We are creating dashboards for clients using data studio.
Each client should see their data in the dashboard, based on their login credentials. It is simple to create an authorized_view in Big Query to let certain users see certain rows of an underlying shared table. But how would one achieve to then move this into a dashboard which can be shared with each client, yet show only the individuals client in the dashboard instead of the data that was visible to the report creator?
So let's say we have a large table with a bunch of columns and one column email which contains the email of users. Now, we want the dashboard to show metrics for each user based on this email column.
On DataStudio in the datasource schema review step, make sure the flag USING VIEWER’S CREDENTIALS is on. By turning it on, the query when being executed will use the viewer’s credential instead of the owner who created the report.
After you finish create proper visualization on Data Studio, final step is to share the report to eg: store managers using the share option of Data Studio which is similar to share a Google Docs. You can confidently share it with the whole organization or with the email group of eg: store managers, permission already be controlled at data level.
Read more about this topic here.
Related
I have multi tenant azure sql database. I need to create readonly view to one customer to read some data without able to access any other database tables or views. How i can do that
Please try Azure Data Share to share a view with any person you want without giving access to the database.
Create a Data Share account.
Navigate to your Data Share Overview page.
Select Start sharing your data.
Select Create.
Fill out the details for your Data Share. Specify a name, description of share contents, and terms of use (optional).
Select Continue
To add Datasets to your Data Share, select Add Datasets.
Select the dataset type that you would like to add.
Specify the view you want to share with.
In the Recipients tab, enter in the email addresses of your Data Consumer by selecting '+ Add Recipient'.
Select Continue.
Set off "Snapshot schedule".
In the Review + Create tab, review your Package Contents, Settings, Recipients, and Synchronization Settings. Select Create.
Alberto Morillo provided a good way for you.
But from the Azure Data Share Documentation, Data share only can help share the view data to the customer, can not receive the request from customer, it's unidirectional.
According your comment, customer want to access the view from other application through call or API,
The answer is no, we can not do that for now without the permission for login or access the database.
Hope this helps.
I would like to add a member (xxxxxxx#developer.gserviceaccount.com) in the list of members that are allowed to read the tables in a data set.
However, when in the Big Query console, when I click on SHARE DATASET , I have the message :
**"You don't have permission to edit the permissions of the selected resource "****
However, I have the permission to use the query editor and to run queries on this Data Set.
How can I add a member to the list of members who can read this DATA SET so that to access to this Data Set through a Virtual Machine ?
The error message you are receiving is because you do not have the required permissions associated with your account to share a Dataset with another member.
In order to do this, you(if possible), or an admin of the project, i.e., someone with project editor or project owner role assigned. Will need to assign the needed permissions to allow you to share datasets.
You can see all the available permissions in this document Predefined roles and permissions
For a comprehensive document dealing with controlling access to Datasets review this document Controlling access to datasets
As long as you have the appropriate roles/permissions you should have no problems sharing BigQuery Datasets
I'm trying to setup customer access to some of my BigQuery data. I'll start off with my requirements, then what I think the solution needs to be, though I'm not sure how to execute.
Requirements
Separate billing per customer for queries
I don't want to make my dataset public
Read only access to specific datasets
Accessible via Excel connector
No access rights to my main project
They manage their own access privileges, I don't want to have to add and remove individual users from direct dataset access on behalf of all our clients.
Nice to have - Web UI access
What I've Done
Created a new Google Developer Project
Added a view-only user on that project
Added a service account
Granted access to my BigQuery dataset to the service account
Here are the options for granting dataset access from the documentation:
I imagine that I need to setup some sort of special group, but I can't figure out how to do it.
Thanks in advance!
In BigQuery there are two different concepts:
The first one is billing (for queries and any other billable
activity) that is linked with a Google Cloud Project.
The second one is access to a dataset.
Having said that, to fulfil your requirements you'd create a separate project for each of the customers, and grant access to the datasets in the granularity that you would want.
That way you would have the costs for each of the projects separated but billed to you. Be careful to give them only read access to the project, unless you want them to be able to create other services like VM or deploy GAE apps, as they'd be billed to you as well.
For example dataset [MyDatasetA] to users X and Y in projects Project1 and Project2, but access to [MyDatasetB] to users Y and Z in projects Project2 and Project3.
Thus, each project is accountable for the queries their users run, and you have your access control on each dataset without it being public.
Separate billing per customer for queries. Done with the independent projects.
I don't want to make my dataset public. Done with fine grained control access.
Read only access to specific datasets. Same as above.
Accessible via Excel connector. It should work without problems as they'd be first class BQ users.
No access rights to my main project. Again possible if they are restricted to their own projects.
They manage their own access privileges. This is trickier. I think they'd need more than read access to the datasets or more than read access to the projects to be able to add new users, if you use the project groups as access control.
Nice to have - Web UI access. Check out https://bigquery.cloud.google.com/
The project groups are groups that allow to select members with Viewer, Developer or Owner roles in one click, without the hassle of adding each member manually.
You get already three groups set-up for you to use: Viewers, Editors and Owners of the original project.
But you may create your own Google Groups and give those groups the permission you want.
The hint when doing so, is that new users will usually need to Display your project so that it appears in the BQ online browser. This is done by clicking on the arrow to the side of the project name in the BQ online browser followed by Switch to project then Display project with the project name that the Dataset belongs to.
Edit: Improved the explanation about Group access
I want to add security to report(s) based on username and password present in my web application database. But i do not want add parameter(s) username/password in rdl file which shows password in clear text. What is the best way to perform this task? Currently, my reporting server bypass my web service? Report url directly call report on report server. Can I made to pass it via web service which can authenticate user? Any suggestions?
The method that gives you the most flexibility is to override the authentication in SSRS:
http://technet.microsoft.com/en-us/library/ms152825.aspx
If you're unable or unwilling to go that route, your best option is to pass the username as a report parameter. You should of course make this parameter hidden. In your report database, you will want to create many-to-many security tables that join your user table to the constraining entities in your report queries. For example, if you want row level security by branch or office or department or something, then you'd create a Users_Department table and in your reports query you inner join to that and the users table.
I've done this successfully in a past project. It's doesn't feel very elegant because it requires you to create the property authorization user interface admin screens that fill and update these many-to-many security tables and in addition all of your report queries must join properly to filter to the proper security table to filter the result data sets.
But in some scenario's, it's your best (or only!) option.
I am trying to add users to the Report Servers dbo.Users Table. I see a 36 character USERID. Does anyone know how this is generated? How do i get users to show up in this table?
I do not think you should directly modify/add data in ReportServer database.
To add a new user, go to your Report Manager web page.
For a default installation, it is http://[computer-name]/Reports
For a named instance suppose the instance is sql01, it is http://[computer-name]/Reports_sql01
Next, click on Properties tab. In Security, choose New Role Assignment.
There you can add users that exist on your Local machine, or on your company domain.
This user will show up in the Users table. But again, SQL Documentation advises not to directly manipulate data there. Good luck!