our organization has been using SAS BI Dashboard for several months now for internal use within our own organization. Now, we are working on a project where roughly 100 people in other, outside organizations will need to log on to our BI Dashboard site to view an individualized dashboard for their organization. We plan to use row-level permissions in an Information Map to control who is allowed to see what in terms of the data behind the dashboard indicators.
How would you recommend creating roughly 100 individual log-ons for outside users?
Is there a way to automate the process rather than manually creating all the accounts?
If I create the log-on name and password for each outside user, how/where would I store that in Management Console?
Any help would be appreciated - our office is small enough that we do not have a dedicated IT person or fully-trained SAS administrator, so I'm in over my head. Thanks!
As an ex SAS consultant, I can tell you briefly how I have solved this problem.
First, creating the users in batch should be easy. There are tons of scripts out there that will teach you this. I would recommend to create them in your LDAP server (probably Active Directory), to have them in a central place. That way, you can treat them the same way as you do the internal users.
To get them into the metadataserver, you should take a look at the macros that SAS provides for this:
The following macros are the core components used to import and synchronize user accounts from Active Directory to SAS metadata: %MDUIMPC , %MDUIMPLB , %MDUEXTR , %MDUCMP , %MDUCHGV , %MDUCHGLB. They are located in the following directory: [SAS Home]\SASFoundation\9.3\core\sasmacro.
This SGF proceeding will give you a practical description of the process:
http://support.sas.com/resources/papers/proceedings12/377-2012.pdf
As for the question you did not ask, "how to present the BI Dashboard webapplication to the external users". You need to set up a reverse proxy web server in a secure zone (DMZ). See this document for details: http://support.sas.com/resources/thirdpartysupport/v92m3/appservers/ApacheProxyJBoss.pdf
Hope this helps!
Stig
Related
We have a bunch of legacy tableau reports which we have published on the tableau server. We are planning to embed it onto a Drupal web page as well as internal Sharepoint site. The end users/agencies who need to view the report interactively are not part of our organization. I wanted to check if each of these end users will need any special license to view the reports and interact with it for example apply some filter in the report.
To give a gist of requirements we have our data warehouse built on Azure SQL. Using this data we need to develop a metric based report for each of the agencies that we work with. We need to then share it with them by embedding this report on a Drupal site where each agency has their separate login and they need to view metrics only specific to them.
We are non-profit and want to minimize the cost. If not Tableau is there any other effective way or any other BI tool which we can use.
Every person who uses Tableau needs a license (and MFA is coming this year to enforce that).
For end users outside your firewall, you will need the relevant firewall settings to allow the users to connect.
It might be more cost-effective to purchase Tableau Online (this is different to Tableau Server) licenses to allow them to get access to their workbooks.
Either way, you can embed dashboards in Drupal, WordPress, whatever but you must have a Tableau user license to login and use them (the other option is a Tableau Server Core license, but if you want to minimise cost this is probably not a viable option)
I have a business case where I am developing a simple search UI, I would like to link it to our SQL Server as the performance is pretty fast when I test it. My plan is to create a few linked tables and create a tidy search form for each linked table (different datasets).
UPDATE, here is a better description of my plan
I have a single user ID / Password that I want to use in each ODBC connection on 4 linked SQL tables (its considered an APP ID at my company, the PW never changes). There will be 4 forms that link to each of the tables and each user will have their own accde db with a launch file that places a copy on the users profile drive and opens it from there. This allows each user to have their own copy of the accde file and everyone to have only one "launch" file.
This search UI, will have upwards of 2000 users, who knows how many actually executing a search at any given time. Security is not a concern as it is a DB on an internal SQL Server which is managed by our IT area. The end users are all internal employees.
Will using just the one ID potentially lock out my APP ID and cause major issues?
Will MS Acess no longer be a major choke point if each user has their own accde file?
Thank you and sorry that my first version of this question was not 100% clear, thanks!
So, I figured I would circle back and post up what I did. While providing a singular app ID with a File DSN in a shared location for the Access Front end would have worked, it was ultimately not the most stable solution.
Since I am in a large corporate environment, my options were extremely limited. That said, I was able to have a read only role added to the database I manage, sourced an "Active Directory Group" that had the membership I needed (as a bonus, the membership was managed at the corporate level!) and I added the AD Group to the read only role.
I then created a File DSN using windows authentication security, placed it in a shared folder location (where I also added the same AD Group to a read only role on the folder) and emailed out a shortcut to a simple batch file launcher that copies an ACCDE database to the users profile drive.
The accde houses all the necessary search forms, logic and linked tables needed for the end user. I even build in a back door that crashes out the end users (with a warning) with a simple file rename. The front end runs surprisingly fast with the test group of 100 individuals and is rolling out to 500 next week.
Viola. Hope this helps someone trying to do something similar.
I'm attempting to connect BigQuery to Looker. I am pulling sample data from a Google Sheets document to a BigQuery dataset; this part is working fine, as my internal BigQuery queries are running just fine for this dataset. Using this documentation from the Looker forums, I tried to create a service account key to connect my BigQuery dataset to Looker. Unfortunately, the documentation is slightly out of date: Google now asks which service account (compute engine default service account, app engine default service account, or a new service account that can have any of multiple roles) you want to attach the key to.
Thus far, I have tried using P12 keys created for the compute engine default service account, the app engine default service account, as well as a new Project Owner service account. When I create the connection in Looker, the admin page confirms that the connection "can connect, can cancel queries, can run simple select query" (I need it to do more complex things, but am just trying to connect at all right now). Using the SQL Runner to test a simple select 10 query out, I was able to query the public datasets, e.g. hacker_news or usa_names. However, whenever I tried to run the same query on my personal sample dataset, I received this error:
Failed to retrieve data - The job encountered an internal error during execution and was unable to complete successfully.
The permissions for the base Google Sheet that the BigQuery project is pulling from are set to be viewable by my coworkers who have the link. I have also been adding each service account I test as an editor (which I assume has the highest permissions). At this point, I am creating new service accounts with each of the different possible roles to see if it's a permissions issue from the role perspective. Nothing has worked so far, so any insight would be helpful!
UPDATE: I have created a new table within the same BigQuery dataset. The new table was created using a CSV file, which was simply a download of my previous table in Google Sheets. I updated the connection to Looker. When I wrote a select 10 query pulling from the new table, it worked fine and ran very quickly. This seems to imply that the problem is something about the permissions between Google Sheets and Google BigQuery.
I've been wanting to do something like this myself for a bit, saw this question, and decided to dig in.
First thing I found was this "documentation" over in the looker discourse:
https://discourse.looker.com/t/live-spreadsheets-in-databases/2698/7
In there, it describes the steps necessary to get this working.
Two important things that you are probably missing, based on your description of events so far (since it sounds like you've already attached the sheet to your dataset and are able to query it from the BigQuery UI):
Make sure you share the Google Sheet with the service account you are using to connect Looker to BigQuery. This is the Username from the Connections tab of the Admin page in Looker.
Make sure you have enabled the Drive and Sheets APIs for your google project. You can do that via The API Library. Just search for "Drive" (or "Sheets"), click on the name, and then click on the "Enable" button from the API detail page.
Once I did the above, I had to wait a few minutes before things started working. I'll go out on a limb and guess that this was because Looker needed to cycle it's internal connection pool before the permissions would reset and work. So you may need to run a few failing queries, or wait out the connection pool before this will go into effect.
Hope that helps.
I'm trying to setup customer access to some of my BigQuery data. I'll start off with my requirements, then what I think the solution needs to be, though I'm not sure how to execute.
Requirements
Separate billing per customer for queries
I don't want to make my dataset public
Read only access to specific datasets
Accessible via Excel connector
No access rights to my main project
They manage their own access privileges, I don't want to have to add and remove individual users from direct dataset access on behalf of all our clients.
Nice to have - Web UI access
What I've Done
Created a new Google Developer Project
Added a view-only user on that project
Added a service account
Granted access to my BigQuery dataset to the service account
Here are the options for granting dataset access from the documentation:
I imagine that I need to setup some sort of special group, but I can't figure out how to do it.
Thanks in advance!
In BigQuery there are two different concepts:
The first one is billing (for queries and any other billable
activity) that is linked with a Google Cloud Project.
The second one is access to a dataset.
Having said that, to fulfil your requirements you'd create a separate project for each of the customers, and grant access to the datasets in the granularity that you would want.
That way you would have the costs for each of the projects separated but billed to you. Be careful to give them only read access to the project, unless you want them to be able to create other services like VM or deploy GAE apps, as they'd be billed to you as well.
For example dataset [MyDatasetA] to users X and Y in projects Project1 and Project2, but access to [MyDatasetB] to users Y and Z in projects Project2 and Project3.
Thus, each project is accountable for the queries their users run, and you have your access control on each dataset without it being public.
Separate billing per customer for queries. Done with the independent projects.
I don't want to make my dataset public. Done with fine grained control access.
Read only access to specific datasets. Same as above.
Accessible via Excel connector. It should work without problems as they'd be first class BQ users.
No access rights to my main project. Again possible if they are restricted to their own projects.
They manage their own access privileges. This is trickier. I think they'd need more than read access to the datasets or more than read access to the projects to be able to add new users, if you use the project groups as access control.
Nice to have - Web UI access. Check out https://bigquery.cloud.google.com/
The project groups are groups that allow to select members with Viewer, Developer or Owner roles in one click, without the hassle of adding each member manually.
You get already three groups set-up for you to use: Viewers, Editors and Owners of the original project.
But you may create your own Google Groups and give those groups the permission you want.
The hint when doing so, is that new users will usually need to Display your project so that it appears in the BQ online browser. This is done by clicking on the arrow to the side of the project name in the BQ online browser followed by Switch to project then Display project with the project name that the Dataset belongs to.
Edit: Improved the explanation about Group access
I have created a custom report and it shows up on my "Reports" tab. How can I make this public to everyone in the project so that they can see it in their workspace?
There isn't a way to share it with only a subset of users. What we often do for custom apps that are only useful for a small subset of users is have the admin share it, then have the subset of users copy it and then have the admin un-share it. Note, we resort to this solution to save the limited number of shared dashboards we have to apps and reports that are relevant to all teams. The problem with this solution is it makes it challenging to upgrade the app with new features. Nonetheless, I thought I would mention as an option if you are limited to the number of shared dashboards.
In order to share the app with other users you need workspace or subscription admin privileges.
https://prod.help.rallydev.com/create-custom-pages#share