Tag-based authorization allows you to grant permissions to all users simultaneously. If your organization has many members, you can use tag-based authorization to reduce costs and simplify row-level permission configurations. This facilitates permission management. This topic describes how to perform tag-based authorization.
Scenarios
User tag management authorization is suitable for scenarios with many users who have diverse permission requirements. This authorization is based on user-level permission control strategies, aiming to achieve personalized permission management for each individual user. For example, users responsible for different regions can only view data from their respective areas.
Prerequisites
A dataset is created. For more information, see Create a Dataset.
Notes
This topic applies only to users who purchased or started a free trial of Quick BI on or after June 3, 2021. If you do not meet this requirement, you must upgrade from the earlier version of row-level permissions to the latest version before you can perform the operations described in this topic.
Limits
Only the Pro and Professional Edition support row-level permissions.
Only dataset owners and workspace administrators can configure row-level permissions.
NoteWorkspace developers can configure row-level permissions only for datasets that they create. Workspace administrators can configure row-level permissions for all datasets.
Procedure
After you log on to the Quick BI console, you can configure row-level permissions for a dataset in the workspace or on the dataset edit page.
Feature entry
Entry 1
Configure row-level permissions for a dataset in the workspace.
Follow the steps shown in the figure to go to the Row-level Permission configuration page.
Turn on Enable Row-level Permission.
On the Row-level Permission configuration page, select User Tag Management Authorization and configure association conditions.
Click Save.
Entry 2
Configure row-level permissions for a dataset on the dataset edit page.
Click Advanced Configuration in the top toolbar and select Permission Control -> Row-level Permission.
Turn on Enable Row-level Permission.
On the Row-level Permission configuration page, select User Tag Management Authorization and configure association conditions.
Click Save.
Entry 3
Configure row-level permissions when you create a dataset.
On the dataset preview page, click the
icon to go to the Row-level Permission configuration page.
Turn on Enable Row-level Permission.
On the Row-level Permission configuration page, select User Tag Management Authorization and configure association conditions.
Click Save.
Configure association conditions
Click Add Controlled Field.
Select a Controlled Field and a User Tag Table Field.
When you add multiple association conditions, you can select the "AND" or "OR" logic between rules. If you select "AND", all rules must be met for the permission to take effect. If you select "OR", the permission takes effect when any rule is met.
Click Save.
Configure a whitelist
If you do not want the rules to apply to specific users, you can add these users to a whitelist.
Copy row-level permissions
You can copy row-level permissions from other datasets. For more information, see Copy row-level permissions.
Scenarios
Quick BI allows you to configure a user tag table and associate specific tags with fields in the tag table to perform access control. Quick BI also allows you to manually configure tags to manage a user tag table to perform access control. The following table describes the access control in these scenarios.
Scenario | Implementation steps |
Scenario 1: Perform access control by associating tags with fields in a user tag table |
|
Scenario 2: Perform access control by manually managing a tag table |
|
Scenario 1: Perform access control by associating tags with fields in a user tag table
Customize a user tag table.
After you associate specific tags with fields in a user tag table that is stored in the selected data source, Quick BI can obtain the latest information about member tags in real time. No manual maintenance is required.
When you configure a user tag table, make sure that the user tag table meets the following requirements:
The table contains at least one of the following fields: account_id (ID of an Alibaba Cloud account), account_name (name of an Alibaba Cloud account), and nick_name (nickname of a member in the Quick BI organization).
NoteIf it is an Alibaba Cloud account ID or Alibaba Cloud account name, ensure that the user already exists in the Quick BI organization.
The table contains at least one tag field, such as area.
If the table contains multiple tags, separate the tags with commas (,) or allow the tags to be displayed in multiple rows.
$ALL_MEMBERS$indicates that all permissions are granted.
Associate tags with the user tag table.
After you associate tags with fields in the user tag table, you can use the account_id, account_name, or nick_name field as the primary key and associate the primary key with members in the Quick BI organization.
Log on to the Quick BI console.
On the Quick BI homepage, follow the instructions in the figure to go to the tag table association page.
Customize a name for the user tag table that you want to associate.
In this example, the name of the user tag table is Demo Tag Table.
Follow the instructions in the figure to configure the user tag table to be associated.
The following figure shows the preview of the user tag table.
Add a user tag.
Add a tag and associate the tag with a field in the user tag table, such as area, province, city, or order_number. After the association, the tag value in the user tag table is uploaded to the user tag of Quick BI.
Click the User Tag Management tab and click Add User Tag.
Enter a Tag Name and select an Associated Tag Table Field. Then, save the configuration.
Select Demo Tag Table as the associated tag table. Customize tag names as dy_area, dy_province, dy_city, and dy_order_number, and associate them with the area, province, city, and order_number fields in the Demo Tag Table.
Use tag-based authorization.
After you perform authorization, the tag values in the user tag table are applied to all datasets. Each user can view only the data on which the user is granted the required permissions.
On the Quick BI homepage, follow the instructions in the figure to go to the row-level permission configuration page.
Turn on the Enable Row-level Permission switch and select User Tag Association Authorization as the Authorization Method.
In the Configure Association Conditions section, click Add Controlled Field.
Select a Controlled Field and associate it with a User Tag Table Field.
In this example, the selected controlled fields and user tag table fields are shown in the following figure.
Click Save.
Add users to the whitelist.
If you do not want the rules to apply to specific users, you can add these users to a whitelist.
View the authorization results in a dashboard.
Create a chart on the dashboard edit page and view the authorization results.
For example, create a cross table to view data for Hangzhou with an order quantity of 50.
View the SQL query logic.
Scenario 2: Perform access control by manually managing a tag table
Log on to the Quick BI console.
Configure user tags.
After you add a user tag and associate the tag with a field in the user tag table, you can use the tag that you added to specify the range of data that you want to view when you configure row-level permissions.
Follow the instructions in the figure to add a user tag.
Enter a Tag Name and select an Associated Tag Table Field. Then, save the configuration.
Customize tag names as area, province, city, and order_number, and set Associated Tag Table Field to Manual Entry for all of them.
Manually manage the user tag table.
In the Manually Manage Tag Tables section, select one or more users and specify tag values for the users.
On the Tag Management page, click Manual Management in the left-side navigation pane.
Search for the target user and specify tag values for the user.
The following figure shows how to specify tag values.
Use tag-based authorization.
After you perform authorization, the tag values in the manually managed tag table are applied to all datasets. Each user can view only the data on which the user is granted the required permissions.
On the Quick BI homepage, follow the instructions in the figure to go to the row-level permission configuration page.
Turn on the Enable Row-level Permission switch and select User Tag Association Authorization as the Authorization Method.
In the Configure Association Conditions section, click Add Controlled Field.
Select a Controlled Field and associate it with a User Tag Table Field.
In this example, the selected controlled fields and user tag table fields are shown in the following figure.
Click Save.
Add users to the whitelist.
If you do not want the rules to apply to specific users, you can add these users to a whitelist.
View the authorization results in a dashboard.
Create a chart on the dashboard edit page and view the authorization results.
For example, create a cross table to view data for Hangzhou with an order quantity of 50.
View the SQL query logic.
What to do next
After you configure the dataset, you can perform data analytics. For more information, see Create a Dashboard and Create Charts.