Today, SaaS businesses are mostly multi-tenant applications, providing a single centrally administered architecture to serve multiple customers (tenants). These tenants can be groups within one organization or different businesses, with all their data stored in the SaaS system. Data privacy and securing each tenant's data from other tenants are both critical in these deployment scenarios.
For this purpose, the tenant's data can be partitioned logically within a single database using shared/multiple schemas, or the data can be partitioned physically where each tenant has a separate database.
In this article, we'll show you how to logically and/or physically separate the tenant's data with Wyn Enterprise, using User Context attributes.
These attributes can be used to define the rules for dynamically restricting the data available to each tenant logged in to the same portal. User contexts can either be used to provide row-level data security in a document or database-level security for a data source. They act as an additional layer of data security extending the role-based security that is built into Wyn Enterprise.
Multi-tenant Applications for the Healthcare Industry
Personally Identifiable Information (PII) is especially important to the healthcare industry. Suppose the Health Information and Management System (HIMS) of a hospital chooses to store its data in different databases, providing authorized access to certain user groups.
There may be databases:
- For the different healthcare departments in the hospital (Neurology, Cardiology, Oncology, etc.). Each department gives its doctors authorized access to the history of the patients they treated.
- With patient treatment histories.
For this blog, let's name the former set of databases after the departments, "Neurology" and "Cardiology," and the latter one "Patient."
The individual tenants accessing their specific data in the Wyn Security Layer are as follows:
- Tenants John and Fred are patients and want to view their treatment history from the "Patient" database.
- Tenant Smith is a doctor and wants to see the data of the patients he has treated from the "Neurology" database.
- Tenant Marcus is another doctor and wants to see the data of the patients he has treated from the "Cardiology" database.
The patients, John and Fred, are trying to access the same database. We need a User Context that can be used to filter the respective rows for them. The doctors, Smith and Marcus, are trying to access the isolated databases for their departments. We need a User Context here that can identify the department as well as the patients they have treated.
The User Contexts for the defined scenario can be as follows:
- Department: Patient, Neurology, Cardiology
- PatientID
- DoctorID
Let's see how we can define these User Contexts in Wyn Enterprise.
User contexts are related to a user. First, we need a Custom Property to store information about users. It can be added to user profiles from the Custom Property page in the Admin Portal. Once we have the user properties defined, we can map them to the user contexts that we will use by making sure they are present in the Claims list of the User Contexts page.
You can follow the documentation to see in detail how you can create a custom property and add a claim for the user context in Wyn Enterprise.
For this blog, we created the custom properties based on the user contexts identified above — Department, PatientID, DoctorID as shown below:
While Department has predefined available values for the different departments in the hospital, PatientID and DoctorID have no available values because they are unique to each user (the patients and doctors).
When you create a Custom Property, the claim is automatically created on the "User Context" page as shown below. This claim name is used to map the user context to the custom property for dynamic filtering in a document.
Note: On the "User Context" page, you also see some default user contexts like First Name, Last Name, Email, etc.
Now, the User Contexts that we mapped to the user's custom properties are available while creating users as shown below:
The next step is to add the users. Refer to our user documentation to add a new user to Wyn Enterprise.
We created the users for the scenario in this blog with the defined user contexts as shown below:
When you are ready with the User Context and users for your system, let's see where and how you can use them.
User contexts can be used on the Document or Resource Portal as a parameter value in Schedules, in Parametric Filters in Shared DataSets, in the DataSource connection string, as a Security Filter in the Semantic model, in the SQL query of Embedded Datasets in WynReports, as a Parameter/Filter in WynReports, etc. The syntax for using the user context attribute differs between the Wyn Enterprise plugins.
It can be used:
- As an expression: "UserContext.GetValue("<claimName>")" in WynReports. You can define a filter on a Table control in WynReports using a user context expression, as shown below:
- As Parameter Type: User Context with claimName as Value for Filters in a Shared Dataset for WynReports and/or WynDashboard.
- As the filter value for a Security Filter in a Semantic Report. Simply choose the claimName from the dropdown in Security Filter.
- As a placeholder @{claimName} in the DataSource connection string. With user context, the connection string in general looks like: data source=@{claimmydatabase};initial catalog=@{claimmycatalog}; user id=@{claimmyusername};password=@{claimmypassword};
To fetch the tenant-specific database, the connection string is as shown below:
Now that we have defined how and where the User Context is used in Wyn Enterprise, let's see how it can be used to meet the use-case we have defined above.
For this purpose, we have created a WynReport "Patient Medical Report" for patients and doctors as shown below:
In the report, data is to be fetched from different databases, Patient, Neurology, and Cardiology, accessible to the logged-in user. So, we used the user context "Department" as a placeholder in the Database connection string.
And then, as an expression in the SQL query of the Embedded Dataset in the WynReport to fetch data corresponding to the patients and doctors.
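The following added example (not part of the original article and not Wyn Enterprise code) models the two uses just described: substituting the Department claim into a connection-string placeholder and binding the PatientID claim into the dataset query. The template handling, table layout and sample rows are constructed; the checks are there because a claim value becomes part of the connection string and decides which database and rows a tenant reaches.

```python
import re
import sqlite3

# Assumption: the tenant databases that exist, taken from the article's scenario.
ALLOWED_DEPARTMENTS = {"Patient", "Neurology", "Cardiology"}
PLACEHOLDER = re.compile(r"@\{(\w+)\}")
# Characters that would let a claim value add or override connection-string keys.
UNSAFE = re.compile(r"[;=\"'\s]")


class ClaimError(ValueError):
    """Raised when a claim is missing or unsafe; callers must deny access."""


def resolve_connection_string(template: str, claims: dict) -> str:
    """Substitute @{claimName} placeholders, failing closed on bad input."""
    def substitute(match):
        name = match.group(1)
        value = claims.get(name)
        if not value:
            raise ClaimError(f"missing claim: {name}")
        if UNSAFE.search(value):
            raise ClaimError(f"unsafe characters in claim: {name}")
        if name == "Department" and value not in ALLOWED_DEPARTMENTS:
            raise ClaimError(f"unknown department: {value}")
        return value
    return PLACEHOLDER.sub(substitute, template)


def patient_rows(conn, claims: dict) -> list:
    """Row-level filter: bind the PatientID claim as a parameter, never concatenate."""
    patient_id = claims.get("PatientID")
    if not patient_id:
        raise ClaimError("missing claim: PatientID")
    cur = conn.execute(
        "SELECT patient_id, diagnosis FROM history WHERE patient_id = ?", (patient_id,))
    return cur.fetchall()


def demo_db():
    """Constructed sample data standing in for the shared "Patient" database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE history (patient_id TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO history VALUES (?, ?)",
                     [("P-001", "migraine"), ("P-002", "arrhythmia"), ("P-001", "checkup")])
    return conn
```

A user with no Department or PatientID claim gets an error rather than an unfiltered connection or result set, which is the behaviour to confirm in any deployment that relies on user contexts for tenant isolation.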
So, when John logs in to the system, he sees only his medical history, while Fred sees only his own history, as shown below:
Image showing report with only John’s medical history
Image shows report with only Fred’s medical history
And the same report shows the medical history of all the patients Dr. Smith has treated for neurological problems and Dr. Marcus has treated for cardio problems as shown below:
Image shows report accessed by Dr. Smith
Image shows report accessed by Dr. Marcus
As you can see, User Context can be applied to any document in Wyn Enterprise to achieve multi-tenancy in your system. You can also use it with the users in your Active Directory (using Security Providers).