Amazon QuickSight is a fully-managed, cloud-native business intelligence (BI) service that makes it easy to connect to your data, create interactive dashboards, and share these with tens of thousands of users, either within QuickSight itself, or embedded in software as a service (SaaS) apps.
QuickSight Enterprise Edition recently added row-level security (RLS) using tags, a new feature that allows developers to share a single dashboard with tens of thousands of users, while ensuring that each user can only see and have access to particular data. This means that when an independent software vendor (ISV) adds a QuickSight-embedded dashboard in their app, they don’t have to provision their end-users in QuickSight, and can simply set up tags to filter data based on who the dashboard is being served to. For example, if an ISV wanted to set up a dashboard that was to be shared with 20,000 users across 100 customers of an app, with all users within a customer having access to identical data, this new feature allows you to share a single dashboard for all users, without having to set up or manage the 20,000 users in QuickSight.
RLS enforced using tags makes sure that each end-user only sees data that is relevant to them, while QuickSight automatically scales to meet user concurrency to ensure every end-user sees consistently fast performance. In this post, we look at how this can be implemented.
Solution overview
To embed dashboards without user provisioning, we use the GenerateEmbedUrlForAnonymousUser API, which works with QuickSight’s session capacity pricing. With this API, the embedding server (logic in the SaaS app) determines and manages the identity of the user to whom the dashboard is being displayed (as opposed to this identity being provisioned and managed within QuickSight).
The following diagram shows an example workflow of embedded dashboards that secures data based on who is accessing the application using RLS with tags.
In this case, an ISV has a SaaS application that is accessed by two end-users. One is a manager and the other is a site supervisor. Both users access the same application and the same QuickSight dashboard embedded in the application, and neither is provisioned in QuickSight. When the site supervisor accesses the dashboard, they only see data pertaining to their site, and when the manager accesses the dashboard, they see data pertaining to all the sites they manage.
To achieve this behavior, we use a new feature that enables configuring the row-level security using tags. This method of securing data on embedded dashboards works only when dashboards are embedded without user provisioning (also called anonymous embedding). The process includes two steps:
- Set up tag keys on the columns of the datasets used to build the dashboard.
- Set values for the tag keys at runtime when embedding the dashboard anonymously.
Set up tag keys on columns in the datasets used to build the dashboard
ISVs or developers can set tag keys on the columns of the datasets using the CreateDataset or UpdateDataset APIs as follows:
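As an added example, not code from the AWS post, the following Python builds the RowLevelPermissionTagConfiguration element (the row-level-permission-tag-configuration parameter of the CLI), validates it against the post's stated limit of 50 tag keys, and applies it through UpdateDataSet with boto3. The column names, tag keys, account ID and dataset ID are constructed placeholders.

```python
"""Build and validate the RowLevelPermissionTagConfiguration element for a
QuickSight dataset and apply it with UpdateDataSet.

Added example, not code from the AWS post. The column names, tag keys,
account ID and dataset ID are constructed placeholders.
"""
import json

MAX_TAG_KEYS = 50  # each dataset can carry at most 50 tag keys

# Constructed: columns of the dataset that the dashboard is built on.
DATASET_COLUMNS = {"column_name_1", "column_name_2", "column_name_3"}


def tag_rule(tag_key, column_name, multi_value_delimiter=None, match_all_value=None):
    """One TagRules entry; the two optional members are emitted only when set."""
    rule = {"TagKey": tag_key, "ColumnName": column_name}
    if multi_value_delimiter is not None:
        rule["TagMultiValueDelimiter"] = multi_value_delimiter
    if match_all_value is not None:
        rule["MatchAllValue"] = match_all_value
    return rule


def build_tag_configuration(rules, enabled=True):
    """Check the rules against the dataset and wrap them with the Status flag."""
    if not rules:
        raise ValueError("at least one tag rule is required")
    if len(rules) > MAX_TAG_KEYS:
        raise ValueError(f"a dataset can have at most {MAX_TAG_KEYS} tag keys")
    seen_keys = set()
    for rule in rules:
        if rule["TagKey"] in seen_keys:
            raise ValueError(f"duplicate tag key {rule['TagKey']!r}")
        seen_keys.add(rule["TagKey"])
        if rule["ColumnName"] not in DATASET_COLUMNS:
            raise ValueError(f"unknown column {rule['ColumnName']!r}")
        match_all = rule.get("MatchAllValue")
        # A match-all string equal to the delimiter could never be sent as one value.
        if match_all is not None and match_all == rule.get("TagMultiValueDelimiter"):
            raise ValueError(f"match-all string clashes with delimiter on {rule['TagKey']!r}")
    return {"Status": "ENABLED" if enabled else "DISABLED", "TagRules": list(rules)}


# Same shape as the post's sample: a comma delimiter on one column, an asterisk
# as the match-all string on another, and a plain single-value tag on the third.
EXAMPLE_RULES = [
    tag_rule("tag_name_1", "column_name_1", multi_value_delimiter=","),
    tag_rule("tag_name_2", "column_name_2", match_all_value="*"),
    tag_rule("tag_name_3", "column_name_3"),
]


def update_dataset_tags(client, aws_account_id, data_set_id, configuration):
    """Apply the configuration with UpdateDataSet (boto3 quicksight client).

    UpdateDataSet replaces the whole dataset definition, so the current name,
    table maps and import mode are read with DescribeDataSet and sent back
    unchanged; carry over ColumnGroups or FieldFolders the same way if the
    dataset uses them.
    """
    current = client.describe_data_set(AwsAccountId=aws_account_id, DataSetId=data_set_id)["DataSet"]
    return client.update_data_set(
        AwsAccountId=aws_account_id,
        DataSetId=data_set_id,
        Name=current["Name"],
        PhysicalTableMap=current["PhysicalTableMap"],
        LogicalTableMap=current.get("LogicalTableMap", {}),
        ImportMode=current["ImportMode"],
        RowLevelPermissionTagConfiguration=configuration,
    )


if __name__ == "__main__":
    # The printed JSON doubles as the value of --row-level-permission-tag-configuration
    # for `aws quicksight update-data-set`.
    print(json.dumps(build_tag_configuration(EXAMPLE_RULES), indent=2))
```

Run the module directly to get the JSON for the CLI, or pass a boto3 QuickSight client to update_dataset_tags to apply it with the API.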
In the preceding example code, row-level-permission-tag-configuration is the element that you can use to define tag keys on the columns of a dataset. For each tag, you can define the following optional items:
- TagMultiValueDelimiter – This option when set on a column enables you to pass more than one value to the tag at runtime, and the values are delimited by the string set for this option. In this sample, a comma is set as a delimiter string.
- MatchAllValue – This option when set on a column enables you to pass all values of a column at runtime, and the values are represented by the string set for this option. In this sample, an asterisk is set as a match all string.
After we define our tags, we can enable or disable these rules using the Status element of the API. In this case the value is set to ENABLED. To disable the rules, the value is DISABLED. After the tags are enabled, we can pass values to the tags at runtime to secure the data displayed based on who is accessing the dashboard.
Each dataset can have up to 50 tag keys.
We receive the following response for the CreateDataset or UpdateDataset APIs:
Enable authors to access data protected by tag keys when authoring analysis
After tag keys are set and enabled on the dataset, it is secured. Authors using this dataset to author a dashboard don’t see any data until they are given permission to see it. To give QuickSight authors permission to see data in the dataset, create a permissions file or a rules dataset. For more information, see Creating Dataset Rules for Row-Level Security. The following is an example rules dataset.
| UserName | column_name_1 | column_name_2 | column_name_3 |
| --- | --- | --- | --- |
| admin/sampleauthor | | | |
In this sample dataset, we have the author’s username listed in the UserName column. The other three columns are the columns from the dataset on which we set tag keys. The values are left empty for these columns for the author added to this table. This enables the author to see all the data in these columns without any restriction when they’re authoring analyses.
Set values to the tag keys at runtime when embedding the dashboard
After the tag keys are set for columns of the datasets, developers set values for the keys at runtime when embedding the dashboard. Developers call the GenerateDashboardEmbedURLForAnonymousUser API to embed the dashboard and pass values to the tag keys in the SessionTags element, as shown in the following example code:
Because this feature secures data for users not provisioned in QuickSight, the API call is for AnonymousUser only, and therefore this feature works only with the GenerateDashboardEmbedURLForAnonymousUser API.
The preceding example code has the following components:
- For tag_name_1, you set two values (value1 and value2) using the TagMultiValueDelimiter defined when setting the tag keys (in this case, a comma).
- For tag_name_2, you set one value as an asterisk. This assigns all values of that column to the tag key, because we defined the asterisk as the MatchAllValue when setting the tag key on the column earlier.
- For tag_name_3, you set one value (value3).
API response definition
The response of the API has the EmbedURL, Status, and RequestID. You can embed this URL in your HTML page. Data in this dashboard is secured based on the values passed to the tag keys when calling the embedding API GenerateDashboardEmbedURLForAnonymousUser:
- EmbedUrl (string) – A single-use URL that you can put into your server-side webpage to embed your dashboard. This URL is valid for 5 minutes. The API operation provides the URL with an auth_code value that enables one (and only one) sign-on to a user session that is valid for up to 10 hours. This URL renders the dashboard with RLS rules applied based on the values set for the RLS tag keys.
- Status (integer) – The HTTP status of the request.
- RequestId (string) – The AWS request ID for this operation.
Fine-grained access control
You can achieve fine-grained access control by using dynamic AWS Identity and Access Management (IAM) policy generation. For more information, see Isolating SaaS Tenants with Dynamically Generated IAM Policies. When using the GenerateEmbedUrlForAnonymousUser API for embedding, you need to specify two resource types in the IAM policy: the namespace ARNs your anonymous users virtually belong to, and the dashboard ARNs that can be used in the AuthorizedResourceArns input parameter value. The sessions generated using this API can access the authorized resources and the ones (dashboards) shared with the namespace.
Because anonymous users are part of a namespace, any dashboards shared with the namespace are accessible to them, regardless of whether they are passed explicitly via the AuthorizedResourceArns parameter.
To allow the caller identity to generate a URL for any user and any dashboard, the Resource block of the policy can be set to *. To allow the caller identity to generate a URL for any anonymous user in a specific namespace (such as Tenant1), the Resource part of the policy can be set to arn:aws:quicksight:us-east-1:<YOUR_AWS_ACCOUNT_ID>:namespace/Tenant1. The same applies to the dashboard ID. For dynamic policy generation, you can also use placeholders for the namespace and users.
The following code is an example IAM policy:
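The dynamic policy generation described above, as an added example that is not code from the post: a function that builds a per-tenant policy naming one namespace ARN (in the form shown above) and an explicit list of dashboard ARNs, instead of a Resource of *. The action name is that of the GenerateEmbedUrlForAnonymousUser API; region, account ID, namespace and dashboard IDs are placeholders. The policy does not stop a session from reaching dashboards that are already shared with the namespace, which is why dashboards should be shared per tenant namespace.

```python
"""Generate a tenant-scoped IAM policy for anonymous QuickSight embedding.

Added example, not the post's code. The namespace ARN form follows the one
shown in the post; dashboard ARNs use the same layout with "dashboard/".
Region, account ID, namespace and dashboard IDs are placeholders.
"""
import json
import re

# Resource IDs are interpolated into ARNs, so refuse anything that is not a plain
# identifier: a "*" or "/" taken from tenant-controlled input would widen the policy.
SAFE_ID = re.compile(r"^[A-Za-z0-9_.-]+$")


def quicksight_arn(region, account_id, resource_type, resource_id):
    if not SAFE_ID.fullmatch(resource_id):
        raise ValueError(f"unsafe resource id {resource_id!r}")
    return f"arn:aws:quicksight:{region}:{account_id}:{resource_type}/{resource_id}"


def tenant_embed_policy(region, account_id, namespace, dashboard_ids):
    """Allow GenerateEmbedUrlForAnonymousUser for one namespace and explicit dashboards.

    A Resource of "*" would let the caller mint URLs for any namespace and any
    dashboard, so the policy is generated per tenant instead.
    """
    if not dashboard_ids:
        raise ValueError("list at least one dashboard instead of falling back to '*'")
    resources = [quicksight_arn(region, account_id, "namespace", namespace)]
    resources += [quicksight_arn(region, account_id, "dashboard", d) for d in dashboard_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "quicksight:GenerateEmbedUrlForAnonymousUser",
                "Resource": resources,
            }
        ],
    }


def authorized_resource_arns(policy):
    """Dashboard ARNs from the policy, reusable as the AuthorizedResourceArns
    parameter so the API call never names a dashboard the policy does not allow."""
    arns = []
    for statement in policy["Statement"]:
        for arn in statement["Resource"]:
            if ":dashboard/" in arn:
                arns.append(arn)
    return arns


if __name__ == "__main__":
    policy = tenant_embed_policy("us-east-1", "123456789012", "Tenant1", ["dashboard-id-placeholder"])
    print(json.dumps(policy, indent=2))
```

The policy document is what the embedding server's caller identity would be assigned (for instance through a scoped-down session) when it serves Tenant1; authorized_resource_arns keeps the API call and the policy in step.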
Use case
OkTank is an ISV in the healthcare space. They have a SaaS application that is used by different hospitals across different regions of the country to manage their revenue. OkTank has thousands of healthcare employees accessing their application and has embedded operations related to their business in a QuickSight dashboard in their application. OkTank doesn’t want to manage their users in QuickSight separately, and wants to secure data based on which user from which hospital is accessing their application. OkTank is securing the data on the dashboards at runtime using row-level security using tags.
OkTank has hospitals (North Hospital, South Hospital, and Downtown Hospital) in regions Central, East, South, and West.
In this example, the following users access OkTank’s application and the embedded dashboard. Each user has a certain level of restriction rules that define what data they can access in the dashboards. PowerUser is a super user that can see the data for all hospitals and regions.
| OkTank’s application user | Hospital | Region |
| --- | --- | --- |
| NorthUser | North Hospital | Central and East |
| NorthAdmin | North Hospital | All regions |
| SouthUser | South Hospital | South |
| SouthAdmin | South Hospital | All regions |
| PowerUser | All hospitals | All regions |
None of these users have been provisioned in QuickSight. OkTank manages these users in its own application and therefore knows which region and hospital each user belongs to. When any of these users access the embedded QuickSight dashboard in the application, OkTank must secure the data on the dashboard so that users can only see the data for their region and hospital.
First, OkTank created tag keys on the dataset they’re using to power the dashboard. In their UpdateDataset API call, the RowLevelPermissionTagConfiguration element on the dataset is as follows:
Second, at runtime when embedding the dashboard via the GenerateDashboardEmbedURLForAnonymousUser API, they set SessionTags for each user.
The SessionTags for NorthUser in the GenerateDashboardEmbedURLForAnonymousUser API call are as follows:
The SessionTags for NorthAdmin are as follows:
The SessionTags for SouthUser are as follows:
The SessionTags for SouthAdmin are as follows:
The SessionTags for PowerUser are as follows:
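Both the runtime SessionTags described in the section on setting values at runtime and OkTank's per-user tags above, as one added example that is not the post's code. It assumes tag keys named Hospital and Region on columns hospital and region, a comma as TagMultiValueDelimiter, an asterisk as MatchAllValue, a constructed user store for OkTank's application and constructed dataset rows. The local filter only models the tag semantics so the per-user result can be checked offline; QuickSight applies the rules server side.

```python
"""Per-user SessionTags for OkTank's embedded dashboard and a local model of
what each user would see. Added example, not the post's code; tag keys,
delimiter, match-all string, user store, rows and ARNs are all constructed.
"""

DELIMITER = ","
MATCH_ALL = "*"

# Constructed tag rules, as they would be set on the dataset columns.
TAG_RULES = {
    "Hospital": {"ColumnName": "hospital", "MatchAllValue": MATCH_ALL},
    "Region": {"ColumnName": "region", "TagMultiValueDelimiter": DELIMITER, "MatchAllValue": MATCH_ALL},
}

# Constructed: OkTank's own user store. None means "all" for that attribute.
APP_USERS = {
    "NorthUser": {"hospitals": ["North Hospital"], "regions": ["Central", "East"]},
    "NorthAdmin": {"hospitals": ["North Hospital"], "regions": None},
    "SouthUser": {"hospitals": ["South Hospital"], "regions": ["South"]},
    "SouthAdmin": {"hospitals": ["South Hospital"], "regions": None},
    "PowerUser": {"hospitals": None, "regions": None},
}

# Constructed rows standing in for the dataset behind the dashboard.
ROWS = [
    {"hospital": "North Hospital", "region": "Central", "revenue": 10},
    {"hospital": "North Hospital", "region": "East", "revenue": 20},
    {"hospital": "North Hospital", "region": "West", "revenue": 30},
    {"hospital": "South Hospital", "region": "South", "revenue": 40},
    {"hospital": "South Hospital", "region": "West", "revenue": 50},
    {"hospital": "Downtown Hospital", "region": "Central", "revenue": 60},
]


def tag_value(values, rule):
    """Encode a list of allowed column values (or None for all) as one tag value."""
    if values is None:
        if "MatchAllValue" not in rule:
            raise ValueError("column has no match-all string; list the values explicitly")
        return rule["MatchAllValue"]
    delimiter = rule.get("TagMultiValueDelimiter")
    if len(values) > 1 and delimiter is None:
        raise ValueError("column has no delimiter; only one value can be passed")
    for value in values:
        if delimiter and delimiter in value:
            raise ValueError(f"value {value!r} contains the delimiter and would be split")
        if value == rule.get("MatchAllValue"):
            raise ValueError("a plain value must not equal the match-all string")
    return delimiter.join(values) if delimiter else values[0]


def session_tags_for(username):
    """SessionTags list for the embed call, derived from the app's own user record."""
    user = APP_USERS[username]
    return [
        {"Key": "Hospital", "Value": tag_value(user["hospitals"], TAG_RULES["Hospital"])},
        {"Key": "Region", "Value": tag_value(user["regions"], TAG_RULES["Region"])},
    ]


def embed_request(username, account_id, namespace, dashboard_arn, dashboard_id):
    """Keyword arguments for boto3's quicksight.generate_embed_url_for_anonymous_user."""
    return dict(
        AwsAccountId=account_id,
        Namespace=namespace,
        SessionLifetimeInMinutes=600,  # the session is valid for up to 10 hours
        AuthorizedResourceArns=[dashboard_arn],
        ExperienceConfiguration={"Dashboard": {"InitialDashboardId": dashboard_id}},
        SessionTags=session_tags_for(username),
    )


def visible_rows(rows, session_tags):
    """Local model of the tag filter. A tag key absent from the session is
    treated as deny-all here, a conservative choice made by this example."""
    given = {tag["Key"]: tag["Value"] for tag in session_tags}
    if any(key not in given for key in TAG_RULES):
        return []
    kept = []
    for row in rows:
        allowed_row = True
        for key, rule in TAG_RULES.items():
            value = given[key]
            if value == rule.get("MatchAllValue"):
                continue
            delimiter = rule.get("TagMultiValueDelimiter")
            allowed = value.split(delimiter) if delimiter else [value]
            if row[rule["ColumnName"]] not in allowed:
                allowed_row = False
                break
        if allowed_row:
            kept.append(row)
    return kept
```

Calling session_tags_for("NorthUser") yields Region "Central,East" and Hospital "North Hospital", while the admins get "*" for Region and PowerUser gets "*" for both, which is the tag-by-tag encoding of the table above; the same function feeds embed_request, so the tags sent to QuickSight always come from the application's user record rather than from request parameters.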
The following screenshot shows what SouthUser sees pertaining to South Hospital in the South region.
The following screenshot shows what SouthAdmin sees pertaining to South Hospital in all regions.
The following screenshot shows what PowerUser sees pertaining to all hospitals in all regions.
Based on session tags, OkTank has secured data on the embedded dashboards such that each user only sees specific data based on their access. You can access the dashboard as one of the users (by changing the user in the drop-down menu on the top right) and see how the data changes based on the user selected.
Overall, with row-level security using tags, OkTank is able to provide a compelling analytics experience within their SaaS application, while making sure that each user only sees the appropriate data without having to provision and manage users in QuickSight. QuickSight provides a highly scalable, secure analytics option that you can set up and roll out to production in days, instead of weeks or months previously.
Conclusion
The combination of embedding dashboards for users not provisioned in QuickSight and row-level security using tags enables developers and ISVs to quickly and easily set up sophisticated, customized analytics for their application users, all without any infrastructure setup or management while scaling to millions of users. For more updates from QuickSight embedded analytics, see What’s New in the Amazon QuickSight User Guide.
About the authors
Raji Sivasubramaniam is a Specialist Solutions Architect at AWS, focusing on Analytics. Raji has 20 years of experience in architecting end-to-end Enterprise Data Management, Business Intelligence and Analytics solutions for Fortune 500 and Fortune 100 companies across the globe. She has in-depth experience in integrated healthcare data and analytics with a wide variety of healthcare datasets including managed market, physician targeting and patient analytics. In her spare time, Raji enjoys hiking, yoga and gardening.
Srikanth Baheti is a Specialized World Wide Senior Solutions Architect for Amazon QuickSight. He started his career as a consultant and worked for multiple private and government organizations. Later he worked for PerkinElmer Health and Sciences & eResearch Technology Inc, where he was responsible for designing and developing high-traffic web applications and highly scalable, maintainable data pipelines for reporting platforms using AWS services and serverless computing.
Kareem Syed-Mohammed is a Product Manager at Amazon QuickSight. He focuses on embedded analytics, APIs, and developer experience. Prior to QuickSight he was a PM with AWS Marketplace and Amazon retail. Kareem started his career as a developer and then worked as a PM for call center technologies, Local Expert and Ads for Expedia. He worked as a consultant with McKinsey and Company for a short while.