Show/Hide tabs for user groups

[Paul Hickford 2]

Hi all,

I'm looking for some documentation about how to show/hide tabs for user groups.  I am in the process of building a dashboard which will be accessed by users using the analyst client (currently version 12).  I have setup row level security by including filters into the information link using the %1 in (%CURRENT_GROUPS%) statement in a filter.  This works perfectly, but has the consequence that some of the visualizations built on the full dataset (intended for a subset of users) don't show anything meaningful to the users in the limited groups.  Ideally I'd like to keep one version of the dashboard for all users to keep the maintenance as simple as possible, but would like to be able to show/hide some tabs for some of the user groups.

My intention is to keep my current landing page and all tabs visible for one set of users but have a simplified landing page and a subset of the tabs visible to some users as defined by group membership.  I've seen some posts like this one suggesting this can be done using Iron Python scripts, but the details in the post aren't clear for me to follow.  Any guidance or documentation to do this would be much appreciated. 

 

[David Boot-Olazabal]

Hi Paul,

I have done this once for a customer, before we were able to hide pages.

It basically removed the page for restricted users. And since these user groups couldn't save the analysis file, it worked fine.
I should have that somewhere (will post it if I find it).

When I find it, I'll also see if I can make the pages hidden for these user groups in stead of removing them on runtime. That is still a bit more secure...

Kind regards,

David

[Olivier Keugue Tadaa]

Hi Paul

I confirm that this is possible with an IronPython script that will be executed when a user opens a report (how to trigger a script can be discussed later)
 

Basically , this is what you need 

1. A rudimentary role-based access control that can be implemented with a data table with two columns (user-name, tab) providing the information on who can access what. That information can be stored on a database and retrieved using the same principle that you described for the row-level security with %CURRENT_USER%. You can implement a more complex solution depending on your needs
2. an IronPython script that reads from this data table and hides all the tabs except the one that the user can access
   (you might probably need some knowledge of our client API and Python language but I believe there are some available code snippets)
3. A trigger to run that script when a user opens the dashboard (the datetime data function I suggest for this step is explained here )

This solution has been implemented by some of our customers and works on both the Web Player and the Analyst Client

 

I hope this helps

Edited July 5 by Olivier Keugue Tadaa

[David Boot-Olazabal]

Hi Paul,

I've found my example dxp file.
Not sure what version you're on, but I made it work for Spotfire 14.4.

The main idea is as Olivier explained. I have a dataset and I'm using a special info link to pick the user group which I need to restrict. Based on the outcome of the info link data, I'm able to hide a page for those restricted users.
The script also offers the initial option to remove the page (I made it inactive though), but hiding the page feels a bit better to me.

As I'm using 3 scripts in total, and I also have 3 document properties that interact with them:

The sysdate and UserGroup properties are filled by a data function. The sysdate isjust the system date of opening the file and the UserGroup comes from the information link. If you have only one group that needs to be restricted, you can set the value hardcoded in the data function (it currently is an expression).

Let me know if you can open this analysis file or that you need it in a different version to see how it works.

Kind regards,

David

Dashboard with Restricted Tab example.dxp

[Paul Hickford 2]

Thanks for your help, I'm having another look at this today so these files look useful.  I have already created an information link that loads the users group membership by querying the Spotfire database and applying row filtering to show groups based on the %CURRENT_USER%.  Hopefully I can use this as a check to show/hide the relevant tabs based on groups so that I have a single point of administration.

[Paul Hickford 2]

Our prod system is on v12 for the moment, so I wasn't able to open your file but I think I managed to get enough information from suggestions here and this youtube video.

Essentially I created a view based on this that I exposed via an information link filtered to the %CURRENT_USER%

select
users.user_name,
groups.group_name
from group_members_view
join users on group_members_view.member_user_id=users.user_id 
join groups on group_members_view.group_id = groups.group_id

This give a table called UserGroups with a row per group the user is in.  I pivotted this to give a single row, with a concatenation of the groups.  Eg:

USER_NAME	GROUP_LIST
username1	Site1, TeamA, Everyone

Then this IronPython script:

from Spotfire.Dxp.Data import *

#Read user name or user group
username = ""
groupname=""
table=Document.Data.Tables["UserGroups"]
cursor1 = DataValueCursor.CreateFormatted(table.Columns['USER_NAME'])
cursor2 = DataValueCursor.CreateFormatted(table.Columns['GROUP_LIST'])
for row in table.GetRows(cursor1,cursor2): 
    username = cursor1.CurrentValue
    groupname = (cursor2.CurrentValue)

#Create list of pages as per the username or group
#Any other logic to select page will go in this part
visiblePageList = []
if "Global" in groupname:
 visiblePageList = ["Landing Page","Site1","Site2"]
elif "Site1" in groupname:
 visiblePageList = ["Site Landing Page","Site1"]
elif "Site2" in groupname:
 visiblePageList = ["Site Landing Page","Site2"]
else:
 visiblePageList = ["Error"]

#Show or hide the page based on the visibilityPageList
for page in Document.Pages:
 print(page.Title)
 if page.Title in visiblePageList:
  page.Visible=True
 else:
  Document.Pages.Remove(page)
# page.Visible=False

This version as I have it configured actually deletes the unneeded tabs, but by swapping the comments from the last two lines it can hide them instead.

I already have a document property that uses the current date time to calculate some forward and backward looking dates into Document properties, so it was easy to make the script run on document load,

One limitation/issue I'm aware of is that the group checks are done in order and as soon as one is satisfied the check ends, so if a user was in the Site1 and Site2 groups they would only see tabs for Site1.  In my case this shouldn't be an issue as people are either in the Global group or one of the local groups, but this may need refining.  Also needs some care to ensure the group names do not allow accidental matches, eg Site1 could also match Site11, Site12 etc, but this isn't an issue for me.

[David Boot-Olazabal]

Hi Paul,

I have converted my 14.4 dxp file to a 12.0 LTS dxp file.

That should give you the possibility to open the dxp file and do a cross-check on the code.

Kind regards,

David

Dashboard with Restricted Tab example.dxp