How to setup 360Eyes for MultiTenancy
Symptom
How to setup 360eyes when it is shared by multiple customer ? How to run snapshot for each customer and show only specific snapshot to specific customers ?
SPECIFICATIONS
Acme Corporation hosts 6 customers on one BOBJ platform, they described the environment as a multitenant env. They have 1 CMS, but different physical servers for these 6 customers, I guess it is their FRS that is on each server. They segregate everything by groups.
They have one 360eyes install. Currently, they send 360eyes reports to these customers, filtering out data so they only see their information. They want to be able to provide access to the 360Eyes reports to these customers, but prevent them from seeing each others data. Can you think of a way to do this? I was thinking there must be a way to restrict this at the universe level, or maybe they need separate databases. I think the Reports in the Reports folder would be most useful, Impact Analysis and User Activity reports.
Some things I was thinking of:
Could row level security be put on the Universe to restrict the folders they could see, based on their group, so they would only see their reports?
Create 360Eyes databases, limit the extraction on Universe folders and parent folders so they only extract info for each customer.
ANSWER
Capacity
360eyes is able to run jobs on multitenancy platforms and report on that easily. For that we are using the following feature :
Ability to run 360eyes on user with specific ‘vision’ of the system
Ability to run 360eyes report on universe with specific row level security to filter data
Detailed
Create dedicated users
360eyes is able to run jobs with a ‘filtered’ user that can see only part of the system. Imagine that Acme Corp host 2 customers, Acme1 and Acme2. Then create following users on the BOBJ systems :
acme1_360eyes
acme2_360eyes
Each user must be able to see ONLY data (reports, universes, users, groups...) specific to the specific customer. This is achieved by doing BOBJ security on folders, universes and so on. Generally this security setup inside BOBJ is already done and the *_360eyes user must be granted just the ‘admin’ role for each customer.
Setup 360eyes
Setup the following parameter in the 360eyes.param:
- snapshot.distinct.user = ON
Run 360eyes
Then RUN 360eyes with this user :
Run CMS job with the user acme1_360eyes
Run CMS job with the user acme2_360eyes
You must end up with 2 snapshots in the database :
ID | Name | Cluster | User |
1 | CMS | ACME | acme1_360eyes |
2 | CMS | ACME | acme2_360eyes |
Cluster name is the same but user not the same. You can force the name of the cluster with -forceCluster=XXX if needed.
Check that the data is correct (snapshot 1 must correspond to Acme1 universes and reports and 2 to Acme2 data). The data is not filtered yet for end-user usage.
You can run the other jobs with the same setup.
Setup 360eyes universes
Now it is time to filter data to allow end-user access. For that we will use row-level security inside 360eyes universes. I will describe how to do that in 360eyes_CMS universe but the same process must be applied on all 360eyes universes.
Open Designer for UNV (IDT for UNX)
Open 360eyes_CMS universe
Go to Tools / Security / Manage Access Restriction and add a new restriction on the left :
You must filter on the field EYE_SNAPSHOT.SNAPSHOT_USER.Do the same for Acme2. You must end up with that :
Then apply the restrictions (on the right) to the right groups (generally global groups for Acme1 and Acme2). You must be sure that the group selected contains all users of the right company (if not the restriction will not be applied on the user and he will see all snapshots !)
Save and export the universe
Then each time an user of Acme1 refresh a 360eyes report he will see only Acme1 data !
