Jaspersoft and Multi tenant Data Security

Ernesto OngaroTIBCO JASPERSOFT

Multi Tenant Security

Agenda

What is column and row level security? What is multi-tenancy? Explain Organizations/Roles/Users/Attributes Four Multi Tenancy Types Jaspersoft Server Multi-tenancy Features

2©2014 Jaspersoft Corporation. Proprietary and Confidential

Column Level Security

©2014 Jaspersoft Corporation. Proprietary and Confidential

Full Name Store SalaryJohn Smith Store 11 £25,000NancyySnowden Store 24 £34,000

Martin Scotcher Store 11 £22,000

Terry Knight Store 11 £11,200Megan McGovern Store 7 £34,000

Sue Gonzales Store 9 £22,000 Column Restricted by

User Role or Attribute

Full Name Store SalaryJohn Smith Store 11 £25,000

NancySnowden Store 24 £34,000


Terry Knight Store 11 £11,200

Megan McGovern Store 7 £34,000

Sue Gonzales Store 9 £22,000

Full Name Store SalaryJohn Smith Store 11 £25,000NancyySnowden Store 24 £34,000




Row Level Security


Full Name Store SalaryJohn Smith Store 11 £25,000NancySnowden Store 24 £34,000




Rows Restricted by Tenant or Attribute

Organizations, Roles, Users, Attributes

Organization 1

Role 1

User 1

Role 2

User 2

Attribute 1


Organizations – can be nested. superuser manages root level

Roles, can span organizations or be org specific

Users can belong to one or more roles

Attributes are assigned to each user

Type 0 – No multitenancy

One BI installation per customer, nothing is shared


Customer 1DB1

Customer 2DB2

Customer 3DB3

Type 1 – Separate Databases

One BI installation, separate physical database per customer


JRS 1

DB1

DB2

DB3

jdbc:postgresql://hostname:5432/foodmart

Parameterize Hostname

Type 2 – Shared database, separate schema per customer

One physical database with one physical schema per customer


JRS 1Schema 1

jdbc:postgresql://hostname:5432/foodmart

Parameterize schema

Schema 1Schema 3

Schema 2Schema 1

Type 3 - Shared Database, Shared Schema, separate tables per customer

Tables using some sort of naming convention


JRS 1

SELECT SUM(SALES) FROM CUST01_SALES

Parameterize table name(requires customization for Domains)

Table:CUST02_SALES

Table:CUST01_SALES

Type 4 - Shared Database,Shared Schema,Shared Tables

Row level security based on rules


JRS 1

SELECT SUM(SALES) FROM SALES WHERE CUST_ID = 01

Parameterize WHERE clause

Table:CUST01_SALES

CUST_ID Sales01 20

02 34

Multi-Tenancy Feature

Comes with Enterprise Edition Gives each organization it’s own “repository” Gives each organization roles and users Allows sharing of resources via Public Folder


JRS Session Parameters

LoggedInUser LoggedInUsername LoggedInUserFullName LoggedInUserEmailAddress LoggedInUserEnabled LoggedInUserExternallyDefined LoggedInUserTenantId LoggedInUserRoles LoggedInUserAttributes LoggedInUserAttributeNames LoggedInUserAttributeValues LoggedInUserAttribute_<attribute-name>

©2010 Jaspersoft Corporation. Proprietary and Confidential 12

Row level security

Parameter substitution in SQL queriesWHERE store_city IN ($P!{LoggedInUserAttribute_Cities})

Parameter substitution in Domains<filterExpression>customer.orgID IN groovy('authentication.principal.tenantId.toUpperCase()')</filterExpression>

Parameter substitution in XPath queries<queryString language="xPath”><![CDATA[ /Northwind/Orders[CustomerID = '$P{LoggedInUserRoles}’ ]]]></queryString>


Column based security

Hide columns in canned / standard reports

Print when expression$P{LoggedInUserRoles}.toString().contains( "ROLE_ADMINISTRATOR" )) ? new Boolean(true) : new Boolean(false)

Hide columns in Domains<itemGroupAccessGrant id="restrictedHR__salary__grant1" access="granted">

<principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_ADMINISTRATOR','ROLE_HR'] }</principalExpression>

</itemGroupAccessGrant>


Further Reading and Help

JasperReports Server Admin Guide Community Wiki Professional Services from Jaspersoft and Partners


Software

Jaspersoft and Multi tenant Data Security