We are storing multiple tenants in one instance of SQL Azure. I have been doing some research, but I cannot determine if SQL Azure Reporting can support a multi-tenant model discretely.
For example, we want to run reports for a user based on their "tenancy", but we want their tenant ID to be completely opaque to them- not contained in a query string, or anything view-able by the user.
Has anyone encountered this problem before? What was your solution?
If you had the restriction that a User can only belong to a single tenant, you can hop from a User to the corresponding tenant without them having to know their tenant Id. So any of your Tenant related queries could automatically be filtered by the logged-in user.
Related
I have a dimension which contains our business warehouse IDs and also I made users in Active Directory with the same name(1001, 1002, 1003, 1004, …) as you see in below.
DimWarehouse
ID
1001
1002
1003
1004
.
.
.
My question is that how it is possible each "username" just access to it's Warehouse ID?
There are two ways how you can restrict user access to certain parts of the cube:
You define "static security": You define one role in the cube for each set of permissions (if I understand your requirements correctly, that would mean one role per user), and then you map the Active Directory users or user groups to those roles. If you have many users and many permission roles, that can get more or less unmanageable. However, sometimes it is good that you also can use AD user groups for this purpose, and that can reduce effort a lot. I Implemented a solution like this where we needed to restrict access user access based on their country, and only had around 50 countries, and AD user groups were already existing for the countries.
You can use "dynamic security". This means you only use a single role and write an MDX expression that most likely makes use of the Username() MDX function, and which returns a valid MDX set which is either a set of allowed or a set of forbidden members. As your MDX statement could even call an AS Stored procedure implemented in .net, you are even more flexible, as this .net Stored procedure could e. g. contact your AD to check for further properties of the user.
In both cases, you would administer the settings in "dimension security" of the cube design in "SQL Server Data Tools - Business Intelligence" or in SQL Server Management Studio, and would need to design your cube accordingly to have the correct relations from the dimension that you restrict to your data.
A detailed (if a bit old) blog post describing an approach for setting security using dynamic security can be found at http://bharathonsqlserver.blogspot.com/2016/07/dynamic-security-in-ssas-in-detail.html.
The permissions are driven by roles.
You may need to create multiple roles and assign users to each of the roles.
Then for each role, you define which dimension attributes are accessible to that role.
I'm looking for the best way to secure access to the data stored into an SQL Server database (accessed via stored-procedures).
Company's users are split into 3 entities with associated Windows security groups: G_SUBSIDIARY1, G_SUBSIDIARY2, and G_HOLDING.
Each application is associated with a Windows security group: G_APPLICATION1, G_APPLICATION2, G_APPLICATION3...
These security groups are mostly used to control access to shared folders dedicated to each entity and application.
The stored-procedures should filter data depending on who request them.
As an example to access data in table APPLICATION1_DATA you must be a member of group G_APPLICATION1.
And depending on your entity you will access a different subset of the data (discriminator is a column with the entity to which the data belongs).
To apply authorization I was thinking of relying only on Windows security groups and checking with the IS_MEMBER function if the current user (authenticated via Windows authentication) belongs to each: IS_MEMBER("COMPANY\G_APPLICATION1") and IS_MEMBER("COMPANY\G_SUBSIDIARY1").
The main advantages I see is that there is only one object to manage, and if later users are added or removed this is transparent on the database side.
But I wonder if there is any drawbacks with this method, and if on the contrary there would be some advantages to use SQL Server roles in addition to these security groups.
It would add some maintenance to keep them up-to-date but it might be worth it...
I'm using CouchDB 2.1.0 and for my use case I would like non-admin users to be able to create their own databases that they will then have write/read access to, and the ability to add other users with write/read access.
Note that this is not one database per user, which seems to be the common use case, but many user-created databases per user.
Users are being created right now by POSTing to the _users database. Authentication is being handled by CouchDB's built-in authentication.
I could create a backend service that has admin credentials that would create these databases, but I would like to avoid doing so. Reading through docs it seems like by default CouchDB only allows admins to create databases; is there a way to change this?
Honestly, I think the only real answer here is that you'll have to make a backend service that has admin credentials that can create new databases. Kind of a bummer since one of my goals for this project was "no backend other than CouchDB".
My backend service ended up just taking a list of users that should have access to the created database, creating the database with a unique ID, and returning that ID. I then have a document in each user's DB that lists all of the DBs they have created.
i'm planning to use a combination of entity framework + plain sql access for a large sized project that i'm about to start. its an ASP.NET web application.
for auditing data, i was thinking of creating a user in sql db for every user in membership that i create so that the auditing can automatically track the asp.net logged in user activities. so basically, if i could impersonate as that username for the connection that is used, then sql server will automatically log.
do you know how to implement this in entity framework, i'm fairly new to ef.
if this is not possible, do you know another solution WITHOUT manually including userid in every sql insert/update/delete.
thanks..
That is pretty bad idea. If you want this kind of auditing don't use membership and instead use Windows accounts directly with Kerberos delegation as common in large ERP or CRM systems = each user will have access to the database with his own domain account but it requires very correctly specifying security for the database and it will most probably lead to design without entity framework because you will not want users to be albe to execute queries directly but only to execute stored procedures under their user context.
If your application should be publicly available then this level of auditing is not for you and you must roll your own solution on the application level (not the database level).
Im setting up a multi tenant database and came across the following blog post on federations: SQL Azure Multi Tenant
They write about assigning a predicate to filter data between tenants:
In a single-tenant app, the query logic in application is coded with the assumption that all data in a database belongs to one tenant. With multi-tenant apps that work with identical schemas, refactored code simply injects tenant_id into the schema (tables, indexes etc) and every query the app issues, contains the tenant_id=? predicate. In a federation, where tenant_id is the federation key, you are asked to still implement the schema changes. However federations provide a connection type called a FILTERING connection that automatically injects this tenant_id predicate without requiring app refactoring. Our data-dependent routing sets up a FILTERING connection by default. Here is how;
1: USE FEDERATION orders_federation(tenant_id=155) WITH RESET, FILTERING=ON
My question is, is this just a SQL azure thing? Or can this be accomplished with any sql server instance?
Thanks in advance
Federations are available only on SQL Azure.