Set Custom Access Requests for External Reports

New in Version 5.6,  our Security has been expanded to allow clients to customize how Denial of Access is handled.  Customers can specify tailored messaging and can control where Requests for Access are routed and are now able to support both centralized Access Request processing and distributed Access Request responsibilities. 

There are three different levels where Access Deny options can be set:

  1. Metric Insights Security for an Element  
  2. Metric Insights Security for a Category  

The system will first check the Element Editor to verify Access settings and the default No Access tile formatIf the Report settings do not include a Custom Access Message, then the Category Editor will be accessed to locate a Custom Message. The first Message encountered will be used.

3.    BI Tool authorization. This will only be checked when User already has access to External Report in Metric Insights.

This article will explain how to apply Customized Access Request processing for each Editor.  The system will default to standard error messaging if no customization has been set up, see Provide users with the ability to request access to inaccessible content

On this initial implementation, the 3rd option (validation for BI Tool Authorization) is only available for Tableau and only when the Username is passed through SAML. 

1. The basics are determined by company's Request Access procedures

1.1. Access Request Flow 1: Manage Within Metric Insights

Set the required Access-request variables in the Config file (Admin > Utilities > System Config):

  1. Type 'access' in the Search field to narrow your options
  2. Set 'SHOW_ITEMS_WITHOUT_ACCESS' to 'Y'
  3. Set 'SEND_ACCESS_REQUEST_DIGEST' to 'Y'
  4. Set 'ACCESS_REQUEST_VIA_WEBPAGE' to 'N'
  5. Commit your changes

Note:  Flow #1 additional settings:

  1. (Required) Setting the External Report to be Discoverable to Users Without Access - see Step 2.
  2. (Optional) Set Custom Access Request message and /or email at either the External Report element level or the associated Category level. See Steps 2 and 3 below.

Example of  "Request Access" process. This request email will be sent to either the Access Request Email if specified in Steps 2 or 3, or will  default to your Support Admins' emails.

  1. Select Process request to access the User access requests grid
  2. Select one of the two Control icons to process or deny this request
    1. X mark will deny access (no further processing)
    2. Check mark - will process the request as shown below

Either way this request will be removed from the grid

 

  1. Select whether you want to grant Access to the specific element or to all elements within the Category
  2. Share to complete request
  3. Metric Insights will automatically add requested element or Category to this User
1.2. Access Request Flow 2: Manage via Access Request API (like SAP's GRC tool)

Set the required Access-request variables in the Config file (Admin > Utilities > System Config):

  1. Type 'access' in the Search field to narrow your options
  2. Set 'SHOW_ITEMS_WITHOUT_ACCESS' to 'Y'
  3. Set 'SEND_ACCESS_REQUEST_DIGEST' to 'Y'
  4. Set 'ACCESS_REQUEST_VIA_WEBPAGE' to 'N'
  5. Set 'ACCESS_REQUEST_URL_PASSWORD' to a valid password for the URL_USERNAME
  6. Set 'ACCESS_REQUEST_URL' to the end-point of your Access Request API
  7. Set 'ACCESS_REQUEST_URL_USERNAME' to a valid USER for this API request
  8. Commit your changes

When "Request Access" button is clicked, a request email will be sent to  Admins and an API endpoint will be sent the "Access Request Group"  specified in the External Report's Advanced tab. (see Access the Advanced tab of the External Report Editor).

Note:  Flow #2 additional settings:

  1. (Required)In the External Report Editor: see step 2
    1. Toggle "Discoverable to Users Without Access" to 'ON'
    2. Set the "Access Request Group"  to a valid LDAP group
  2. (Optional) Set Custom Access Request message and /or email at either the External Report element level or the associated Category level. See Steps 2 and 3 below.

Example of  "Request Access" process. This request email will be sent to either the Access Request Email if specified in Steps 2 or 3, or will  default to your Support Admins' emails.

  1. Select Process request to access the User access requests screen
  2. Select one of the two Control icons to process or deny this request
    1. X mark will deny access (no further processing)
    2. Check mark - will process the request as shown below

Either way this request will be removed from the grid

  1. Select whether you want to grant Access to the specific element or to all elements within the Category
  2. Share to complete request
  3. Metric Insights will automatically add requested element or Category to this User
1.3. Access Request Flow 3: Manage via External Form/Webpage

Set the required Access-request variables in the Config file (Admin > Utilities > System Config):

  1. Type 'access' in the Search field to narrow your options
  2. Set 'ACCESS_REQUEST_URL' to [a webpage set to process Access Requests]
  3. Set 'ACCESS_REQUEST_VIA_WEBPAGE' to 'Y'
  4. Set 'SHOW_ITEMS_WITHOUT_ACCESS' to 'Y'
  5. Commit your changes

Note:  Flow #3 additional settings:

  1. (Required) Setting the External Report to be Discoverable to Users Without Access - see Step 2.

NOTE: Any Custom Access Request messages or email set either on the External Report Editor or the associated Category Editor will be ignored

When "Request Access" button is clicked, User will be sent directly to specified Web page and access will be processed via your company's standard method. (below is just an example)

2. Set Custom Access Request fields on External Report Editor  

Create a New Tableau Report (New > External Report),  Select the Tableau Report Type, and follow instructions in How to create an External Report from Tableau.

Or access an existing External Report from your Homepage via the edit icon (gear).

2.1. Access the Advanced tab of the External Report Editor
  1. Toggle "Make Discoverable" to On to open additional fields
  2. Required for Flow #2. If you utilize an API for managing the Access Requests, select the LDAP Group that the User should be added to in order to access this content. Other flows will ignore this field value.
  3. (Optional)To apply a distinct display for inaccessible elements on the Homepage, select 'Upload Public Image File'  to open a standard Upload Image popup. Otherwise the default image from Configuration tab will be displayed.
2.2. (Optional) Select your own distinct image for Access-denied Homepage tile.
  1. Select 'Upload Public Image File'  box
  2. The Upload Image pop-up will appear to allow you to select an alternative image.
2.3. (Optional) Customize the Access Deny message

Note: if you do not specify a Access message at the External Report level, the system will check the associated Category for a message. If neither is specified, the Standard Message will display.

 

Toggle the 'Use Custom Access Denied Message' to 'ON'

  1. You can control the Message display using the standard formatting options
  2. You can insert the following variables using the dropdown:
  3. [Element name] causes the system to  substitute the External Report name in the display
  4. [More Info] provides a link to one of two messages based on where Security is denied:
    1. If MI constraint:  "In order to be able to access this visualization, you must first be granted access to the content within Metric Insights.  By clicking on the Request Access button, you will request that the owners of this content provide you with the necessary access."
    2. If BI Tool Constraint: "In order to be able to access this visualization, you must be granted access to the content within {BI Tool Name}.   By clicking on the Request Access button, you will request that the owners of this content provide you with the necessary access."
  5. (Optional) Provide an Access Request email address to be informed of this Access Denial. This field will over-ride the Standard option to Contact your Support Admin(s) for Access.

3. Set Custom Access Request fields on Category Editor

If Access Denied Message is NOT set at the Element level, the message set at the associated Category level for that element will be used. If Access Denied message is not set at either, the Standard Access Denied message will display.

3.1. Access Category Editor > Info tab
  1. One the Info tab, toggle the 'Use Custom Access Denied message' to ON
  2. Follow the procedure for setting message as shown in Step 2.2 above
  3. If Access Request Email as not been specified on the Report Editor, it may be set here and will apply to all External Reports set to 'Make Discoverable' in this Category

4. Verify if Report Type has been setup to allow verification of Access

The first 2 levels of verification will be available for all External Reports. The Verify Option below is currently only implemented  for Tableau and only for Request Flows 1 and 2.

4.1. Check that External Report is set correctly for Access check

This setting will allow Metric Insights to verify User Access to the specified Tableau Workbooks and Dashboards.

  1. Click on edit gear to open Report Type Editor
  2. Scroll to bottom of Editor
  3. Verify that Pre-verify User Access through Tableau API is set to 'Y'  (Note: this option must be set up through the API by systems engineer; you should not modify this option)

 

0 Comments

Add your comment

E-Mail me when someone replies to this comment