Security context

A fundamental feature of customer-facing analytics is that every user should only see only the data that they are allowed to see, and nothing more. That’s why row-level security is a first class citizen in Embeddable.

Embeddable dashboards are embedded in your website as a HTML web component:

<em-beddable 
	token='eyJhbGciOiJIUzI...'
/>

An important part of that is the required token parameter above which we call a security token. This must be retrieved by your server-side (for security reasons) from the Embeddable API whenever a user wants to access your Embeddable dashboard.

When requesting this security token you provide what we call a security context which is just a simple JSON object containing any context that you want to pass to your data models.

For example:

POST /api/v1/security-token
securityContext: { userId: 45, orgId: 'abc12' }

Response:
{ 'token': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uSWQiOiI3YjgyYzIzZC05M2YzLTQ1YzMtOTkwYi1hMzkzNjkyYmEzNmYiLCJlbWJlZGRhYmxlSWQiOiJmNWFhN2MxNy1iOTkxLTRiZmQtOWRkNy04YTJkNzMwOTM0MDMifQ.Tz_hYjdrmYG-Suek1auufcDGO_x59B0EfZX0c31fEog' }

This security context can be anything you like (userId and orgId above are just examples. You can pass any arbitrary objects and values).

This security context is then automatically available for you to use inside your data models, making it trivial to enforce row-level security:

cubes:
  - name: orders
		title: "Orders"
    sql: >
			SELECT * FROM public.orders
			WHERE org_id = '{ COMPILE_CONTEXT.securityContext.orgId }'
			AND user_id = { COMPILE_CONTEXT.securityContext.userId }
...

Or even, for example, if your customer data is split by schema, you can easily achieve this too:

cubes:
  - name: orders
		title: "Orders"
    sql_table: "{ COMPILE_CONTEXT.securityContext.orgId }.orders"
...

But if you’re unsure how best to approach your data security needs, just reach out to us. We’re here to help.

Testing your security context in Embeddable

To test out different security contexts in the Embeddable no-code builder, you can simply define some example security contexts in a file named src/presets/security-contexts.sc.yml like so:

- name: Nike
  securityContext:
    orgId: org5
    userId: 23478
- name: Adidas
  securityContext:
    orgId: 23
    userId: cmlidXRlIjoiZ2VvaXBf9sZSJ9LHsiYXR0

By doing so, each item in the list will appear under the “View as” drop down in the builder:

Screenshot 2024-02-07 at 18.10.43.png

Easily switch between contexts to preview your dashboard as different users.