Overview
Bold BI embedding supports group-based authorization for OAuth 2.0 and OpenID providers. With this support, you can configure and import your OAuth or OpenID groups into the Bold BI server without importing the users of the group. However, every user from the group can access the Bold BI dashboard.
Why group-based authorization
- Avoid managing user data in multiple systems.
- Maintain user security within your identity provider.
- Grant dashboard access based on group permissions.
How to embed with group-based authorization.
Before embedding, review these essential guides:
Provider Configuration
Let’s take a look at the configuration settings for Azure AD, OAuth 2.0 and OpenID import, importing the group, and granting access to that group.
-
To have Azure AD connect support, you would need to configure the Azure AD in Bold BI server. Please follow these steps provided in the link.
The following link explains how to connect with the Bold BI application.
-
To have support for OAuth 2.0 connect, you will need to configure OAuth 2.0 in the Bold BI server. Please follow the steps provided in the link.
The following is a list of a few OAuth 2.0 providers, and it explains how to connect with the Bold BI application.
-
For OpenID connect support, you would need to configure the OpenID in Bold BI server, follow these steps in the link.
The following is a list of a few OAuth 2.0 providers, and it explains how to connect with the Bold BI application.
-
After configuring your providers, you need to import your group into the Bold BI server. Follow these respective links to import the groups.
-
Then, you need to provide access to your imported group. Follow these steps in the link, which will help your users to access and embed the dashboard.
-
Now, you need to configure your authorization server to use group-based authorization by adding the marked parameters in the embedQuery.
Parameter Description embed_group_access This parameter needs to set as true to enable the group-based authorization. embed_auth_provider This parameter value indicates which auth provider you are using in embedding.
Example:embed_auth_provider=GlobalOAuth
Following are the values for different auth providers:AzureAD – Set this if you have configured AzureAD TenantOAuth – Set this if you have configured OAuth at the tenant level
TenantOpenID – Set this if you have configured OpenID at the tenant levelGlobalOAuth – Set this if you have configured OAuth at the global level
GlobalOpenID – Set this if you have configured OpenID at the global levelWindowsAD – Set this if you have configured WindowsAD None – Set this if you aren’t using any auth providers embed_user_id Need to set your user id, which used in your provider for this user embed_user_email Need to set your user mail, which used in your provider for this user NOTE: The previous UserID and UserEmail would act as the password for users of each provider in Bold BI.
Example: For GlobalOAuth:
&embed_group_access=true&embed_auth_provider=GlobalOAuth&embed_user_id=1212121212&[email protected]
For GlobalOpenID:&embed_group_access=true&embed_auth_provider=GlobalOpenID&embed_user_id=auth0|5dbc1ac0835a7c0e18724875&[email protected]";
For Azure AD:&embed_group_access=true&embed_auth_provider=AzureAD&embed_user_id=cda791a1-3dec-4e52-a70c-38323aafe256&[email protected]
NOTE: Please use your UserID and UserEmail as follows in the authorization server.
Amazon Cognito Set the user email as embed_user_id and embed_user_email Auth0
- Set the user id as embed_user_id
- Set the user email as embed_user_emailOkta OneLogin
Enabling user import with group-based authorization
Enable this feature to dynamically import users from external identity provider groups when they access embedded dashboards. This ensures users inherit group permissions without being manually added to the Bold BI server.
For more details, refer to the Enabling user import with group-based authorization
Sample links
The sample applications for ASP.NET Core, ASP.NET MVC, and Angular can be downloaded from the following links. Once downloaded, you can update your group access, authentication provider, user id, and user email in the authorization server code block.