta ettevõttes PerkinElmer Health and Sciences & eResearch Technology Inc, kus ta vastutas suure liiklusega veebirakenduste, väga skaleeritavate ja hooldatavate andmekanalite kavandamise ja arendamise eest AWS-i teenuseid ja serverita andmetöötlust kasutavate aruandlusplatvormide jaoks.
Kareem Syed-Mohammed on Amazon QuickSighti tootejuht. Ta keskendub manustatud analüütikale, API-dele ja arendajakogemusele. Enne QuickSighti töötas ta peaministrina AWS Marketplace'i ja Amazoni jaemüügiga. Kareem alustas oma karjääri arendajana ja seejärel kõnekeskuse tehnoloogiate, kohaliku eksperdi ja Expedia reklaamide peaministrina. Ta töötas mõnda aega konsultandina ettevõttes McKinsey and Company.
- '
- "
- &
- 000
- 100
- 11
- juurdepääs
- konto
- tegevus
- kuulutused
- Materjal: BPA ja flataatide vaba plastik
- Amazon
- analytics
- API
- API-liidesed
- app
- taotlus
- rakendused
- apps
- autorid
- AWS
- ehitama
- äri
- ärianalüüsi
- helistama
- Võimsus
- Karjäär
- kood
- Veerg
- Ettevõtted
- ettevõte
- arvutustehnika
- konsultant
- Kliendid
- armatuurlaud
- andmed
- andmehaldus
- arendaja
- Arendajad
- kesklinna
- töötajad
- ettevõte
- kogemus
- KIIRE
- tunnusjoon
- Valitsus
- Tervis
- tervishoid
- siin
- Suur
- matkamine
- Haigla
- haiglad
- Kuidas
- HTTPS
- IAM
- Identity
- Kaasa arvatud
- info
- Infrastruktuur
- Intelligentsus
- interaktiivne
- IT
- Võti
- võtmed
- Tase
- kohalik
- Tegemine
- juhtimine
- Turg
- turul
- Vastama
- kuu
- uus funktsioon
- põhja-
- Operations
- valik
- Muu
- jõudlus
- arst
- Platvormid
- poliitika
- võim
- era-
- Toode
- Produktsioon
- ressurss
- Vahendid
- vastus
- jaemüük
- tulu
- Rull
- eeskirjade
- SaaS
- ketendamine
- TEADUSED
- turvalisus
- näeb
- väljavalitud
- Serverita
- Teenused
- komplekt
- kehtestamine
- Jaga
- jagatud
- Lühike
- Saidid
- So
- tarkvara
- Lahendused
- Lõuna
- Ruum
- alustatud
- väljavõte
- olek
- Tehnoloogiad
- Tehnoloogia
- aeg
- ülemine
- liiklus
- Uudised
- Kasutajad
- väärtus
- web
- veebirakendused
- Läände
- WHO
- jooksul
- töövoog
- töötab
- maailm
- aastat
- jooga