Saturday, March 2, 2024
HomeBusiness IntelligenceGoodData Person Provisioning Automation Information With Python SDK

GoodData Person Provisioning Automation Information With Python SDK


As companies broaden their analytical capabilities, the necessity for job automation, corresponding to person provisioning, turns into more and more evident. Guide processes devour priceless time and introduce the opportunity of errors. This text delves into automating person provisioning in GoodData, utilizing the GoodData Python SDK. Whereas our instance employs Auth0 because the OIDC supplier, the core ideas stay relevant to different suppliers like Okta.

Conditions:

Earlier than we dive into the automation course of, guarantee you’ve got the next:

  • A GoodData Cloud account with out the ManagedOIDC entitlement In case you want to change the OIDC IdP that your trial surroundings is utilizing, contact us on our neighborhood portal.
  • An OIDC supplier (we use Auth0 on this article however the ideas apply to different suppliers like Okta, Cloud IAM, Keycloak, and many others.).
  • Configured authentication utility with Callback URLs and Secrets and techniques. Within the case of Auth0, see the documentation for particulars.
  • Configured OIDC authentication in GoodData. See the documentation for particulars.
  • Put in gooddata-sdk and auth0-python. Ideally, you need to have configured a digital surroundings.

Tip: The code repository is open-sourced.

Step 1: Customers and Roles in OIDC

Start by populating your OIDC supplier with customers. On the next display, you possibly can see customers in Auth0.

Defining person roles is crucial to regulate entry. For example, “Admin” and “Person” roles might be arrange.

Now you can transfer to the following step, which is able to configure all of the required surroundings variables for the answer.

Step 2: Configure Atmosphere Variables

For Auth0, you will have to outline the next three surroundings variables:

  • AUTH0_DOMAIN
  • AUTH0_CLIENT_ID
  • AUTH0_SECRET

Yow will discover all of those within the Auth0 utility.

Then copy & paste their values into the next code snippet.

export AUTH0_DOMAIN='<auth0-domain>'
export AUTH0_CLIENT_ID='<auth0-client-id>'
export AUTH0_SECRET='<auth0-secret>'

The final step on this part is to configure GoodData surroundings variables. In case you do now know get a GoodData API token, see our documentation for particulars.

export GOODDATA_HOST='<gooddata-host>'
export GOODDATA_TOKEN='<gooddata-token>'
export GOODDATA_WORKSPACE_ID='<gooddata-workspace-id>'

Tip: Yow will discover the GoodData host and GoodData workspace ID within the URL <GOODDATA_HOST>/dashboards/#/workspace/<GOODDATA_WORKSPACE_ID>.

Step 3: Create Person Teams in GoodData

Arrange customers in GoodData utilizing person teams. On this instance, we use “adminGroup” for customers with Admin roles and “userGroup” for these with Person roles.

def create_user_groups():
    # adminGroup already exists, it signifies that solely userGroup must be created
    user_group = CatalogUserGroup.init(user_group_id="userGroup")
    gooddata_sdk.catalog_user.create_or_update_user_group(user_group=user_group)

You may see within the script above that you don’t want to create the adminGroup as a result of it already exists in GoodData.

Step 4: Create Permissions in GoodData

Outline permissions to control person entry inside GoodData. The “MANAGE” permission permits customers (who’re within the adminGroup within the instance under) to create and edit visualizations and dashboards. In distinction, the “VIEW” permission grants customers (who’re within the userGroup within the instance under) read-only entry.

def create_permissions():
    declarative_permissions = gooddata_sdk.catalog_permission
        .get_declarative_permissions(gooddata_workspace_id)
    admin_group_permissions = {
        "title": "MANAGE",
        "assignee": {
             "id": "adminGroup",
             "sort": "userGroup"
        }
    }
    user_group_permissions = {
        "title": "VIEW",
        "assignee": {
            "id": "userGroup",
            "sort": "userGroup"
        }
    }

    declarative_permissions.permissions = [admin_group_permissions, user_group_permissions]
    gooddata_sdk.catalog_permission
        .put_declarative_permissions(gooddata_workspace_id, declarative_permissions)

Tip: Verify the Handle Permissions part of our documentation for extra info.

Step 5: Provision Customers From Auth0 to GoodData

An important half is accurately mapping customers from the OIDC supplier (in our case Auth0) to GoodData. First, retrieve person information and roles from Auth0:

def get_auth0_users():
    return auth0.customers.record()


def get_auth0_user_role(auth_id: str):
    return auth0.customers.list_roles(auth_id)

With customers and roles from Auth0, it’s straightforward to map customers to GoodData and assign them the suitable permissions.

def create_or_update_user(user_id: str, authentication_id: str, user_group_ids: Record[str]):
    gooddata_sdk.catalog_user.create_or_update_user(
        CatalogUser.init(
            user_id,
            authentication_id,
            user_group_ids
        )
    )


def provision_users():
    customers = get_auth0_users()

    for person in customers["users"]:
        # user_id is the authentication_id on this case, it's auth0|<user_id>
        auth_id = person["user_id"]
        user_id = auth_id.substitute("auth0|", "")
        # person can have assigned extra roles, I assigned only one
        position = get_auth0_user_role(auth_id)["roles"][0]
        role_name = position["name"]


        # if person has an admin position, it's assigned to adminGroup
        if role_name == "Admin":
            create_or_update_user(user_id, auth_id, ["adminGroup"])
        else:
            create_or_update_user(user_id, auth_id, ["userGroup"])

After this step, all customers from the OIDC supplier are provisioned to GoodData. For seamless person provisioning, automate your entire course of.

Step 6: Automation of Person Provisioning

Schedule common execution of the provisioning script, which checks for brand spanking new customers and maintains synchronization. You should use Auth0 Actions (or comparable instruments from different OIDC suppliers) for superior use circumstances. In our instance, working a easy cron job is sufficient:

def run_provisioning():
    print("Checking new customers...")
    create_user_groups()
    create_permissions()
    provision_users()
    print("Carried out")


schedule.each(1).hour.do(run_provisioning)

whereas True:
    schedule.run_pending()
    time.sleep(1)

The script above ensures that the provisioning of latest customers runs each hour.

A Identified Limitation

The outlined person provisioning method lacks change administration logic. Within the state of affairs offered, even when we take away customers from the OIDC supplier, they may stay inactive in GoodData. Whereas integrating change administration logic is possible, we now have omitted its implementation on this context for the sake of article simplicity.

Closing Ideas

Automating person provisioning is a pivotal step in scaling your analytics endeavors. By integrating the GoodData Python SDK and Auth0, you possibly can effectively handle person entry and permissions, guaranteeing correct information evaluation and reporting. When you’ve got any queries or require help, do not hesitate to achieve out on the GoodData Slack channel. Able to get began? Discover the probabilities by signing up for our free trial at the moment!

Why not strive our 30-day free trial?

Absolutely managed, API-first analytics platform. Get prompt entry — no set up or bank card required.

Get began

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments