Overview
External embedding delivers data to users outside of your business, inside other applications. Reporting can be mapped to row level permissions, allowing many users to access identical reports filtered to only their own data. To set up an external embed experience, you must be an Admin and contact Support to turn on the license feature.
There are several ways organizations embed Omni content:
- simple, interactive dashboards for high-level summaries
- ephemeral workbooks to give their users deeper access to their data
- more robust data applications
All of those use cases leverage the same base technology: creating an authorized Omni URL that you will use in an iframe. The URL contains the content you want to share, the ID of the user in your system, and the attributes you want that user to have. You'll then sign the URL with a secret key provided by Omni.
We recommend that you set your connection base roles to either No Access or Viewer by default.
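The signed-URL idea described above, as an added example that is not Omni's own code: a server builds the iframe URL and a keyed MAC over every parameter, so a user who edits their ID or attributes in the browser invalidates the signature. The host, the parameter names (contentPath, externalId, userAttributes, nonce, signature) and the signing layout are assumptions for illustration; use the format Omni documents for real integrations.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed values. Host, parameter names and signing layout are
# assumptions for illustration, not Omni's documented format.
EMBED_HOST = "https://embed.example.invalid"
SECRET = b"constructed-demo-secret"


def _signature(params, secret):
    # Canonical form: JSON list of sorted (key, value) pairs, so no value
    # can smuggle a separator and collide with a different parameter set.
    canonical = json.dumps(sorted(params.items()), separators=(",", ":"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_embed_url(content_path, external_id, attributes,
                    secret=SECRET, nonce=None):
    """Build the iframe URL server-side; the secret never reaches the browser."""
    params = {
        "contentPath": content_path,
        "externalId": external_id,
        # Attributes that drive the access filter travel inside the MAC.
        "userAttributes": json.dumps(attributes, sort_keys=True),
        # Fresh per URL, so a receiver can refuse a replayed link.
        "nonce": nonce or secrets.token_urlsafe(24),
    }
    params["signature"] = _signature(params, secret)
    return f"{EMBED_HOST}/embed/login?{urlencode(params)}"


def verify_embed_url(url, secret=SECRET):
    """Receiving side: recompute the MAC over every parameter but the signature."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    claimed = params.pop("signature", "")
    expected = _signature(params, secret)
    # Constant-time comparison on bytes; tolerates non-ASCII input.
    return hmac.compare_digest(claimed.encode(), expected.encode())


if __name__ == "__main__":
    url = build_embed_url("/dashboards/demo", "user-42", {"customer_id": "acme"})
    print(url)
    print("valid:", verify_embed_url(url))
    print("edited:", verify_embed_url(url.replace("acme", "globex")))
```

Because the tenant attribute is covered by the signature, it can safely feed an access filter, which is the property a hidden dashboard filter lacks.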
Data Security
For internal embedding, the content will only be visible to logged-in members of your Omni organization that have access to the underlying content. If they are not already logged in, they will be prompted to authenticate through the iframe.
For both internal and external embedding, the best practice for protecting data is to leverage user attributes to systematically filter the data.
Typically companies choose one of these two strategies for setting up their multi-tenant customer data:
- Row level security - If all of the data is inside one big table, you can assign a user attribute per user and client and use it as an access filter. Specifically, make sure to set up a default access filter, which is controlled in Omni with the default_topic_access_filters: setting.
- Schema level security - If each client is in a separate, identical schema, then you can leverage dynamic schemas.
Segmenting data using hidden dashboard filters is not a secure practice.
Embedded dashboards won't render correctly if the content you want to embed meets any of the following criteria:
- Content contains fields not modeled in a topic
- Content built on SQL
- Content saved in your personal folder (the content must be in the Shared hub)
- Content that contains changes to the workbook model's joins which have not been merged or promoted
In the event that you want to expose SQL-based or non-topic bound content to your embed users, you can accomplish this by enabling the AccessBoost role in the content's Share settings.
This has security implications, as you may expose data to your embed users that you don't want them to see.