Set Custom Access Request Messages for External Reports

New in Version 5.6, our Content Security and Discoverability capabilities have been expanded to allow customization of Access Denied messages for content.

You may specify tailored messages, control where Requests for Access are routed, and are now able to support both centralized Access Request processing (via a tool like SAP's GRC) and distributed Access Request responsibilities via a Metric Insights-only workflow.

There are three different levels where Access Denied options can be set:

  1. Element  
  2. Category  

The system will first check the Element Editor to verify Access settings and the default No Access tile formatIf the Report settings do not include a Custom Access Message, then the Category Editor will be accessed to locate a Custom Message. The first Message encountered will be used.

3.    BI Tool authorization. This will only be checked when User already has access to External Report in Metric Insights.

This article will explain how to apply Customized Access Request processing for each Editor.  The system will default to standard error messaging if no customization has been set up, see Provide users with the ability to request access to inaccessible content

In this initial implementation, the 3rd option (validation for BI Tool Authorization) is only available for Tableau and only when the Username is passed through SAML. 

1. The basics are determined by company's Request Access procedures

1.1. Access Request Flow 1: Manage Within Metric Insights

Set the required Access-request variables in the Config file (Admin > Utilities > System Config):

  1. Type 'access' in the Search field to narrow your options
  2. Set 'SHOW_ITEMS_WITHOUT_ACCESS' to 'Y'
  3. Set 'SEND_ACCESS_REQUEST_DIGEST' to 'Y'
  4. Set 'ACCESS_REQUEST_VIA_WEBPAGE' to 'N'
  5. Commit your changes

Note:  Flow #1 additional settings:

  1. (Required) Setting the External Report to be Discoverable to Users Without Access - see Step 2 Set Custom Access Request fields on External Report Editor.
  2. (Optional) Set Custom Access Request message and /or email at either the External Report element level or the associated Category level.

Example of  "Request Access" process with default message. This request email will be sent to either the Access Request Email if specified in Steps 2 or 3, or will  default to your Support Admins' emails.

  1. Select [Process Request] to access the User access requests grid
  2. Select one of the two Control icons to process or deny this request
    1. X mark will deny access (no further processing)
    2. Check mark - will process the request as shown below

Either way this request will be removed from the grid

 

  1. Select whether you want to grant Access to the specific element or to all elements within the Category
  2. Share to complete request
  3. Metric Insights will automatically add requested element or Category to this User
1.2. Access Request Flow 2: Manage via Access Request API (like SAP's GRC tool)

Set the required Access-request variables in the Config file (Admin > Utilities > System Config):

  1. Type 'access' in the Search field to narrow your options
  2. Set 'SHOW_ITEMS_WITHOUT_ACCESS' to 'Y'
  3. Set 'SEND_ACCESS_REQUEST_DIGEST' to 'Y' (optional)
  4. Set 'ACCESS_REQUEST_VIA_WEBPAGE' to 'N'
  5. Set 'ACCESS_REQUEST_URL_PASSWORD' to a valid password for the URL_USERNAME
  6. Set 'ACCESS_REQUEST_URL' to the end-point of your Access Request API
  7. Set 'ACCESS_REQUEST_URL_USERNAME' to a valid User for API authentication
  8. Commit your changes

When the "Request Access" button is clicked, a request will be sent to the endpoint set via "ACCESS_REQUEST_URL", passing Access Request Group set on the External Report Editor (optional, mentioned below), and a request email will be sent to Support Admins (if 'SEND_ACCESS_REQUEST_DIGEST' = 'Y'). (see Access the Advanced tab of the External Report Editor).

Note:  Flow #2 additional settings:

  1. (Required) In the External Report Editor: see step 2
    1. Toggle "Discoverable to Users Without Access" to 'ON'
    2. Set the "Access Request Group" to a valid LDAP group. This determines the group the user needs to be added to in order to gain access the content. Only applies in cases where Metric Insights and LDAP are regularly synced.
  2. (Optional) Set Custom Access Request message and/or email at either the External Report element level or the associated Category level. See Steps 2 and 3 below.

Example of  "Request Access" process. This request email will be sent to either the Access Request Email if specified in Steps 2 or 3, or will  default to your Support Admins' emails.

  1. Select Process request to access the User access requests screen
  2. Select one of the two Control icons to process or deny this request
    1. X mark will deny access (no further processing)
    2. Check mark - will process the request as shown below

Either way this request will be removed from the grid

  1. Select whether you want to grant Access to the specific element or to all elements within the Category
  2. Share to complete request
  3. Metric Insights will automatically add requested element or Category to this User
1.3. Access Request Flow 3: Manage via External Form/Webpage

Set the required Access-request variables in the Config file (Admin > Utilities > System Config):

  1. Type 'access' in the Search field to narrow your options
  2. Set 'ACCESS_REQUEST_URL' to [a webpage set to process Access Requests]
  3. Set 'ACCESS_REQUEST_VIA_WEBPAGE' to 'Y'
  4. Set 'SHOW_ITEMS_WITHOUT_ACCESS' to 'Y'
  5. Commit your changes

Note:  Flow #3 additional settings:

  1. (Required) Setting the External Report to be Discoverable to Users Without Access - see Step 2.

NOTE: Any Custom Access Request messages or email set either on the External Report Editor or the associated Category Editor will be ignored

When "Request Access" button is clicked, User will be sent directly to specified Web page and access will be processed via your company's standard method. (below is just an example)

2. Set Custom Access Request fields on External Report Editor  

Create a New Tableau Report (New > External Report),  Select the Tableau Report Type, and follow instructions in How to create an External Report from Tableau.

Or access an existing External Report from your Homepage via the edit icon (gear).

2.1. Access the Advanced tab of the External Report Editor
  1. Toggle "Make Discoverable" to On to open additional fields
  2. Required for Flow #2. If you utilize an API for managing the Access Requests, select the LDAP Group that the User should be added to in order to access this content. Other flows will ignore this field value.
  3. (Optional)To apply a distinct display for inaccessible elements on the Homepage, select 'Upload Public Image File'  to open a standard Upload Image popup. Otherwise the default image from Configuration tab will be displayed.
2.2. (Optional) Select your own distinct image for Discoverable Homepage tile.
  1. Select 'Upload Public Image File'  box
  2. The Upload Image pop-up will appear to allow you to select an alternative image.
2.3. (Optional) Customize the Access Deny message

Note: if you do not specify a Access message at the External Report level, the system will check the associated Category for a message. If neither is specified, the Standard Message will display.

 Toggle the 'Use Custom Access Denied Message' to 'ON'

  1. You can control the Message display using the standard formatting options
  2. You can insert the following variables using the dropdown:
  3. [Element name] causes the system to  substitute the External Report name in the display
  4. [More Info] provides a link to show list of Support Admins that can assist you
  5. (Optional) Provide an Access Request email address to be informed of this Access Denial. This field will over-ride the Standard option to send email to your Support Admin(s) for Access.

3. Set Custom Access Request fields on Category Editor

If Access Denied Message is NOT set at the Element level, the message set at the associated Category level for that element will be used. If Access Denied message is not set at either, the Standard Access Denied message will display.

3.1. Access Category Editor > Info tab
  1. One the Info tab, toggle the 'Use Custom Access Denied message' to ON
  2. Follow the procedure for setting message as shown in Step 2.2 above
  3. If Access Request Email as not been specified on the Report Editor, it may be set here and will apply to all External Reports set to 'Make Discoverable' in this Category

4. Verify if Report Type has been setup to allow verification of Access

The first 2 levels of verification will be available for all External Reports. The Verify Option below is currently only implemented  for Tableau and only for Request Flows 1 and 2.

4.1. Check that External Report is set correctly for Access check

This setting will allow Metric Insights to verify User Access to the specified Tableau Workbooks and Dashboards.

  1. Click on edit gear to open Report Type Editor
  2. Scroll to bottom of Editor
  3. Verify that Pre-verify User Access through Tableau API is set to 'Y'  (Note: this option must be set up through the API by systems engineer; you should not modify this option)

 

0 Comments

Add your comment

E-Mail me when someone replies to this comment