How can I delete write permissions from Gamma role? - permissions

We are trying to make a decision on how to operate Superset within a whole company which has more than 10 divisions that will need each dashboard and datasets to view with only read-only Gamma role that won't allow users to create a new dashboard etc.
Is there a way to simply operate the roles and the permissions?
Thank you!
I read through the documentation and explored over the sites to find a solution but there seems to be none.

Related

Which is minimum permission or role needed to store views in BigQuery?

We have some restrictions on our GCP prod instance, that is why I cannot store BQ views there.
Do you know the minimum permission or role needed to store views in BigQuery?
Then I would take that into a discussion with our user administration.
Thank you,
Christian
See this page: https://cloud.google.com/bigquery/docs/access-control#permissions_and_predefined_roles for permissions and roles.
Here BigQuery view falls into the category of table, therefore, you'll need bigquery.tables.create permission to be able to store a view (and probably bigquery.tables.update to update the view definition later).
Predefined roles seem too wide, you might just ask admin to create a custom role for you. https://cloud.google.com/iam/docs/creating-custom-roles
And in case the dataset for holding tables is too sensitive, you could suggest admin to create a "view only" dataset and grant you enough permission or even assign you predefined role roles/bigquery.dataEditor to that dataset only.

BigQuery dataset level access control via IAM

Issue: In GCP IAM I have >30 users assigned the pre-defined roles BigQuery Data Viewer and BigQuery Data Editor, and now when I create a new dataset, it's automatically accessible to these 30+ users because of "policy inheritance".
Question: As BQ project admin, I want a newly created dataset only accessible to certain users (a small subset of the 30+ users). What's the best approach to do this? Thanks!
You cannot override the permissions granted at higher levels. So, if you want to restrict access at dataset level, the best approach would be to:
1) Remove the current permissions BigQuery Data Viewer and BigQuery Data Editor from project level.
2) Grant the permissions again, but only at dataset level
This also complies with the recommended best practice of least privilege. Also, if possible, use groups to grant the permissions, as it will be easier to manage.
In addition to this, you could use another project to create the dataset and allow access to the desired subset of users; however, I wouldn't recommend this approach as it only makes it more difficult to handle the data and the users with access to them.
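An added example (not part of the original answer) that plans the two steps above from a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json`. The policy, the e-mail addresses and the function names are constructed for illustration; dataset access entries use the legacy READER/WRITER names that correspond to BigQuery Data Viewer and BigQuery Data Editor.

```python
# Added example; the policy and e-mail addresses below are constructed sample data.
# Project-level roles that every dataset in the project inherits (strongest first).
INHERITED = ("roles/bigquery.dataEditor", "roles/bigquery.dataViewer")
# Dataset access lists name these two IAM roles by their legacy equivalents.
LEGACY = {"roles/bigquery.dataEditor": "WRITER", "roles/bigquery.dataViewer": "READER"}
# IAM member prefix -> key used in a dataset "access" entry.
ENTRY_KEY = {"user": "userByEmail", "serviceAccount": "userByEmail",
             "group": "groupByEmail", "domain": "domain"}

SAMPLE_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataViewer",
     "members": ["user:ana@example.com", "group:analysts@example.com"]},
    {"role": "roles/bigquery.dataEditor",
     "members": ["user:ana@example.com", "user:bo@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

def inherited_grants(policy):
    """Map each member to the project-level BigQuery data roles it holds."""
    grants = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in INHERITED:
            for member in binding.get("members", []):
                grants.setdefault(member, set()).add(binding["role"])
    return grants

def dataset_entry(member, roles):
    """Build one dataset access entry, keeping the member's strongest role."""
    kind, _, ident = member.partition(":")
    if kind not in ENTRY_KEY:
        raise ValueError(f"unsupported member type: {member}")
    strongest = next(r for r in INHERITED if r in roles)  # editor outranks viewer
    return {"role": LEGACY[strongest], ENTRY_KEY[kind]: ident}

def plan(policy, allowed):
    """Step 1: bindings to drop at project level. Step 2: entries for the new dataset."""
    grants = inherited_grants(policy)
    return {
        "remove_from_project": sorted((m, r) for m, rs in grants.items() for r in rs),
        "add_to_dataset": [dataset_entry(m, grants[m])
                           for m in sorted(allowed) if m in grants],
        "lose_dataset_access": sorted(set(grants) - set(allowed)),
    }

if __name__ == "__main__":
    import json
    allowed = {"user:ana@example.com", "group:analysts@example.com"}
    print(json.dumps(plan(SAMPLE_POLICY, allowed), indent=2))
```

Removing the project-level bindings also removes inherited access to every existing dataset, so those datasets need their own entries before step 1 is applied.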

How to handle permissions per role

I am working in a Yii project with 4 or 5 roles. Where each role has access to similar forms and views but do not see all fields. Also there are reports which are only for management level roles.
In the past I have managed permissions based on per field control to avoid repeating code, but this gets into a nightmare.
My question is, what is the best approach you have used to handle permissions? per field or per view?
I was thinking of creating different views and the admin can select which ones to assign to each role.
Any ideas you can bring will help me.
Use RBAC module http://www.yiiframework.com/doc-2.0/guide-security-authorization.html
Once you have defined your role and permission you can use the function provided by Yii2 to show/hide the field you need or to lead the code behavior.

BigQuery - Grant Access to Other Google Cloud Platform Projects

I'm trying to set up customer access to some of my BigQuery data. I'll start off with my requirements, then what I think the solution needs to be, though I'm not sure how to execute.
Requirements
Separate billing per customer for queries
I don't want to make my dataset public
Read only access to specific datasets
Accessible via Excel connector
No access rights to my main project
They manage their own access privileges, I don't want to have to add and remove individual users from direct dataset access on behalf of all our clients.
Nice to have - Web UI access
What I've Done
Created a new Google Developer Project
Added a view-only user on that project
Added a service account
Granted access to my BigQuery dataset to the service account
Here are the options for granting dataset access from the documentation:
I imagine that I need to set up some sort of special group, but I can't figure out how to do it.
Thanks in advance!
In BigQuery there are two different concepts:
The first one is billing (for queries and any other billable activity) that is linked with a Google Cloud Project.
The second one is access to a dataset.
Having said that, to fulfil your requirements you'd create a separate project for each of the customers, and grant access to the datasets in the granularity that you would want.
That way you would have the costs for each of the projects separated but billed to you. Be careful to give them only read access to the project, unless you want them to be able to create other services like VM or deploy GAE apps, as they'd be billed to you as well.
For example dataset [MyDatasetA] to users X and Y in projects Project1 and Project2, but access to [MyDatasetB] to users Y and Z in projects Project2 and Project3.
Thus, each project is accountable for the queries their users run, and you have your access control on each dataset without it being public.
Separate billing per customer for queries. Done with the independent projects.
I don't want to make my dataset public. Done with fine grained control access.
Read only access to specific datasets. Same as above.
Accessible via Excel connector. It should work without problems as they'd be first class BQ users.
No access rights to my main project. Again possible if they are restricted to their own projects.
They manage their own access privileges. This is trickier. I think they'd need more than read access to the datasets or more than read access to the projects to be able to add new users, if you use the project groups as access control.
Nice to have - Web UI access. Check out https://bigquery.cloud.google.com/
The project groups are groups that allow to select members with Viewer, Developer or Owner roles in one click, without the hassle of adding each member manually.
You get already three groups set-up for you to use: Viewers, Editors and Owners of the original project.
But you may create your own Google Groups and give those groups the permission you want.
The hint when doing so, is that new users will usually need to Display your project so that it appears in the BQ online browser. This is done by clicking on the arrow to the side of the project name in the BQ online browser followed by Switch to project then Display project with the project name that the Dataset belongs to.
Edit: Improved the explanation about Group access

Pentaho CE - Parameter Authentification

I just wanna know if it's possible to have a parameter or variable in Pentaho CE 5.0.1 when users log in, so in that case each user will have his own report and cube in function of that parameter.
Thank you,
If I understood you, you want to restrict data based on user name.
Example: User A can see Cube filtered to Products from A department.
I used these 3 pages to implement such settings.
Try here, here and here.
The best way to do it is by assigning roles to different types of users and enabling cube security. You may grant role A the right to view a cube/schema/dimension/member and deny it to another.
As for content itself (reports, dashboards), you manage that from within Pentaho User Console by adding permissions either to a role or to a user.