This section refers to the level of access a user has within the Yellowfin application, relating to what they can do and what data they can see once inside of the application.
In Yellowfin, a user’s role controls their access to functionality within the application, such as whether they are allowed to create reports or are limited to read-only use. User roles are created in the Yellowfin Administration Console and can be customized in detail to suit your specific needs, with over 100 unique permissions. Yellowfin provides 5 pre-built roles, ranging from a read-only Consumer to a fully privileged System Admin. <screenshot of role edit page, with one broad category expanded>
Yes – Yellowfin has pre-bundled roles but you can also create your own, and assign any combination of system functions to that role.
Roles and other user attributes can be modified programmatically via Yellowfin’s administration webservices. Synchronising user attributes and security access is an integral step of a standard SSO implementation.
Content in Yellowfin is organized and secured by placing it into a structure of Content Folders. These folders usually either delineate content by business unit (finance, sales, etc.) or modularize it by experience (broad organizational reports vs day-to-day management reports). Additionally, each individual content item can layer its own permissions on top of the folder’s, which allows highly granular user experiences to be constructed.
A user is granted access to content folders and content items either individually, or through their current role permissions or user group memberships. Once granted, they can access the content stored in that folder unless the content has been marked private and assigned on an individual basis.
In most businesses, access to information is not controlled on a person by person basis but rather is based on that person’s role within the organization. As covered above, a user’s access to functionality can be grouped based on User Roles. To apply this to content folders and other features such as collaboration, we can additionally employ a feature called “User Groups” that allow us to provide access to content and collaboration features to entire teams.
For more complex use cases, a user group can also have user roles and other user groups as its members, not only individual users.
Data security in Yellowfin is primarily implemented at the metadata layer, and typically consists of a combination of several different components:
What database tables the user is allowed to see at the metadata layer is based on the permissions of the authenticated user in the underlying data source connection. This allows you to create distinct data sources with unique access to the underlying data, as well as employ more advanced approaches such as pass-through authentication.
Each step of the user security experience can be automated using the Administration Web Services, from creation of users and roles, to the delegation of content access, to minute-by-minute updates to row level security.
This is typically done in the context of an SSO synchronization process.
Yellowfin can use external Identity Providers for authenticating users. Yellowfin natively supports authentication via LDAP enabled providers. Yellowfin also provides a pre-built SAML bridge that can interface with SAML enabled Identity Providers.
Custom authentication adapters can be written to bridge custom or proprietary authentication systems with Yellowfin using a suite of SSO and user provisioning web services.
Yellowfin will store data in memory temporarily whilst reports and dashboards are being viewed. Other options, which are not enabled by default, allow reports and filter values to be cached in the Repository Database. This is used for taking a snapshot of a report, and for allowing users to choose filter values from a dropdown list. The Report Data Cache can also store data in memory. This will store the dataset of a Report Query for reuse within a configurable time period.
Data in transit can be encrypted. This includes data travelling between the data source and Yellowfin, and the rendered reports travelling from Yellowfin to the user’s browser.
Web traffic can be encrypted with TLS (commonly still referred to as SSL). This delivers data securely to the end user’s browser via HTTPS.
Data travelling between Yellowfin and data sources can be encrypted by several means, including encryption enabled by specific JDBC drivers, HTTPS enabled links for XML/A and Third-Party connectors. Network traffic can also be encrypted externally with VPN links.
Write-back can be implemented in several ways: via code widgets that allow write-back from a dashboard, or via links embedded in reports that take the user to an external application where data can be modified, after which the reports reflect the updated information.
Additionally, you can create database connections using accounts that only have read permissions, so the connection cannot be used for writing. Enforce this with grants on the database side (for example SELECT only on the reporting schema); a read-only flag set on the connection itself is only a hint to the driver, not an access control.
When internal user authentication is used, Yellowfin stores passwords as a one-way BCrypt hash: the stored value cannot be turned back into the password, and a login is checked by hashing the submitted password and comparing the result. Passwords that must remain recoverable, because Yellowfin has to present them to another system, require two-way encryption and are encrypted with Triple DES. Triple DES is a legacy algorithm that NIST has deprecated (SP 800-131A), so the repository database holding those values must itself be protected.
In installations that use external authentication, such as LDAP, SAML or web service SSO, user passwords do not need to be stored in the application at all.
Yes, Yellowfin supports password complexity rules, including minimum length, required character types and restrictions on password reuse.
Yellowfin supports account locking once a configurable limit of failed login attempts is reached.
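The one-way password hash and the failed-attempt lockout described above, as an added example that is not Yellowfin’s code. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the BCrypt hash the text mentions; the attempt limit, lockout window and iteration count are assumed values, and the in-memory store and injectable clock exist only so the behaviour can be exercised offline.

```python
"""One-way password storage with account lockout (added example, not
Yellowfin code).  PBKDF2-HMAC-SHA256 stands in for BCrypt; the constants
below are assumptions, not Yellowfin's configuration."""
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000          # OWASP-recommended floor for PBKDF2-SHA256 (2023)
MAX_FAILED_ATTEMPTS = 5       # assumed value for the "configurable login attempt limit"
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window


def hash_password(password, salt=None):
    """Return (salt, digest).  The digest cannot be reversed to the password;
    a login is checked by recomputing it, never by decrypting anything."""
    salt = salt or os.urandom(16)         # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class UserStore:
    """Minimal in-memory credential store with per-account lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # time source in seconds, injectable for tests
        self._users = {}         # user_id -> record

    def add_user(self, user_id, password):
        salt, digest = hash_password(password)
        self._users[user_id] = {"salt": salt, "digest": digest,
                                "failures": 0, "locked_until": 0.0}

    def is_locked(self, user_id):
        rec = self._users.get(user_id)
        return bool(rec) and self._clock() < rec["locked_until"]

    def login(self, user_id, password):
        """Return (success, reason)."""
        rec = self._users.get(user_id)
        if rec is None:
            # Spend the same hashing work for unknown users so response time
            # does not reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            return False, "invalid credentials"
        if self.is_locked(user_id):
            # Checked before verifying, so a correct guess made during the
            # lockout still fails and does not leak that it was correct.
            return False, "account locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):   # constant-time compare
            rec["failures"] = 0
            return True, "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = self._clock() + LOCKOUT_SECONDS
            rec["failures"] = 0
            return False, "account locked"
        return False, "invalid credentials"


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.login("alice", "wrong"))
    print(store.login("alice", "correct horse battery staple"))
```

The store never keeps the password itself, only a salted digest; the only operation on a stored value is "recompute and compare", which is the property the term one-way hash refers to. Locking is checked before the hash is computed, so a locked account gives the same answer for right and wrong passwords.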
Web requests to the Yellowfin application are interrogated to ensure that an active session exists, and that the user associated with the session is allowed to perform the requested action.
Additional security can be configured with custom ServletFilters to interrogate requests and perform custom logic. This may provide functionality like checking request origins or ensuring that a user has a valid SSO session.
Yellowfin also ships some configurable ServletFilters that provide additional protections, such as HTTP Referer checks, configurable application entry points, and CSRF protection.
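The request-origin and CSRF checks that a filter of this kind performs, as an added example that is not Yellowfin’s ServletFilter code. It is written in Python to show the decision logic rather than the servlet plumbing; the trusted-origin list, the header values and the token values are constructed inputs, and the policy of treating GET/HEAD/OPTIONS as exempt is an assumption of the example.

```python
"""Origin/Referer and CSRF-token checks of the kind a custom ServletFilter
performs in front of a web application.  Added example, not Yellowfin code;
the trusted-origin list and the safe-method policy are assumptions."""
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}       # assumed: no state change
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Reduce an Origin or Referer value to scheme://host:port.

    Returns None when the value cannot be parsed into an origin, which the
    caller treats as untrusted.  The port is made explicit so that
    https://bi.example.com and https://bi.example.com:443 compare equal.
    """
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname            # urlsplit lower-cases the host
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:                   # e.g. a non-numeric port
        return None
    if scheme not in DEFAULT_PORTS or not host or port is None:
        return None
    return f"{scheme}://{host}:{port}"


def request_origin_allowed(method, headers, trusted_origins):
    """Decide whether a request may reach a state-changing endpoint.

    headers: dict of request header name -> value (looked up case-insensitively).
    trusted_origins: the origins the application is served from.
    Returns (allowed, reason).
    """
    trusted = {normalize_origin(o) for o in trusted_origins} - {None}
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no origin check"
    lower = {k.lower(): v for k, v in headers.items()}
    # Browsers send Origin on cross-site POSTs; fall back to Referer for the
    # same-site form posts on which some browsers omit Origin.
    candidate = lower.get("origin") or lower.get("referer")
    if not candidate or candidate == "null":
        # Fail closed: privacy proxies strip Referer, and sandboxed or
        # file:// pages send a literal "null" Origin.  Such clients must use
        # a configured entry point rather than be silently trusted.
        return False, "no usable Origin or Referer header"
    origin = normalize_origin(candidate)
    if origin is None:
        return False, f"unparseable origin {candidate!r}"
    # Exact set membership, never a string-prefix test: a prefix test would
    # accept https://bi.example.com.attacker.net for https://bi.example.com.
    if origin in trusted:
        return True, f"origin {origin} is trusted"
    return False, f"origin {origin} is not in the trusted list"


def csrf_token_valid(session_token, submitted_token):
    """Compare the token bound to the session with the one in the request.

    hmac.compare_digest takes time independent of where the values differ,
    so an attacker cannot recover the token one byte at a time.
    """
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


if __name__ == "__main__":
    trusted = ["https://bi.example.com"]      # constructed trusted origin
    print(request_origin_allowed("POST", {"Origin": "https://bi.example.com"}, trusted))
    print(request_origin_allowed("POST", {"Origin": "https://bi.example.com.attacker.net"}, trusted))
    print(request_origin_allowed("POST", {}, trusted))
```

Two details matter more than the rest. The comparison is against a set of normalized origins, so a lookalike host that merely starts with the trusted name is rejected, and a missing or `null` Origin is rejected rather than waved through; deployments that must serve clients behind Referer-stripping proxies handle them with an explicit entry point, not by weakening the check.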
Generally Yellowfin will only be making requests to external data sources. At a content level, access to different sources can be configured within the Application.
At a network level, an outgoing firewall should be configured to only allow access to the required external resources.
Yellowfin features that allow code to be published are disabled by default, and need to be enabled for specific users. Yellowfin inputs are tested for XSS issues as part of our security testing.