Applies to: Kyvos Enterprise Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace
Kyvos Azure Marketplace Kyvos GCP Marketplace Kyvos Single Node Installation (Kyvos SNI)
Security settings allow you to limit access to data by the criteria you specify, such as region or by department (group). Configure data security at the row or column level or both for saved semantic models. You can specify security access for individual users or groups. Right-click an existing rule to modify or delete it. Data security rules can be exported along with the data. Use And or Or to create complex rule conditions. Each rule can have a separate column and row-level security.
Important
Kyvos now supports Column Level Security defined in Big Query. When creating a Semantic Model with Big Query as the data source, any column level security applied in Big Query will be reflected in Kyvos when accessing data from the Semantic Model.
The email ID of the user on Kyvos should be the same as the email ID in Google Cloud.
The user should have Fine Grained Reader access for accessing secured columns in Kyvos and BigQuery. Without these permissions on the underlying columns, you will not be able to read the data from secured columns.
You can now create condition data security rules at the row level using both "And" and "Or" conditions. Previously, the 'And' condition was implemented by default. Now, you have the option to choose between 'OR' and 'AND' conditions.
Your organization can also configure custom row-level security (RLS) using Kyvos Manager. Then you can specify to use it from the Design tab semantic model properties page. If custom RLS is configured, you can't apply Kyvos RLS.
You MUST have sufficient security access to the data to be able to set security options.
Kyvos also allows unconditional column data masking, which is another form of security. It enables you to protect sensitive data by masking columns instead of restricting them. This feature allows for easy masking of any column data, such as SSNs, mobile numbers, credit card numbers, and email IDs, while browsing the semantic model on any BI tool.
See the section Column masking for column-level security for more details.
Setting semantic model data security
To set semantic model data security, perform the following steps.
From the Toolbox, click Semantic Models.
Click the Actions menu (...) in the work area then click Data Security.
In the Groups/ Users section, select users or groups that should have access to this semantic model.
Click to select one or more existing rules.
You can also set up rules. Click the plus sign in the Rules column to add a rule.
Click Swap to swap groups and users, and rule lists.
This option allows groups to be mapped with rules or rules to be mapped by groups.Click Save.
Adding semantic model security rule
To add a rule, perform the following steps.
From the Toolbox, click Semantic Models.
Click the Action menu (...) in the work area, then click Data Security.
Click users or groups that this rule will apply to.
Click the plus sign in the Rules column.
Add a rule name and description.
Click Row Level or Column Level.
For Rows, choose the fields, criteria, and enter the values you want to only be accessible to the user or group.
For Columns, select a dimension, level, hierarchy, attribute, or measure.
The available choices vary depending upon the data you are using. The fields selected in this rule will not be accessible to the user or group.Click the plus sign to add additional criteria.
Click Add.
To set up quick rules, perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Processtab if needed.
Click the Actions menu (...) in the work area, then click Data Security.
Click users or groups to which you want to apply the rule.
Click one of the options in the Rules list:
Allow all columns
Allow all rows
Setting up row-level security
To set up row-level security (RLS), perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Process tab if needed.
From Properties, scroll down to Data Security and choose one of the following as an endpoint source:
Kyvos Internal
CustomRLS: Displayed only if the corresponding JAR files are uploaded through Custom Data Security Configurations on the Kyvos Manager.
Select an endpoint.
Click the Define Rule and Mapping link and select Groups or Users and select the groups or users you want to use or use Search to find them.
For Rules, click Allow All Columns, Allow All Rows, or click the Plus sign next to Rules to add a custom rule.
On the Add Rule dialog, provide Rule Name and Description.
From the Row Level area, click the field link and select the field on which you want to apply the RLS.
Select the condition (And / Or) using the and link.
Click the value link, and the dialog box is displayed where you can search or select the values on which you can apply the RLS. The available choices vary depending on the data you are using.
Click Add. The RLS is applied to the selected values. you can also apply RLS on the Key value when the Hierarchy/attribute contains description (display field).
Click Row Level, and then select the click the field link, and then select the field on which you want to apply the RLS security on key field.
The RLS on Key field is applied to the values.
Setting up Column Level Security
To set up column-level security (CLS), perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Process tab if needed.
From Properties, scroll down to Data Security and choose one of the following as an endpoint source:
Kyvos Internal
CustomRLS: Displayed only if the corresponding JAR files are uploaded through Custom Data Security Configurations on the Kyvos Manager.
Select an endpoint.
Click the Define Rule and Mapping link and select Groups or Users and select the groups or users you want to use or use Search to find them.
For Rules, click Allow All Columns, Allow All Rows, or click the Plus sign next to Rules to add a custom rule.
On the Add Rule dialog, provide Rule Name and Description.
From the Column Level area, select any of the following from Restrict and select the field on which you want to apply the restriction.
Data: Type of column level security in which only data of the column will be restricted. Any queries involving the restricted columns while browsing the semantic models are failed.
Data and Metadata: Type of column-level security in which both data and metadata (visibility) of the column will be restricted. If this option is selected, the restricted columns will not be visible while browsing the semantic model on any of the BI tools.
Note
Metadata-level security is not applicable to the default measure.
You can select multiple fields for column-level security, such as restrict data and restrict data with metadata, to apply the same level of restriction on multiple fields without creating multiple rows for each field.
Column masking for Column Level Security
Masking can be applied to a single-level hierarchy, multilevel hierarchy, parent-child hierarchy, attributes, base measures, calculated measures, and measures used in calculations. For column-level security, both unconditional and conditional masking can be applied. By implementing masking at the column level, you can effectively manage data accessibility and privacy, ensuring that users only access information necessary for their roles while protecting sensitive data from exposure.
Unconditional column masking: Applies masking to specific columns. It is supported only for Spark-based deployments.
Conditional column masking (Beta): Applies masking only part of the data while masking based on specific conditions It is supported for both Spark and No-Spark-based deployments.
Unconditional column masking
Unconditional column masking is used in Spark-based deployments where the entire column is masked uniformly. In this approach, any user who accesses the masked column will see only obfuscated or masked values rather than the actual data, regardless of their access permissions.
Note
Column masking is not applied to Member Properties, Unknown and Calculated members, and Predefined time type hierarchy.
Currently, column masking does not support the SQL interface.
Partial masking on numerical dimension field is not supported.
Merging of measure values for fully masked only attribute/single level hierarchy is not supported.
The original column data is preserved while masking because numeric data is masked with a number, and a date is masked with a date. You can specify a fixed pattern or a Regex expression for any string data type.
The masked value is displayed while browsing the semantic model on any BI tool with an MDX connection.
If using Tilde (~) for column masking and want to apply a filter on the masked value from Kyvos UI, then you must change the value of the field value separator as the default value of the kyvos.filter.value.separator property is also Tilde (~). Hence, you must change the default value of this property so that column masking with the Tilde character can function.
To apply column masking to a pre-defined hierarchy, you need to select the full name of the hierarchy.
You can create, delete, update, save, and assign column security (masking) rules by using the Security Rest API's.
To apply unconditional column masking for Column Level Security (CLS), perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Process tab if needed.
Click the Action menu (...) in the work area, then click Data Security.
If the option is not displayed, you must save the semantic model and try again.Click users or groups that this rule will apply to.
Click the plus sign in the Rules column.
Add a rule name and description.
From the Column Level area, click the Mask Data link, and then select the field on which you want to apply the column masking. By default, the Mask data is applied. This indicates unconditional data mask.
Click the value link, and the Mask with dialog box is displayed. You must enter the required value for unconditional column masking. The available choices vary depending on the data you are using.
For any string data type, choose one of the following:
Fixed: Use this option to specify a fixed value for column masking. Enter a value that you want to apply for column masking. The entered value is displayed in the Preview area.
NOTE: You can specify any character or special characters, such as #, *, @. If you keep the field blank, then while semantic model browsing, the field value is displayed as blank.Regex: Use this option to specify a Regex expression for column masking.
Enter a Regex expression that you want to specify for the field value, and then provide a value that you want to use for column masking.
You can also select a Regex expression from the Choose from common expressions list.
To verify whether the Regex expression is successfully masked with the value, enter a relevant value in the Test Value field. The result is displayed in the Preview field. If the expression is not masked successfully, you can modify the expression, as needed.
NOTE: In an expression, the Delimiter (/) and the flags (g,m,i,u,s,d) are not supported.
Click the plus sign to add additional fields, if required.
Click Add.
Conditional masking (Beta)
Conditional column masking allows for more granular control by masking data in a column based on certain conditions.
Note
Kyvos does not support conditional masking on date field.
Partial masking on numerical dimension field is not supported
Merging of measure values for fully masked only attribute/single level hierarchy is not supported.
Masking on measure is not supported.
To apply conditional column masking for Column Level Security (CLS), perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Process tab if needed.
Click the Action menu (...) in the work area, then click Data Security.
If the option is not displayed, you must save the semantic model and try again.Click users or groups that this rule will apply to.
Click the plus sign in the Rules column.
Add a rule name and description.
From the Column Level area, click Mask Data and select Conditionally mask data, and then select the field on which you want to apply the column masking.
Click the Conditional Mask Data link and click the field link. The field list is displayed. Select the field that you want to conditionally mask.
Click the value link, and the Conditional Mask with dialog box is displayed. You must enter the required value for conditional column masking. The available choices vary depending on the data you are using.
For any string data type, choose one of the following:
Fixed: Use this option to specify a fixed value for column masking.
For any string data type, choose one of the following:Enter a value that you want to apply for column masking. The entered value is displayed in the Preview area.
NOTE: You can specify any character or special characters, such as #, *, @. If you keep the field blank, then while semantic model browsing, the field value is displayed as blank.
Regex: Use this option to specify a Regex expression for column masking.
Enter a Regex expression that you want to specify for the field value, and then provide a value that you want to use for column masking.
You can also select a Regex expression from the Choose from common expressions list.
To verify whether the Regex expression is successfully masked with the value, enter a relevant value in the Test Value field. The result is displayed in the Preview field. If the expression is not masked successfully, you can modify the expression, as needed.
NOTE: In an expression, the Delimiter (/) and the flags (g,m,i,u,s,d) are not supported.
Click the field link to select the field on which you want to apply conditional column masking.
Click the plus sign to add additional fields, if required.
Click Add.
Examples of rule criteria
You can specify criteria for values in a field such as:
Is in the list
Is not in the list
Starts with
Contains
Ends with
Row Level Security using LDAP
You can set up a Parameterized Row Level Security (RLS) filter to control access to rows in a database table by using custom attributes on an LDAP server.
To use this feature, users and their details must be set up on an LDAP server. Set up custom attributes on the LDAP server and create a group in Kyvos of these users. Then, define a parameterized RLS filter on the semantic model for this group. The filter contains a parameter that is resolved at the time of the query.
To define a parameterized RLS filter, perform the following steps:
From the Toolbox, click Semantic Models.
Click the Actions menu (...) in the work area and then click Data Security.
Click users or groups that this rule will apply.
Click the plus sign in the Rules column.
Add a rule name and description.
Click Row Level.
Specify the field name and for criteria choose the parameter. Then select an LDAP custom attribute.
Click Add.