In this article we will first take a deep dive into how Integrations, Suborganizations and SSO users all come together to control access to your dashboards and datasets.
Then we will look at some examples examples of how to set up Integrations, Suborganizations and SSO users for different scales and use cases, and the pros and cons of each.
Integrations in Luzmo are a way of encapsulating access rights for a group of data sets and dashboards. When creating an Integration, access rights for each shared dashboard and dataset are specified, and dataset filters are defined.
There are several ways to structure Integrations, each with their pros and cons. From a maintenance and scalability point of view, we recommend choosing the most simple solution that fits your needs, i.e. the solution requiring the least amount of resources to manage.
Groups in Luzmo are used to organize users and their access to datasets as well as dashboards. When datasets and dashboards are shared with a group, you can set an appropriate access right and optionally specify some dataset filter(s), similar to sharing them with an Integration. Users added or removed from the group will gain or lose access to the group’s accessible datasets and dashboards.
Suborganizations in Luzmo are like silos for your clients. By assigning a client to a Suborganization, you ensure that they can only see resources from that suborganization (e.g. users, comments, custom datasets, etc.).
Each time a new Suborganization is specified in the SSO authorization request, a new "suborganization group" is automatically created with the same name. Based on the specified username property, a SSO user will be automatically created and added to this group. Dashboards and datasets can then be shared and managed like with any other group, facilitating more granular access to specific resources.
When a SSO token is generated for a user, an Integration and Suborganization must be specified via the integration_id and suborganization property. The bootstrapped SSO user inherits the access rights and filters set on either the Integration, (suborganization) group, or user access itself. If the user has access to a dashboard or dataset via more than one way (Integration, group or user share), the following rules are used:
For example a dataset is accessible:
The SSO user will have 'can use' rights (the highest of the two) and no dataset filter (User share is prioritized over Integration).
All filters from the dashboard (interactivity filters, dashboard filters, chart filters) are merged with the access filter(s) using "AND" relations.
A complete list of dashboards and datasets available to an individual user can be found in the front end of your application by calling the getAccessableDashboards method.
You can generate a similar list by using user’s SSO token and the following curl code:
curl https://api.luzmo.com/0.1.0/securable -H "Content-Type: application/json" -d @- << EOF
{
"action": "get",
"version": "0.1.0",
"key": "{{LUZMO_SSO_KEY}}",
"token": "{{LUZMO_SSO_TOKEN}}",
"find": {
"where": { "type": "dashboard", "derived": false },
"attributes": ["id", "name", "modified_at"],
"order": [["modified_at", "desc"]],
"include": [
{ "model": "Tag", "attributes": ["tag"] },
{ "model": "User", "attributes": ["id", "name"] },
{ "model": "Group", "attributes": ["id", "name", "public"] },
{ "model": "Integration", "attributes": ["id", "name"] }
]
}
}
EOF
As mentioned above, we recommend to set up your access granularity controls with the least amount of resources to manage, as this will be the most scalable and maintenance friendly way. Below we dive into some example recommended setups per use case.
When talking about dashboards, it’s useful to separate them into a few categories:
The most simple setup to achieve is using the same Organizational dashboards for all of their clients. Your use case may look like this:
| Client | Dashboards accessible to client |
|---|---|
| Client 1 | Specifics 1, Specifics 2, … |
| Client 2 | Specifics 1, Specifics 2, … |
| ... | ... |
With only Organization level dashboards, i.e. all dashboards are relevant to all of your clients, a single Integration is an excellent solution that can be easily set up and maintained.
In more varied use cases, multiple Integrations are a better solution to enable finer granularity to manage dashboard/dataset access. Multiple Integration patterns can be set up in many different ways and are best illustrated by examples:
A slightly more granular control access to your dashboards, e.g. based on the client’s license in your application, may look like this:
| Client | License | Dashboards accessible to client |
|---|---|---|
| Client 1 | Basic | Overview |
| Client 2 | Basic | Overview |
| Client 3 | Premium | Overview, Specifics |
| Client 4 | Basic | Overview |
| Client 5 | Premium | Overview, Specifics |
The Overview dashboard is an Organization dashboard (it gets shared with all clients) and Specifics is a Client dashboard (it gets shared with one or more clients). In this case, it makes the most sense to create two Integrations which we will call Basic and Premium.
| Integration | Dashboards accessible via the Integration | Clients |
|---|---|---|
| Basic | Overview | 1,2,4 |
| Premium | Overview, Specifics | 3,5 |
This is useful if your clients all fall under standard licensing scenarios.
Similarly, you might want to support different roles that are common across many of your clients. For example, your clients may all be in sales & marketing, and their users and executives each have their specific dashboarding needs:
| Client | Role | Dashboards accessible to client |
|---|---|---|
| Client 1 | Sales User | Company Overview, Sales Overview, Sales by Region |
| Client 1 | Executive | All Sales & Marketing Dashboards |
| Client 2 | Sales User | Company Overview, Sales Overview, Sales by Region |
| Client 2 | Marketing User | Company Overview, Marketing Overview, Marketing by Campaign |
| Client 2 | Executive | All Sales & Marketing Dashboards |
| Client 3 | Sales User | Company Overview, Sales Overview, Sales by Region |
In this case, the Company Overview dashboard is an Organization level dashboard. We have no Client level dashboards, as different users within the same client need to see different dashboards based on their role. All of the other dashboards are Role dashboards. To achieve this setup, we will use three Integrations:
| Integration | Dashboards accessible via the Integration | Clients |
|---|---|---|
| Sales | Company Overview, Sales Overview, Sales by Region | 1,2,3 |
| Marketing | Company Overview, Marketing Overview, Marketing by Campaign | 2 |
| Executive | Company Overview, Sales Overview, Marketing Overview, Sales by Region, Marketing by Campaign | 1,2 |
This is useful if you have relatively few clients with many Client or Role-specific dashboards.
It might be that your access use-case is more complex to handle compared to the ones mentioned above. For example:
| Client | Role | Dashboards |
|---|---|---|
| Client 1 | Sales | Sales Overview, Sales by Region |
| Client 1 | Marketing | Marketing Overview, Marketing by Campaign |
| Client 2 | Sales + Custom | Sales Overview, Sales by Region, Custom Sales Dashboard |
| Client 3 | Marketing | Marketing Overview, Marketing by Campaign |
| Client 3 | Executive | Company Overview, Marketing Overview, Sales Overview |
In this case, we have no Organization level dashboards, and the rest are a mixture of Client and Role level dashboards. To support this setup, there are some options:
Looking at our example above, we can see that this scenario would almost be a perfect fit for a Role dashboard setup, the only problem is Client 2 needs custom dashboards for their sales role.
First, let’s ignore the variations. In that case, we only have Role level dashboards, and we can create three Integrations to serve those roles (see Role dashboards above).
Next, we can look at any variations from these roles and create a new Integration for each variation. In the example above we will need 4 Integrations; three for the common roles, and one variation:
| Integration | Dashboards | Clients |
|---|---|---|
| Sales | Sales Overview, Sales by Region | 1 |
| Marketing | Marketing Overview, Marketing by Campaign | 1,3 |
| Executive | Company Overview, Marketing Overview, Sales Overview | 3 |
| Client2 - Sales | Sales Overview, Sales by Region, Custom Sales Dashboard | 2 |
In this option we will only create an Integration for each of the most commonly shared dashboards. If a client needs additional dashboards they are shared with that client's specific suborganization group. These shared dashboards could be organized by license, role or client, whichever makes the most sense for your use case.
In the example above it makes the most sense to create Integrations by roles, so we will need 3 Integrations:
| Integration | Dashboards | Clients |
|---|---|---|
| Sales | Sales Overview, Sales by Region | 1,2 |
| Marketing | Marketing Overview, Marketing by Campaign | 1,3 |
| Executive | Company Overview, Marketing Overview, Sales Overview | 3 |
Custom Sales Dashboard and any dependent datasets will then be shared with the Client 2 suborganization. A SSO user generated using the Sales Integration and the Client 2 suborganization would therefore have access to the Sales Overview, Sales by Region (from the Integration) and Custom Sales Dashboard (from the suborganization).
In this option, we will use a single Integration that only contains Organization level dashboards. In general, Client dashboards will be shared by suborganization, and Role dashboards will be shared by group. We will need only one Integration:
| Location | Name | Dashboards | Clients |
|---|---|---|---|
| Integration | Integration 1 | 1,2,3 | |
| Suborganization | Client 2 | Custom Sales Dashboard | 2 |
| Group | Sales | Sales Overview, Sales by Region | 1,2 |
| Group | Marketing | Marketing Overview, Marketing by Campaign | 1,3 |
| Group | Executive | Company Overview, Marketing Overview, Sales Overview | 3 |
Note that in the simple example above, users from different clients are within the same group: this means that those users can e.g. share their dashboards with each other (i.e. possibly accross your suborganizations). To avoid this behavior, you could e.g. create one group per role-client combination!
In order to track embedded dashboards from development to production, it may be advantageous to organize your Integrations by environment.
For example, this allows dashboards and datasets to be created and tested in a development environment Integration first, then tested and evaluated in a QA environment Integration before being shared with a production facing Integration.
The pros and cons of using one or multiple Integrations still apply - now they will need to be evaluated on a per-environment basis. Often a single Integration may be sufficient for development and QA, with a more sophisticated multiple Integration solution necessary for production.
Next to controlling which dashboard shows in which environment, there is also the publishing functionality with which you can control which version of that dashboard shows in which environment. You can read all about this in this article.
If you are interested to know how you can make sure that user-generated dashboards fit seamlessly in your application, the the next article will help out!