Service Client and Row Level Security¶
Updated 22 February 2024
Topics on this page:
The service client feature of Comotion Dash allows you to provide selective access to certain data within a table. This is useful when building dashboards for multiple customers (known in the dash world as service clients) while ensuring that they cannot see each other's data.
To achieve this:
- Each user is tagged with a service client id. This is usually some unique short representation of the customer - such as
initech- or a number. - Each insights table must have
service_client_idas its first partition.
Setting up in this way will mean that users tagged with a certain service client will only be granted access to the part of the insights table with their data in it.
Special Service Clients¶
Note the following special service clients
| service_client_id | Name | Description |
|---|---|---|
| 901 | Public | Lines in insights tables tagged with this service client are accessible to all users |
| 0 | Internal | Users that are tagged with this service client have access to all service client information. This is generally for internal analysts and admins who work with the data, and internal consumers who need to view dashboards based on data from multiple customers. |
Grant Access to a Service Client¶
To grant access to a service client you have to complete the following steps:
-
When creating your Insights Table, define your last partition as service client and ensure each line is populated with the correct service client.
-
When preparing the insights table for visualisation, add custom SQL to the table definition to ensure that only data from the right service client is returned. The function
service_client_clauseis available for this purpose:
Missing this step causes an error
Adding the service_client where clause ensures that your graphs only select from the correct service client. Missing this step will result in a permissions error when a service client user tries to view a dashboard with data from other service clients.
-
When requesting User Access from your Comotion Dash representative, specify the "service_client_id" of that user.
Implementing Row Level Security¶
Row Level Security filters, accessible under the Security menu, allow you to define filters that are associated with specific tables and roles. For instance, to restrict members of the Finance team to only view rows where the department is 'finance', you can:
- Create a Row Level Security filter with the condition (department = 'finance').
- Assign this filter to the Finance role and the relevant table.
The filter's condition, which can be any text, is incorporated into the WHERE clause of the generated SQL statement. This allows for versatile filtering, such as limiting access to data from the last 30 days with a condition like date_field > DATE_SUB(NOW(), INTERVAL 30 DAY), or using multiple conditions like client_id = 6 AND advertiser = 'foo'.
AND Statements
Superset combines all applicable Row Level Security filters using AND statements, which means that conflicting filters could potentially restrict access to an empty subset of a table. For example, if a role has filters client_id = 4 and client_id = 5, the resulting query for users with that role will include client_id = 4 AND client_id = 5, which is an impossible condition to satisfy.
Before you go¶
This documentation portal has been created to be your right hand of guidance on this journey. We will be evolving the content from time to time and if there is any specific information you want us to add to improve your experience, please get in touch or send us a direct email to dash@comotion.co.za.
We love hearing from you!