Atoti Access Control

In Atoti, it is possible to filter and transform the information differently for different users or user groups. For example, one can make European users see only the data regarding Europe, or see all the prices in €. It is also possible to hide dimensions and hierarchies from some users or user groups. All these context-dependent elements can be configured through the so-called context values: in particular, the values of interest are subcube properties and mdx contexts.

Entitlements apply through context values

Subcube properties and mdx contexts are controlled by context values that are assigned after authentication and at each query start.

Once authenticated, users are assigned a set of context values that depends on their roles. These values define, for example, the resources they can access, or change how the results are computed.

Then, at each query start, a Spring filter calls Atoti's context value manager. The latter provides the context values that are then attached to the context of this query, and thus define the subcube properties.

IEntitlementsProvider: defines which entitlements to attribute

Spring Security tokens are materialized in Atoti as ISecurityDetails, which simply holds a user's roles and username. An IEntitlementsProvider defines which entitlements (i.e. context values) are associated with each ISecurityDetails. For instance, the mdx context can be overridden depending on the user's roles, including changes in hierarchy visibility. SubCubeProperties can likewise be used to limit access to certain members of the pivot's hierarchies depending on the user's roles.

Roles are ordered to be able to choose which context value to set when two roles define the same context value. The order is defined by an IAuthorityComparator.

For example, USER role and ADMIN role may both define a value for the query time limit. If the ADMIN role is considered of higher authority than the USER role by the IAuthorityComparator, then its value will be used to set the query time limit.
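
The precedence rule above, as a stand-alone Java model added here; it is not Atoti code and not taken from the sandbox. The class name, the role order and the sample values are assumptions, and the model applies the rule uniformly to every context value.

```java
import java.util.Comparator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Stand-alone model of role precedence; none of these names are Atoti classes. */
public class RolePrecedenceModel {

    // Hypothetical authority order, lowest first (stands in for the authority comparator).
    static final List<String> AUTHORITY_ORDER = List.of("USER", "ADMIN");

    // Roles missing from the list get index -1, so they rank below every known role.
    static final Comparator<String> BY_AUTHORITY =
            Comparator.comparingInt(AUTHORITY_ORDER::indexOf);

    // Constructed sample entitlements: role -> (context value name -> value).
    static final Map<String, Map<String, String>> ENTITLEMENTS = Map.of(
            "USER", Map.of("queryTimeLimit", "30s", "mdxContext", "user-view"),
            "ADMIN", Map.of("queryTimeLimit", "300s"));

    /** Resolves the effective context values for a set of granted roles. */
    static Map<String, String> resolve(Set<String> roles) {
        Map<String, String> effective = new LinkedHashMap<>();
        roles.stream()
                .sorted(BY_AUTHORITY) // lowest authority first ...
                .forEach(role -> effective.putAll(
                        // ... so a higher role overwrites a value set by a lower one
                        ENTITLEMENTS.getOrDefault(role, Map.of())));
        return effective;
    }

    public static void main(String[] args) {
        // Both roles define queryTimeLimit, so ADMIN's value is used. Only USER
        // defines mdxContext, so in this model that value still applies.
        System.out.println(resolve(Set.of("USER", "ADMIN")));
        System.out.println(resolve(Set.of("USER")));
        // A role with no entitlements contributes no context values.
        System.out.println(resolve(Set.of("GUEST")));
    }
}
```

When reviewing a real configuration, list the context values each role defines side by side: a conflict is settled only for values that more than one role sets.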

Sandbox Example

Defining Entitlements

The sandbox defines its IEntitlementsProvider in RoleContextConfig.entitlementsProvider(), and its IAuthorityComparator in ASecurityConfig.authorityComparator().

Starter

Atoti Server Starter provides a default security configuration. To find out more about it, please refer to Atoti Server Starter.

Advanced topics

By default, ISecurityDetails simply holds the username and user roles, but you can generate richer details. To do so, simply define your own ISecurityFacade using the setSecurityFacade method. The sandbox provides an example through its SpringSecurityFacade.