Skip to Main Content
Sisense
Menu Button
Demo
Home > Marketplace > Column-Level Security

MARKETPLACE

Column-Level Security

By Sisense

  • Data Security
Get the add-on
Add-on Version 1.3.7
OS Support
Windows
Linux
Supported Sisense Versions (Linux) Latest
Supported Sisense Versions (Windows) Latest
Last Updated June 12, 2024
Tags
data security
HIPAA
pii
Sisense Marketplace Terms & Conditions

Overview

Using the Column Level Security you can apply data security rules on the column level. Sensitive columns can be configured to be either replaced by another column or completely hidden.

Each column can be configured to be hidden or replaced on export to CSV/Excel only, or on the dashboard level as well.

Note: This add-on does not support exporting to PDF and exporting a widget as an image.

Use Case

A hospital is interested in analyzing procedure waiting time. For each procedure, the collected data includes the procedure information, waiting time, and patient information. A unique identifier is set for each patient as well.

As required by the Health Insurance Portability and Accountability Act (HIPAA), sensitive personally identifiable information (PII) must be encrypted to prevent it from harming individuals should a data breach occur.

Using the Column Level Security add-on, all columns that are considered PII can be replaced with the patient’s unique identifier, or they can be completely hidden.


This solution consists of three components:

  1. Client side plugin – applies security for the Sisense application.
  2. Server side plugin – applies security for the Sisense API.
  3. External plugin – adds REST API for ‘Column Level Security’.

Installation

Windows

  1. Copy the installation package zip to a destination server.
  2. Extract the Sisense.{addon-name}.zip.
  3. Go to folder Sisense.{addon-name}.{version}scripts.
  4. If the currently installed add-on is version 1.2.11 or lower:
    • manually back-up configuration files (see Implementation section for the configuration files location, if any)
    • run .msi from the previous installation package, to uninstall microservice.
    • run remove command from the new installation package.
  5. Run script with one of the keys described below in the Script Flags Description Windows chapter.
    • For first time installation use -i flag.
    • For update installed add-on use -u flag.
    • For Multi-Node deployment one of key parameter a | q | b] should be specified based on node type.
  6. If you manually backed up configuration files in #3, apply them manually
  7. Open the Configuration Manager and click the Sisense logo five times to display the full list of services configurations.
    • Click the API-Gateway tab.
    • Enable serverSidePlugins.enabled flag and save the changes by clicking the Save Changes button.
    • Serverside component will be installed to default paths C:ProgramDataSisenseserverSidePlugins.
    • Restart Sisense.Gateway service manually or restart all Sisense services by clicking Restart Services on the main Configuration Manager page.

For Multi-Node Deployment:

  • Update the ‘Proxy URL’ parameter on the configuration manager if needed.

Script Flags Description Windows

  1. The script could be executed in two ways:
  2. To run the script command:
    • right click on w-addon-script.bat and Run as Administrator and follow the commands in the console.
    • run cmd as Administrator go to folder with script and run w-addon-script.bat <command>
    • <command> – replace <command> with one of the keys listed from -h command.
  3. Show available commands:
    • -h – shows a list of available command keys and their description.
  4. Common commands:
    • -i – install – [] – install add-on.
    • -r – remove – [] – remove add-on from the system. Configuration in Mongodb and Configuration page will persist.
    • -u – update – [] – update installed add-on by removing it and then installing a new version. Protected filesfolders will persist.
      • Protected files: “config.js” “config.6.js” “config.json”.
      • Protected folders: “resources” Configuration in Mongo and Configuration page will persist.
    • -c – check – [] – check if add-on components located in relevant places.
  5. Parameter description:
    • s<single> node installation, all components will be installed. Default parameter if not specified.
    • a<app>, q<query>, b<build> – high availability installation, add-on components will be installed based on node type.

Linux

  1. If the server has the unzip tools installed, you can upload the archive and unzip it on the server, otherwise extract files on an external machine.
  2. Connect to the server via SSH (ssh username@serverip).
  3. Create the addons folder:
    • mkdir ~/addons
  4. Upload files: 4.1. Using File Manager UI (go to Admin/System Management/File Management).
    • Create addons folder in the root using File Manager UI.
    • Upload add-on delivery package(zip or extracted) to the server using File Management in to addons folder.
    • Connect to the server via SSH (ssh username@serverip).
    • Copy files to home directory(need for HA installation). Script will copy all content of File Management/addons folder:
    • kubectl cp sisense/$(kubectl get pods -n sisense -l 'app=management' | awk '/'management'/ {print $1;}'):"/opt/sisense/storage/addons" "./". 4.2. Using scp command
    • For extracted folder: scp -r /path/local/files {user}@0.0.0.0:~/addons.
    • For archive: scp /path/local/files {user}@0.0.0.0:~/addons.
  5. Connect to the server via SSH (ssh username@serverip).
  6. Navigate to the destination folder:
    • cd ~/addons
  7. If the delivery package is archived, extract it.
  8. Navigate to the Sisense.{addon-name}.x.x.x/scripts.
  9. Run a script with one of the keys described below in the Script Flags Description chapter.
    • For the first-time installation use -i flag.
    • To update the previously installed add-on use -u flag.
  10. All the needed pods will be restarted automatically. This may take a few minutes.
  11. Verify the interceptor status (it should be enabled):
    ● Go to the configuration page http://[sisense-domain]/app/configuration/system.

    • Click 5 times on the logo to unlock settings.
    • Select api-gateway tab.
    • Find chapter ServerSidePlugins and enable parameter serverSidePlugins.enabled.
    • Check that serverSidePlugins.dirPath is equal to the path where interceptors were placed (option #3).
    • Press Save changes button.
    • ● The api-gateway service will be automatically restarted.
    • Refresh your dashboard.

Script Flags Description

  1. To run script command use:
    • bash ./l-addon-script.sh {command-key} – replace {command-key} with one of keys listed from -h command.
  2. Show available commands:
    • bash ./l-addon-script.sh -h – shows a list of available command keys and their description.
  3. Common commands:
    • bash ./l-addon-script.sh -i – install add-on or rewrite existing add-on files.
    • bash ./l-addon-script.sh -r – remove add-on from the system. Configuration in Mongo and Configuration page will persist.
    • bash ./l-addon-script.sh -u – update the currently installed add-on by removing it and then installing a new version.

All needed pods will be restarted automatically. This may take a few minutes.

Implementation

Note: more details on column-security endpoints you can find at column-security section on Sisense REST API page.

  1. Make http POST request to /api/v1/columnsecurity-settings. If you don’t, default settings will be used. Default Settings are: 
    {
  "allowHideColumn": true, 
  "areSharesExclusive": true,
  "allowExport": true
}
  2. If allowHideColumn option is true restricted columns will be hidden unless replaceWith rule option is omitted. This setting is global, affecting all the column level security configuration entries.
    The option areSharesExclusive changes priority between ‘shares’ and ‘excluded’. If it’s true and user/group exists both in “shares” and “excluded”, “shares” will have more priority. For example: { "areSharesExclusive": true }.
    Set up the option allowExport to false if you want to leave export to img/PDF unblocked. If PDF/IMG export is allowed, data on exported PDF/IMG will be the same as on the dashboard.3. Add security rule by making http POST request to /api/v1/columnsecurity. Security model example JSON:

    { 
  "cube": "LocalHost/Sample ECommerce", 
  "dim": "[Category.Category]", 
  "replaceWith": "[Category.Category ID]", 
  "shares": [ 
    { "id": "5c8a85f40bd0266fa8344bf0", 
      "type": "user", 
      "allowOnDashboard": true 
    } 
  ], 
  "everyoneElse": { 
    "allowOnDashboard": false 
  }, 
  "excluded": [] 
}
  3. If replaceWith property is omitted and global allowHideColumn setting is true corresponding dimension will be hidden. Example JSON: 
     
{ 
  "cube": "LocalHost/Sample ECommerce", 
  "dim": "[Brand.Brand]", 
  "shares": [ 
    { 
      "id": "5c8a85f40bd0266fa8344bf0", 
      "type": "user", 
      "allowOnDashboard": true 
    } 
  ], 
  "everyoneElse": { 
    "allowOnDashboard": false 
  }, 
  "excluded": [] 
}
  4. user/group defined in the excluded array will be excluded from being affected by the add-on functionality. It also depends on areSharesExclusive parameter. If it’s true, the shares has more priority. For example: 
    { 
  "cube": "LocalHost/Sample ECommerce", 
  "dim": "[Brand.Brand]", 
  "shares": [ 
    { 
      "id": "5c8a85f40bd0266fa8344bf0", 
      "type": "user", 
      "allowOnDashboard": true 
    } 
  ], 
  "everyoneElse": { 
    "allowOnDashboard": false 
  }, 
  "excluded": [ 
    { 
      "id": "5c8a85f40bd0266fa8344bf1", 
      "type": "user" 
    }, 
    { 
      "id": "5fc75758c6841c196ce762c6", 
      "type": "group" 
    } 
  ] 
}
  5. Where
    • cube – full model(elasticube/live) path. For Elasticube models: <server>/<elasticude name>, for Live models: live:<model name>.
    • dim – ‘PII’ dimension in a format [<table>.<column>]. For date dimensions add ” (Calendar)”, i.e. [Date.Date (Calendar)]
    • replaceWith – ‘RC’ dimension in a format [<table>.<column>].
    • shares – array of security flags per users/groups.
      • id – sisense user/group ID.
      • type – type of the share: ‘user’ or ‘group’.
      • allowOnDashboard – allows showing PII on dashboard. When true add-on logic won’t be applied, when false corresponding values will be replaced/hidden.
    • excluded – array users/groups excluded from being affected by the add-on functionality completely. It also depends on areSharesExclusive parameter. If it’s true, the shares has more priority.
      • id – Sisense user/group ID.
      • type – type of the share: ‘user’ or ‘group’.
    • everyoneElse – default security flags for all the users/groups that nor specified in ‘shares’ field.
  6. Refresh the dashboard. Enjoy applied security.

Limitations

  1. Duplicated filters appeared after applied security will be removed. Only one filter available per dimension.
  2. If a filter level from cascading filter is duplicated, the whole cascading filter will be removed.
  3. A filter related to a target dimension will be removed if replaceWith dimension datatype is different.
  4. ‘PII’ dimension/column must have one to one relationship with ‘RC’ dimension/column.
  5. Table and column names in the elasticube must not contain a dot symbol.
  6. If cascading filters contain restricted dimensions, all levels below the target dimension will be hidden.
  7. If restricted dimension uses in hierarchies drill, widget will be drilled up to the nearest not restricted dimension.

This is a premium Sisense add-on. For pricing details please get in touch with your CSM

Version 1.3.7 – June 12, 2024

  • Bugfix: 500 error when creating rule and table/column name
    contains special characters

Version 1.3.6 – March 28, 2024

  • Bug fix: API DELETE /columsecurity/{cube}/{dim} call for a column
    deletes all rules for the cube
  • Bug fix: API POST /columnsecurity creates duplicate entries for date
    dimensions

Version 1.3.4 – Nov. 21, 2023

  • Bug fix: the add-on is causing the Explanations ‘Explore other fields’ search api to fail

Version 1.3.3 – Sept. 18, 2023

  • Bug fix: a data model with special characters in its name is not supported
  • Bug fix: dependent filters are broken when using the plugin
  • Bug fix: the add-on removes date filters of the same dimensions but different levels

Version 1.2.12 – Dec. 22, 2022

  • Bug fixes

Version 1.2.9 – July 11, 2022

  • Added support for L2022.6

  • Bug fixes

Version 1.2.7 – Mar. 11, 2022

  • Added support for L2022.3
  • Added compatibility with Jasper Reports
  • Installation scripts were upgraded to V13

Version 1.2.6 – Feb. 11, 2022

  • Fixed issue with error in api-gateway logs
  • Removed readme files from components
  • Updated version of plugin in all components (client-side plugin version was 1.2.2)
  • Added description of client-side plugin config to Readme in the Config section

Version 1.2.5 – Feb. 10, 2022

  • Added support for L2022.2
  • Installation steps have been changed to support installation with scripts

Version 1.2.1 – Jan. 20, 2022

  • Added support for L2022.1

Version 1.2.1 – Dec. 09, 2021

  • Added support for L2021.12.0

Version 1.1.11 – Nov. 01, 2021

  • Added support for L2021.11.0

Version 1.1.11 – October 25, 2021

  •  Added support for W2021.9
  • Fixed issue with missed files in package

Version 1.1.9 – Sept. 27, 2021

  • Added support for L2021.10.0

Version 1.1.9 – Sept. 03, 2021

  • Added support for L2021.9.0

Version 1.1.9 – Aug. 17, 2021

  • Added support for L2021.8.0

Version 1.0.0.9 – July 23, 2021

  • Added support for W2021.6

Version 1.0.0.9 – May 14, 2021

  • Added support for L2021.3.1
  • Added support for Live datasources

Version 1.0.0.8 – May 14, 2021

  • Added support for W2021.2
  • Added support for W2021.4

Version 1.0.0.7 – April 01, 2021

  • First release
Premium
marketplace sisense

Report Manager

Read More
Free
marketplace sisense

Sisense for Cloud Data Teams

Read More
Premium
marketplace sisense

Jasper Reports

Read More

Want the latest in analytics?