Define base connection roles

When generating embed requests, set the connectionRoles parameter to either No Access or Viewer. This sets the default level of access for the connection and ensures that access to data must be granted on an individual user basis.

Leverage user attributes to control data access

To ensure appropriate data access for users, best practice is to leverage user attributes to systematically filter data.
  • Access filters, or row-level security, allow you to restrict the rows of data a user can access within a topic. Access filters apply the values assigned on a user attribute to the WHERE clause of every SQL query a user runs, so results are filtered down to only the data designated for that user.
  • Access grants define topic- and field-level permissions for users.

Implement security for multi-tenant instances

Segmenting data using hidden dashboard filters is not a secure practice.
Typically, companies choose one of the following strategies to set up multi-tenant customer data:
  • Row-level security - If all of the data is inside one table, you can assign a user attribute per user and client and use it as an access filter. Make sure to set up a default access filter in Omni with default_topic_access_filters.
  • Schema level security - If each client is in a separate, identical schema, you can leverage dynamic schemas.
  • Database level security - If each client is in a separate database and the schemas are identical across databases, you can leverage dynamic database environments.
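
Why a hidden dashboard filter does not isolate tenants while an access filter does, shown as an added example that is not Omni's code or API. The table, the function names, the `tenant` attribute and the default-deny branch are assumptions made for illustration, and the sample rows are constructed.

```python
import sqlite3

# Constructed sample data: one shared table holding rows for two tenants.
ROWS = [("acme", "order-1", 100), ("acme", "order-2", 250), ("globex", "order-3", 900)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (tenant TEXT, order_id TEXT, amount INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    return db

def hidden_filter_query(db, dashboard_filters):
    """Insecure pattern: tenant scoping is just another filter value carried
    in the request, so the tenant is whatever the request says it is."""
    sql = "SELECT order_id FROM orders WHERE tenant = ? ORDER BY order_id"
    return [r[0] for r in db.execute(sql, (dashboard_filters.get("tenant"),))]

def access_filtered_query(db, user_attributes, dashboard_filters):
    """Row-level security pattern: the tenant predicate comes from the user
    attribute assigned server-side and is ANDed onto every query. Request
    filters can only narrow the result, never widen it."""
    tenant = user_attributes.get("tenant")
    if not tenant:
        return []  # assumption: no attribute value means no rows (default deny)
    sql = "SELECT order_id FROM orders WHERE tenant = ?"
    params = [tenant]
    min_amount = dashboard_filters.get("min_amount")
    if min_amount is not None:
        sql += " AND amount >= ?"
        params.append(min_amount)
    # A "tenant" key in dashboard_filters is deliberately never read here.
    return [r[0] for r in db.execute(sql + " ORDER BY order_id", params)]

if __name__ == "__main__":
    db = make_db()
    acme_user = {"tenant": "acme"}
    print("hidden filter, edited value:", hidden_filter_query(db, {"tenant": "globex"}))
    print("access filter, same request:", access_filtered_query(db, acme_user, {"tenant": "globex"}))
    print("access filter, no attribute:", access_filtered_query(db, {}, {}))
```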

Build content on shared topics

Embedded dashboards won’t render correctly if the content you want to embed meets any of the following criteria:
  • Content contains fields not included in a topic in the shared model
  • Content built on SQL
  • Content that contains unpromoted changes to joins in the workbook’s model
To expose non-topic bound or SQL-based content, enable AccessBoost in the content’s Share settings. This has security implications, as you may expose data you don’t want your embed users to access.

Save content to the Shared hub

Along with the above criteria for building content on topics, embedded dashboards must be saved in your instance’s Shared hub. Dashboards will not render correctly if they are saved in personal folders.