Row-level security (RLS) within Indexima
Row-level security (RLS) with Indexima is used to restrict data access for given users. Filters restrict data access at the row level.
Given a fact table (containing at least an entity column), Row-level security (RLS) within Indexima is based on:
- A table that will contain rights to be applied, called "User_Rights_Table"
- This table will contain the list of allowed entities per user. (A user can be allowed multiple entities.)
- An additional SQL filter on the fact table that applies a join clause with the aforementioned table
Implement Row-level security (RLS)
1. In the galactic.conf configuration file, make sure that
impersonation=true
is set, so that users connect with their own credentials (and not through a service account).
2. Create a Filter Table as a DIMENSION Table in order to speed up joins
CREATE DIMENSION TABLE User_Rights_Table (
entity string,
Allowed_User string
);
3. To force Indexima to apply the filter clause, add a FILTER on the fact table
ALTER TABLE fact_table ADD FILTER (JOIN User_Rights_Table on fact_table.entity=User_Rights_Table.entity AND Allowed_User=current_user);
Take care to use an INNER JOIN (and not a LEFT JOIN, which would not produce the wanted filtering).
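The difference between the two join types in step 3, as an added example that is not Indexima code: it emulates the filter in SQLite from Python and compares what each join returns per user. The sample rows, the amount column and the user names are constructed, and the connected user is passed as a bound parameter in place of current_user.

```python
import sqlite3

# Constructed sample data; the amount column and the user names are assumptions.
FACT_ROWS = [("FR", 100), ("FR", 50), ("DE", 70), ("US", 30)]
RIGHTS = [("FR", "alice"), ("DE", "alice"), ("US", "bob")]


def build_db():
    """In-memory SQLite stand-in for the fact table and User_Rights_Table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fact_table (entity TEXT, amount INTEGER)")
    db.execute("CREATE TABLE User_Rights_Table (entity TEXT, Allowed_User TEXT)")
    db.executemany("INSERT INTO fact_table VALUES (?, ?)", FACT_ROWS)
    db.executemany("INSERT INTO User_Rights_Table VALUES (?, ?)", RIGHTS)
    return db


def visible_rows(db, user, join_kind="INNER"):
    """Fact rows returned when the page's join condition is applied for `user`."""
    if join_kind not in ("INNER", "LEFT"):
        raise ValueError("join_kind must be INNER or LEFT")
    sql = (
        "SELECT f.entity, f.amount FROM fact_table f "
        f"{join_kind} JOIN User_Rights_Table r "
        # The bound parameter stands in for current_user.
        "ON f.entity = r.entity AND r.Allowed_User = ? "
        "ORDER BY f.entity, f.amount"
    )
    return db.execute(sql, (user,)).fetchall()


def leaked_rows(db, user):
    """Rows a LEFT JOIN would expose that the INNER JOIN correctly hides."""
    allowed = set(visible_rows(db, user, "INNER"))
    return [row for row in visible_rows(db, user, "LEFT") if row not in allowed]


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):  # carol has no grants at all
        print(user, "sees:", visible_rows(db, user))
        print(user, "would also see with LEFT JOIN:", leaked_rows(db, user))
```

A user with no row in the rights table gets an empty result with the INNER JOIN and the whole fact table with the LEFT JOIN.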
Check Row-level security (RLS)
Any user can check the filtering by sending basic queries to the Indexima cluster.
In the Monitor/Queries panel, users can see the username that sent each SQL query.
Using Impersonation of BI tools
In most cases, BI tools (PowerBI Desktop, Tableau) allow users to connect and use their current UserName.
For the PowerBI service (used through PowerBI Gateway), there are additional steps to implement.