Single Sign-On (SSO), Roles and Rights with Superset
This page contains notes on Single Sign-On for OpenLMIS that Superset can leverage.
Single Sign-On is different from Roles and Rights that filter data.
Single Sign-On
- Superset depends on Flask App builder which supports OAuth2.
- OpenLMIS uses OAuth2
- We need to work to integrate these
Questions:
- Should we use JWT, or just get the username?
- The username is returned from the token authorization response.
Filtering Data based on Rights and Roles
OpenLMIS has a concept called permission strings, which are provided by the reference data service. Permission strings provide three types of rights and are constructed as RIGHT|FACILITY|PROGRAM.
Suggested Steps:
- Step 1: The first right to check is whether you have the right to see a particular report.
- Step 2: Now you need to determine what data to see in the report.
- This right is going to be oriented around being able to see the topic area like view_requisition|FacilityUuid|ProgramUuid ← This is important because it filters
- Rights provide the claim to see the data. Once we get to this point, the query is run.
How do we handle this with the database?
- We want to be able to just pass in the User ID and have the view filtered by that based on a table join.
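One way the user-ID join described above could look, as an added example (not OpenLMIS or Superset code). It assumes permission strings are split into columns at load time; the table names, column names, IDs and the `some_general_right` value are hypothetical, and the sample data is constructed. Strings that do not have exactly three parts are assumed not to scope report data and are skipped.

```python
import sqlite3

# Constructed sample data: (user_id, permission string) in the page's
# RIGHT|FACILITY|PROGRAM form. IDs are placeholders, not real UUIDs.
SAMPLE_PERMISSIONS = [
    ("user-a", "view_requisition|fac-1|prog-1"),
    ("user-a", "view_requisition|fac-2|prog-1"),
    ("user-b", "view_requisition|fac-2|prog-2"),
    ("user-b", "some_general_right"),      # hypothetical right with no scope: skipped
    ("user-b", "view_requisition|fac-3"),  # missing program: skipped, grants nothing
]
SAMPLE_REQUISITIONS = [  # (id, facility_id, program_id)
    (1, "fac-1", "prog-1"), (2, "fac-2", "prog-1"),
    (3, "fac-2", "prog-2"), (4, "fac-3", "prog-1"),
]

def split_permission(permission_string):
    """Return (right, facility, program), or None unless there are exactly three non-empty parts."""
    parts = permission_string.split("|")
    if len(parts) != 3 or not all(parts):
        return None
    return tuple(parts)

def build_warehouse():
    """Load the constructed samples into an in-memory database standing in for the warehouse."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE requisition (id INTEGER PRIMARY KEY, facility_id TEXT, program_id TEXT);
        CREATE TABLE user_permission (user_id TEXT, right_name TEXT, facility_id TEXT, program_id TEXT);
        -- Composite index so the per-user join does not scan every permission row.
        CREATE INDEX idx_user_permission
            ON user_permission (user_id, right_name, facility_id, program_id);
    """)
    db.executemany("INSERT INTO requisition VALUES (?, ?, ?)", SAMPLE_REQUISITIONS)
    rows = [(user, *parsed) for user, ps in SAMPLE_PERMISSIONS
            if (parsed := split_permission(ps)) is not None]
    db.executemany("INSERT INTO user_permission VALUES (?, ?, ?, ?)", rows)
    return db

def visible_requisitions(db, user_id, right_name="view_requisition"):
    """Requisition ids the user may see; users without a matching row get nothing."""
    cur = db.execute("""
        SELECT DISTINCT r.id FROM requisition r
        JOIN user_permission p
          ON p.facility_id = r.facility_id AND p.program_id = r.program_id
        WHERE p.user_id = ? AND p.right_name = ?
        ORDER BY r.id""", (user_id, right_name))  # bound parameters, never string-built SQL
    return [row[0] for row in cur]
```

Because the filter is an inner join, a user with no loaded permission rows sees no data, so a stale or failed permission load fails closed rather than open.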
Questions:
- Do we take all of these permissions that we are interested in and ignore all the ones we don't want?
- Should we load the permission strings into the data warehouse from OpenLMIS?
- We need to research if we can join based on permission strings.
- How do we do intelligent indexes?
- Should we hit the permission strings endpoint?
- We need to create an endpoint that returns all permission strings for all users in JSON format. This endpoint should have a "since" parameter.
- Nifi will have to query this every 30 seconds.