Implementing Dynamic User Impersonation with SSO in JavaScript Embedding
Dynamic user impersonation with row-level security is a powerful feature that allows for a seamless and secure user experience when embedding Bold BI dashboards into applications that use Single Sign-On (SSO) for user authentication. This article explains how to achieve dynamic impersonation with row-level security in Bold BI without requiring users to be pre-configured.
Authenticating Users for JavaScript Embedding
To authenticate and embed a dashboard, you must have at least one user with appropriate permissions present in the Bold BI application. This user’s email is used for authentication purposes and is passed to the Bold BI application using the embed_user_email query parameter of the Authorize REST API.
Here’s an example of how to authenticate a user in your application:
    [HttpPost]
    [Route("AuthorizationServer")]
    public string AuthorizationServer([FromBody] object embedQueryString)
    {
        // ... other code ...
        // Bold BI user whose permissions are used to authorize the embed request.
        embedQuery += "&embed_user_email=boldbiuser@123";
        // ... other code ...
        // Sign the complete query string; the signature is appended last.
        var embedDetailsUrl = "/embed/authorize?" + embedQuery + "&embed_signature=" + GetSignatureUrl(embedQuery);
        using (var client = new HttpClient())
        {
            client.BaseAddress = new Uri(embedClass.dashboardServerApiUrl);
            client.DefaultRequestHeaders.Accept.Clear();
            // Call the Authorize REST API and return its response to the caller.
            var result = client.GetAsync(embedClass.dashboardServerApiUrl + embedDetailsUrl).Result;
            string resultContent = result.Content.ReadAsStringAsync().Result;
            return resultContent;
        }
    }
Performing User Impersonation with Row-Level Security In Embedded Dashboard
Your application may use external authentication providers such as OAuth, OpenID, Azure AD, Windows AD, or similar authenticators to authenticate users. To integrate the dashboard with each user’s data upon logging into the application, there is no need to set up the external authentication provider in Bold BI. Instead, the data source used to configure the dashboard must contain the necessary user details for impersonation purposes.
To impersonate a user with row-level security, the user details should be retrieved from the SSO token and passed through the query parameter “embed_datasource_filter” of the Authorize REST API of the embedded application. This query parameter will filter the data in the dashboard’s data source based on the user details provided.
Here’s an example of how to perform user impersonation:
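    [HttpPost]
    [Route("AuthorizationServer")]
    public string AuthorizationServer([FromBody] object embedQueryString)
    {
        // ... other code ...
        // Bold BI user whose permissions are used to authorize the embed request.
        embedQuery += "&embed_user_email=boldbiuser@123";
        // ... other code ...
        // Row-level filter: column EmployeeId, value EMP100. The value is hard-coded
        // here for illustration; it stands for the user detail read from the SSO token.
        embedQuery += "&embed_datasource_filter=" + "[{&EmployeeId=EMP100}]";
        // Sign the complete query string, filter included; the signature is appended last.
        var embedDetailsUrl = "/embed/authorize?" + embedQuery + "&embed_signature=" + GetSignatureUrl(embedQuery);
        using (var client = new HttpClient())
        {
            client.BaseAddress = new Uri(embedClass.dashboardServerApiUrl);
            client.DefaultRequestHeaders.Accept.Clear();
            // Call the Authorize REST API and return its response to the caller.
            var result = client.GetAsync(embedClass.dashboardServerApiUrl + embedDetailsUrl).Result;
            string resultContent = result.Content.ReadAsStringAsync().Result;
            return resultContent;
        }
    }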
We have included the query parameter embed_datasource_filter with the column name EmployeeId and the value EMP100 to filter the dashboard. This allows the SSO-authenticated employee EMP100 to view the dashboard filtered to their own data.
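Because the filter value is what restricts each user to their own rows, it has to be derived on the server from the validated SSO identity rather than from anything the browser sends. The following is an added example, not code from the Bold BI samples: it builds the embed_datasource_filter value from a claim and refuses browser-supplied copies of the parameters the server sets and signs. The EmbedFilter class, its method names, the employee_id claim name and the id pattern are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Text.RegularExpressions;

public static class EmbedFilter
{
    // Assumed id format (for example "EMP100"). The strict pattern keeps '&', '=',
    // braces and brackets out of the value, so it cannot alter the structure of
    // the filter expression.
    private static readonly Regex SafeId =
        new Regex(@"\A[A-Za-z0-9_-]{1,64}\z", RegexOptions.CultureInvariant);

    // Parameters that only the server may set before the query string is signed.
    private static readonly string[] ServerOnly =
        { "embed_user_email", "embed_datasource_filter", "embed_signature" };

    // Throws if the browser-supplied query already carries a server-only parameter.
    // The check is a deliberately broad substring match, so it fails closed.
    public static void RejectServerOnlyParameters(string clientQuery)
    {
        string decoded = Uri.UnescapeDataString(clientQuery ?? string.Empty);
        foreach (string name in ServerOnly)
        {
            if (decoded.IndexOf(name, StringComparison.OrdinalIgnoreCase) >= 0)
                throw new ArgumentException("Client query must not contain " + name);
        }
    }

    // Builds the filter value from the authenticated SSO identity, never from request data.
    public static string FromPrincipal(ClaimsPrincipal user, string claimType, string column)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated SSO identity.");

        string id = user.FindFirst(claimType)?.Value;
        if (id == null || !SafeId.IsMatch(id))
            throw new UnauthorizedAccessException("Missing or malformed claim: " + claimType);

        return "[{&" + column + "=" + id + "}]";
    }
}

// Usage inside AuthorizationServer ("employee_id" is a hypothetical claim name):
//   EmbedFilter.RejectServerOnlyParameters(embedQuery);   // before the server appends anything
//   embedQuery += "&embed_datasource_filter="
//               + EmbedFilter.FromPrincipal(User, "employee_id", "EmployeeId");
```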
Adding and Managing Users via REST API
For scenarios where users need to create or edit dashboards, you must add them to Bold BI using the REST API. An administrative user can add new users and assign permissions through the API.
API Endpoints to Add Users and Provide Permissions
- For On-Premise Tenants:
  - Add Users: https://{yourdomain}/bi/api/site/<site_identifier>/v5.0/users
  - Provide Permissions: https://{yourdomain}/bi/api/site/<site_identifier>/v5.0/permissions/users
- For Cloud Tenants:
  - Add Users: https://{yourdomain}/bi/api/v5.0/users
  - Provide Permissions: https://{yourdomain}/bi/api/v5.0/permissions/users
These APIs can be used to manage users and permissions within your JavaScript-embedded applications.
Additional References
For more detailed information on embedding Bold BI in your application and using the server API, please refer to the following resources:
- Embedding Bold BI in Your Application
- Bold BI Server API Reference for Adding Users
- Bold BI Server API Reference for User Permissions
By following the steps outlined in this article, you can effectively implement dynamic user impersonation with SSO in your JavaScript applications, enhancing the user experience with personalized and secure dashboard views.