COURSE OVERVIEW


Training Module:

Security

Learn how to configure security for all Instances, with granular control to grant customized access rules and roles in your organization.


Table of Contents

  • ODX Security
    • Custom User Permissions: Table, Schema, or Column
  • MDW Security
    • Add or Edit SQL Server Logins
    • Adding a database Role
    • Object-Level Security
    • Assign Row-Level Permissions
    • Apply Row-Level Permissions
  • SSL Security
    • Add a Role
    • Map a Role to an Endpoint



ODX Security

ODX User Permissions

If you plan to provide user access to the ODX storage, you may want to give them access to some of the data, but maybe not all of it...

ODX allows customized, granular control of user access to the data in your ODX Storage. This can be a critical step for those working with sensitive data.


Imagine you are working as an IT Administrator with a colleague (a data engineer) to integrate and analyze Human Resources (HR) data sources. There would likely be a few tables (e.g. “employee_salaries”) that this data engineer should not be able to access, though the rest of the data needs to be accessible to them for their tasks.


In this case, the IT Admin could grant access to the data source in the Portal, but then create a “Role” for the Data Engineer without access to the tables in question.


Custom User Permissions by Table, Schema, and Column (ODX)

  1. With the ODX instance open, right-click Roles and select Add Role.
  2. Enter a Name and click Next.
  3. Search for and select Members to add to the Role, then click Next.
  4. Search for the table, schema, or column to grant permission on, based on the requirement, and click Grant.



MDW Security

Data Area (MDW, DSA) Security

If you plan to provide user access to the Data Areas, you may want to give them access to some of the data, but maybe not all of it...

Object-Level Security (OLS) in Data Area

Similar to the ODX, Data Area (MDW, DSA, etc.) object-level security gives you granular control over User Permissions to data objects in the MDW storage: you select a group of users (a Role) and give them access to specific Tables, Views, Columns, or even Schemas.


In practice, it is common for IT teams and security administrators not to provide User Access to the ODX Storage, but to provide access to the Data Areas. TimeXtender strives to give you total control over your data, so there is feature parity with the ODX's Role-based security access pattern. For example, data engineers “likely” should not have access to employee health information, unless it is central to their work and responsibilities.


Row-Level Security (RLS) in Data Area

MDW row-level security gives you the ability to dynamically give users access only to specific rows in a table, based on rules that you define.


For example, Sales Managers in North America can only see Sales bonuses for Salespeople in the North America region. However, there is also Row-Level Security (RLS) functionality in the Semantic Models, which is more commonly how non-developers would access the data.

Add or Edit SQL Server Logins (MDW)

  1. Under the data area, right-click Security and select SQL Server Logins to open the Logins window.
  2. If a SQL Login already exists that is suitable for use in the database role, skip to the Adding a Database Role section. Otherwise, click the Add new login button to create a new SQL Server Login.
  3. Enter the Login Name and other credentials based on the authentication method.
  4. Click OK.

Adding a Database Role (MDW)

  1. In the data area tree, right-click the Security folder and select Add Database Role.
  2. In the Name box, enter a name for the database role.
  3. Click the Add login button to add logins that exist on the SQL Server configured for the data area storage.
  4. Select the logins to be added from the list in the Select Login(s) window.
  5. Click OK.

Object-Level Security (MDW)

  1. Under the data area, right-click the Security folder and select Object Security Setup to open that window.
  2. In the tree on the left, click on either Tables, Views, or Schemas to select the type of object to set up access for. Expand Tables and select an individual table to assign object or column level permissions on that table.
  3. Click the icon to toggle through the three types of access settings of “Not Set”, “Grant”, and “Deny”. Setting column-level permissions on a table will overwrite any current object-level permissions that have been set.
  4. Click OK.

Permissions for database roles can be set on objects in the database to create object-level security. TimeXtender uses the same allow/deny settings as SQL Server: Not Set (gray dot), Grant (green with a white checkmark), and Deny (red with a white bar).

Please see here for more information on Object Level Security.
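
To review what was actually applied for a role, the query below lists Grant and Deny entries from the SQL Server catalog. It is an added example, not TimeXtender's own code; it assumes the settings are deployed as ordinary SQL Server permissions on the data area database, and the role name `HR_DataEngineers` is hypothetical.

```sql
-- Added example: read-only review of Grant/Deny entries held by a database role.
-- Run in the data area's SQL Server database.
-- 'HR_DataEngineers' is a hypothetical role name; replace it with your own.
DECLARE @role sysname = N'HR_DataEngineers';

SELECT
    pr.name            AS role_name,
    pe.state_desc      AS setting,          -- e.g. GRANT or DENY
    pe.permission_name,                     -- e.g. SELECT
    pe.class_desc      AS securable_class,  -- OBJECT_OR_COLUMN or SCHEMA
    CASE pe.class
        WHEN 3 THEN SCHEMA_NAME(pe.major_id)
        WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
    END                AS securable,
    c.name             AS column_name       -- NULL unless the entry is column-level
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.columns AS c
     ON pe.class = 1                        -- object or column securables only
    AND c.object_id = pe.major_id
    AND c.column_id = pe.minor_id           -- minor_id is 0 for whole-object entries
WHERE pr.type = 'R'                         -- database roles
  AND pr.name = @role
  AND pe.class IN (1, 3)                    -- tables/views/columns and schemas
ORDER BY securable, column_name, pe.state_desc;

-- Database users that are members of the role and so inherit the entries above.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = @role;
```

In SQL Server, an object with no row in the first result has no explicit permission for that role, and a DENY on an object takes precedence over a GRANT on the same object that a member receives through another role.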

Row-Level Security

Assign Row-Level Permissions (MDW)

  1. Expand the table that contains the column where permissions are to be set. Right-click the field and select Add Securable Column.
  2. In the Display Column list, click the column value to be displayed in lieu of the column that is being secured.
  3. Click OK, which will open the Add Securable Column Setup window.
  4. Click OK, which will open the Add Securable Column Setup window.
  5. Select column values and database roles, then click Add to add them to the Security Configuration list on the right to grant object access.
  6. Click OK.

Apply Row-Level Permissions (MDW)

  1. Drag and drop a securable column setup on a field in a data area table.
  2. To add further permissions to the view, drag and drop a securable column setup on the view, which will open the Add Field window.
  3. In the Field Name list, select the field that contains the values to be filtered with the securable column setup.
  4. Click OK. The field is added to the secured view.

Please see here for more information on Row-level security.


Semantic Model Security

Security in SSL

If you plan to provide user access to the Semantic Models,


you may want to give them access to some of the data,

but maybe not all of it...

Model-Level Security (OLS) in Semantic Models & Endpoints

Similar to MDW row-level security, Dynamic Security in the Semantic Models enables you to give users access to specific data in the model based on rules that you define. Model-Level Security is configured by creating a role that is not associated with any row-level security setup, and then associating that role with an endpoint. This association grants full access to the endpoint for all the members of that role.


Row-Level Security (RLS) in Semantic Endpoints and

A Row-Level Security (RLS) setup is created under a specific field and specifies which field values the role will have access to. This also means that the role will not have access to data related to field values that are not specified as part of the setup. In this way, roles and row-level security setups work together to provide a security layer for the semantic model based on the identity of the user accessing it.


For example, Sales Managers in North America can only see Sales bonuses for Salespeople in the North America region.

Model-Level Security

Add a Role (SSL)

  1. Right-click Roles under the SSL instance you choose.
  2. Click Add Role and enter the role Name.
  3. Click Add User to add the desired user. Use Add External User to add Active Directory (AD) Groups, provided their name is specified in the following format, for example: <obj:groupid123@tenantid123>.
  4. Click OK.

Map a role to an endpoint (SSL)

  1. Drag the created role onto the desired endpoint.
  2. Alternatively, you can right-click the created role and choose from the endpoint option.


Section Quiz...

Planning to take the Solution Architect exam? Then you want to be sure these questions are easy to answer.

True or False:

In the Desktop application, granular control over ODX storage is supported, such as tables, schemas, and columns?

True or False:

Row-Level Security (RLS) can be configured in both MDW and SSL Instances?

The ODX supports granular, custom, User Permissions for the data in the ODX Storage?


When you're ready, see Answers Below

Section Quiz Answers

True or False:

In the Desktop application, granular control over ODX storage is supported, such as tables, schemas, and columns?



True, the ODX does allow for more granular customization in data access, within the Desktop application.

True or False:

Row-Level Security (RLS) can be configured in both MDW and SSL Instances?



True, both Data Areas and Semantic Models can be configured with RLS.

The ODX supports granular, custom, User Permissions for the data in the ODX Storage, right?



Yes, it does. The ODX supports granular and customized User access to Tables, Schemas, and Columns on data sources.

Want to Learn Even More?

Learn even more data loading techniques from TimeXtender Tuesdays

Congratulations! You've completed the training module

Security
