Do I Need to Import Users to work with Bold BI Dashboards in Terms of Embedding?
We can embed dashboards from Bold BI without importing users by using Anonymous user embedding with Row-Level Security, where user identity is passed via token to filter data dynamically and Group Based Authorization where you can import only groups and assign dashboard access based on group roles, avoiding individual user management.
Anonymous User Embedding
Anonymous user embedding in Bold BI allows you to embed dashboards for users who are not registered in the Bold BI server. This feature uses group-based authorization with SDK-based embedding.
Implementation Steps for Anonymous User Embedding
1. Enable the System User
Log in to your Bold BI or Bold Reports site as an admin and navigate to:
{your-domain}/ums/sites
Enable the System User option on the UMS Accounts page and save the changes.
This user will be added only to the Bold BI server database and won’t be visible in the Bold BI users list.
2. Create a Group
Create a new group without adding any users and assign the necessary permissions.
3. Use Parameters in Authorization Server
| Parameter | Description | Example |
|---|---|---|
embed_user_email |
Anonymous user email not available in Bold BI Server | anonymous@example.com |
embed_anonymous_token |
Enable/disable anonymous user embedding | &embed_anonymous_token=true |
embed_authorize_group |
Group name to be accessed by the anonymous user | &embed_authorize_group=Alpha |
Example Implementation
[HttpPost]
[Route("embeddetail/get")]
public string GetEmbedDetails(string embedQueryString, string dashboardServerApiUrl)
{
// Use your user email as embed_user_email
// This is the read-permission user in Bold BI, which has access to the data source linked to the dashboard.
embedQueryString += "&embed_user_email=anonymous@example.com";
// Adding custom attributes for the logged-in user.
embedQueryString += "&embed_anonymous_token=true&embed_authorize_group=Alpha";
// To set embed_server_timestamp to overcome EmbedCodeValidation failures when using different time zones in the client application.
double timeStamp = (int)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1)).TotalSeconds;
embedQueryString += "&embed_server_timestamp=" + timeStamp;
var embedSignature = "&embed_signature=" + GetSignatureUrl(embedQueryString);
var embedDetailsUrl = "/embed/authorize?" + embedQueryString + embedSignature;
using (var client = new HttpClient())
{
client.BaseAddress = new Uri(dashboardServerApiUrl);
client.DefaultRequestHeaders.Accept.Clear();
var result = client.GetAsync(dashboardServerApiUrl + embedDetailsUrl).Result;
string resultContent = result.Content.ReadAsStringAsync().Result;
return resultContent;
}
}
Dashboard Rendering
Render the dashboard viewer using the anonymous user.
Anonymous access is available only for the single dashboard viewer from Bold BI Version 10.1 onwards.
Group Based Authorization
Bold BI embedding supports group-based authorization for OAuth 2.0 and OpenID providers. With this support, you can configure and import your OAuth or OpenID groups into the Bold BI server without importing the users of the group. However, every user from the group can access the Bold BI dashboard.
Importance of Group-Based Authorization
Group-based authorization is particularly advantageous for organizations that:
- Avoid Redundant User Management: Organizations can manage user information in a single location, reducing the complexity of maintaining user data across multiple applications.
- Enhance Security: By not duplicating user data, organizations can mitigate security risks associated with data breaches and unauthorized access.
- Streamline User Management: Organizations can manage users within their original authentication provider, such as AWS Cognito, simplifying the overall user management process.
When a group is imported into the Bold BI server, the individual users within that group are not directly imported. Instead, users can access and embed dashboards based on the permissions assigned to their respective groups, while the organization retains control over user management in their original provider.
Implementing Group-Based Authorization
To successfully implement group-based authorization in Bold BI embedding, follow these steps:
- Configure Your Authentication Provider: Set up your authentication provider (e.g., AWS Cognito) to work with the Bold BI server.
- Import Groups into Bold BI: Import the necessary user groups from your authentication provider into the Bold BI server.
- Assign Access Permissions: Provide the appropriate access permissions to the imported groups to ensure they can access the required dashboards.
- Configure the Authorize API: Set up the Authorize API to utilize group-based authorization effectively.
Configuring the Authorize API
When configuring the Authorize API for group-based authorization, it is essential to include specific parameters in the embedQuery. The following parameters should be added:
| Parameter | Description |
|---|---|
embed_group_access |
Set to true to enable group-based authorization. |
embed_auth_provider |
Indicates which authentication provider is being used (e.g., GlobalOAuth). |
embed_user_id |
The user ID as recognized by your authentication provider. |
embed_user_email |
The user email as recognized by your authentication provider. |
Example query string:
&embed_group_access=true&embed_auth_provider=GlobalOAuth&embed_user_id=user@domain.com&embed_user_email=user@domain.com
Supported Authentication Providers
You can use various OAuth 2.0 or OpenID providers with Bold BI:
OAuth 2.0 Providers
OpenID Providers
By following these guidelines, organizations can effectively implement group-based authorization in Bold BI, ensuring secure and efficient access to dashboards while maintaining centralized user management.
Conclusion
Using anonymous embedding with RLS and Group-based authorization, Bold BI enables seamless dashboard embedding without importing individual users with secure and enables personalized access.
Additional Resources
