Row-level security (RLS) with Indexima is used to restrict data access for given users. Filters restrict data access at the row level.

Given a fact table (containing at least an entity column), Row-level security (RLS) within Indexima is based on:

  1. A table that contains the rights to be applied, called "User_Rights_Table"
    1. This table contains the list of allowed entities per user (a user can be allowed multiple entities).
  2. An additional SQL filter on the fact table that applies a join clause with the aforementioned table

Implement Row-level security (RLS)

1. In the galactic.conf configuration file, make sure impersonation=true is set, so that users connect with their own credentials (and not through a service account).

2. Create the filter table (User_Rights_Table) as a DIMENSION table in order to speed up joins, with the following columns:

entity string,
Allowed_User string

3. To force Indexima to apply the filter clause, add a FILTER on the fact table:

ALTER TABLE fact_table ADD FILTER (JOIN User_Rights_Table on fact_table.entity=User_Rights_Table.entity AND User_Rights_Table.Allowed_User=current_user)

Make sure to use an INNER JOIN. A LEFT JOIN keeps the fact rows that have no matching entry in User_Rights_Table, so it does not produce the wanted filtering.
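The following added example (not Indexima code and not part of the original documentation) uses an in-memory SQLite database as a stand-in to show the join semantics behind the filter: what an INNER JOIN and a LEFT JOIN each return per user, and how a duplicated row in User_Rights_Table inflates aggregates. The sample rows, the amount column and the user parameter that emulates current_user are assumptions.

```python
import sqlite3

def build_db():
    """In-memory SQLite stand-in for fact_table and User_Rights_Table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE fact_table (entity TEXT, amount INTEGER);
        CREATE TABLE User_Rights_Table (entity TEXT, Allowed_User TEXT);
        INSERT INTO fact_table VALUES ('FR', 100), ('FR', 50), ('DE', 70), ('US', 30);
        INSERT INTO User_Rights_Table VALUES
            ('FR', 'alice'), ('DE', 'alice'), ('US', 'bob'),
            ('US', 'bob');   -- accidental duplicate grant
    """)
    return db

def total_for(db, user, join="INNER"):
    """SUM(amount) as `user` would see it; `user` emulates current_user."""
    if join not in ("INNER", "LEFT"):
        raise ValueError("join must be INNER or LEFT")
    sql = f"""
        SELECT COALESCE(SUM(f.amount), 0)
        FROM fact_table f
        {join} JOIN User_Rights_Table r
          ON f.entity = r.entity AND r.Allowed_User = ?
    """
    return db.execute(sql, (user,)).fetchone()[0]

def duplicate_grants(db):
    """Rights rows present more than once: each copy multiplies the joined fact rows."""
    return db.execute("""
        SELECT entity, Allowed_User, COUNT(*) FROM User_Rights_Table
        GROUP BY entity, Allowed_User HAVING COUNT(*) > 1
    """).fetchall()

if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):   # carol has no rights at all
        print(user,
              "INNER:", total_for(db, user, "INNER"),
              "LEFT:", total_for(db, user, "LEFT"))
    print("duplicate grants:", duplicate_grants(db))
```

With the INNER JOIN, a user without any entry in the rights table sees nothing, while the LEFT JOIN exposes every fact row to every user. The duplicated grant doubles the visible total for that user, so the rights table should be checked for duplicate (entity, Allowed_User) pairs.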

Check Row-level security (RLS)

Any user can check by sending basic queries to the Indexima cluster.

In the Monitor/Queries panel, users can see the username that sent each SQL query.

There is no way to see that a SQL query has been enriched with a JOIN clause that filters the data.

Using Impersonation of BI tools

In most cases, BI tools (PowerBI Desktop, Tableau) allow users to connect and use their current UserName.

Regarding the PowerBI service (used through PowerBI Gateway), there are additional steps to implement.