Securing inherited content: Sharing BI content across multi-tenant environments

Multi-tenancy support has been part of Yellowfin since its heyday, and shared out-of-the-box Business Intelligence (BI) content has been an integral part of this. We have recently added features that extend the capabilities of this shared content, allowing it to be secured differently for each tenant.

Sharing BI content across multi-tenant environments

For those who don’t know, Yellowfin’s multi-tenancy features, known colloquially as Client Org functionality, allow content (including views, reports and dashboards) to be written once, but shared between tenants. Data for the shared content is customized for each tenant in one of two ways:

  1. Client Org Substitution – Dynamically swapping to a data source that contains data for the client
  2. Client Org Filtering – Filtering a common data source (that contains data for all tenants) so that only relevant row data is accessed

Sharing this content means that it is authored once, and maintained in one place, but delivered to multiple tenants who view that same content using their own data.

Historical issues: Unsecure shared content

Historically, this shared content was unsecure. Restricting individual inherited reports and dashboards to particular groups or users was not possible.

In Yellowfin, content access control is defined by the Content Categories. Content saved into the same category will have the same level of security.

You can define a Content Category as ‘Unsecure’, ‘Login Required’ or ‘Access Level’. Content categorized as Unsecure or Login Required allowed anyone with access to Yellowfin to view that content.

The Access Level Content Category supplies very granular rules about who has access, and what type of access they have, to BI content, including read-only, update or delete. However, this security model did not offer the ability to restrict content access by users or groups defined at a tenant.

Creating granular security for inherited content: Client Org Group security

Enter Client Org Group security. This new functionality allows for granular security across tenants. Now when defining Access Level security at the Primary Organization (where content is shared from), you can restrict content based on groups defined at a tenant.

On new builds from August 2013, Yellowfin clients will see a new option while searching for users and groups when defining Access Level security on a Content Category.

Assigning a Client Group to the list will restrict the content to individual users at the Client Org. Group membership can be managed at the Client Org, enabling Administrators at the tenant to determine who has access to what content.
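
The model below is an added illustration, not Yellowfin code or its API: it sketches how an Access Level category that lists tenant-defined groups could be evaluated together with Client Org Filtering. All names and sample data are constructed, and it assumes a listed Client Group is identified by its tenant plus its group name.

```python
# Conceptual model only; every name here is hypothetical, not a Yellowfin API.
from dataclasses import dataclass, field

# Constructed sample: a common data source holding rows for all tenants.
ROWS = [
    {"client_org": "acme", "region": "EU", "revenue": 120},
    {"client_org": "acme", "region": "US", "revenue": 80},
    {"client_org": "globex", "region": "EU", "revenue": 300},
]

# Constructed sample: group membership, maintained by each tenant's own admins.
MEMBERS = {
    ("acme", "Finance"): {"alice"},
    ("globex", "Finance"): {"carol"},
}

@dataclass(frozen=True)
class User:
    name: str
    client_org: str  # tenant the authenticated session is bound to

@dataclass
class Category:
    level: str  # "Unsecure", "Login Required" or "Access Level"
    client_groups: frozenset = field(default_factory=frozenset)  # {(org, group)}

def can_view(user, category):
    """Decide whether a logged-in user may open content in this category."""
    if category.level != "Access Level":
        return True  # anyone with access to the system may view
    # Assumption: a listed group only matches users of the tenant that owns it.
    return any(
        org == user.client_org and user.name in MEMBERS.get((org, group), set())
        for org, group in category.client_groups
    )

def run_report(user, category):
    """Return the shared report's rows as this user is allowed to see them."""
    if not can_view(user, category):
        raise PermissionError(f"{user.name} may not view this category")
    # Client Org Filtering: the tenant key comes from the session, never from
    # a request parameter, so a user cannot ask for another tenant's rows.
    return [row for row in ROWS if row["client_org"] == user.client_org]
```

Keeping the access check and the row filter as separate steps mirrors the two controls the article describes: the category decides who may open the shared content, and the tenant filter decides which data they see in it.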