Security for Embedded Applications: Authorization
In this video, we cover the second “A”: authorization, which refers to defining and enforcing privileges and permissions for a user.
There are two common methods for authorizing users: role-based access control (RBAC) and the access control list (ACL). In the first, a user is defined as a member of a group -- say finance administration -- and the group as a whole is assigned permissions. Another group in finance -- finance accounts payable -- could be assigned a different level of permissions. ACLs provide a finer-grained level of control. For embedding purposes, users, groups, and roles should be defined by the parent application.
My name is Olivier Meyer. I'm a Director of Product Management at Zoomdata, and my focus area is on embedding and integration with other applications.
So, we just covered authentication. That allows me to trust that you really are who you say you are. Now I need to be able to enforce what you're allowed to do once you're in the application or looking at the content, and we call that authorization.
Authorization: Role-Based Access Control
And what we see in the marketplace for the parent application that's embedding this content into their application is there are two models that people tend to use for modeling those security roles. One is called RBAC, or Role-Based Access Control, where you take users and you assign them to one or more groups. So, for example, you might be part of the HR group, and you might be part of the finance group. And because you're a member of those two groups, you've been given privileges to view financial information, and you've been given privilege to watch social security numbers. But, if I was not in the HR group, I might be able to see financial information but not social security numbers. So, that's really what Role-Based Access Control lets me do: I can assign those permissions and manage them for a group of users.
The Access Control List
The second model we see is called Access Control List, and that's for more fine-grained control over what someone's allowed to see. So, you might have created your own piece of content -- your own report, your own dashboard, your own chart. And you only want to allow one or two people to see it. That's called an Access Control List. You can grant Olivier and Robyn the right to see that piece of content.
Get Security Context from the Parent Application
So, what's important in embedding is to support those models but really to get the context about those rules directly from the parent application as opposed to making someone have to duplicate them, because once you duplicate security rules, you make the system less secure, because one way or another, someone's gonna forget to update one of the two copies. And so, what we try to do is to look for solutions that allow the parent application to pass in the context about the user and to leverage that context. And I mentioned a couple of standards earlier. SAML and LDAP both allow us to pass in additional context about the user that the BI platform can then use to enforce security rules. So, those are the types of things that someone who's looking to embed BI or embed analytics into their own application is going to want to look for.
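The two models described above, combined in one check, as an added example that is not part of the video or of any Zoomdata code: the embedded side keeps no user-to-group table of its own and decides only from the context the parent application passes in. The names `UserContext`, `Content`, `GROUP_PERMISSIONS`, the permission strings, and the user `sam` are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# RBAC: permissions attach to groups, never to individual users.
# Group and permission names are hypothetical.
GROUP_PERMISSIONS = {
    "finance": {"view_financials"},
    "hr": {"view_ssn"},
}

@dataclass(frozen=True)
class UserContext:
    """What the parent application asserts about the signed-in user,
    e.g. attributes carried in a SAML assertion or read from LDAP."""
    username: str
    groups: frozenset

@dataclass
class Content:
    name: str
    required: set = field(default_factory=set)  # RBAC permissions needed
    acl: Optional[set] = None                   # usernames; None = no ACL

def permissions_for(ctx: UserContext) -> set:
    perms = set()
    for group in ctx.groups:
        # Unknown groups grant nothing (default deny).
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

def can_view(ctx: UserContext, content: Content) -> bool:
    # ACL check: if the object lists viewers, the user must be one of them.
    if content.acl is not None and ctx.username not in content.acl:
        return False
    # RBAC check: the user's groups must cover every required permission.
    return content.required <= permissions_for(ctx)

# Constructed sample data.
finance_report = Content("finance report", {"view_financials"})
payroll = Content("payroll", {"view_financials", "view_ssn"})
private_chart = Content("private chart", acl={"olivier", "robyn"})

olivier = UserContext("olivier", frozenset({"finance", "hr"}))
sam = UserContext("sam", frozenset({"finance"}))

if __name__ == "__main__":
    for user in (olivier, sam):
        for item in (finance_report, payroll, private_chart):
            print(user.username, item.name, can_view(user, item))
```

Because group membership arrives with each request, a change made in the parent application takes effect here without a second copy of the rule to update.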