
Business Intelligence Software

Satori integrates with BI software to monitor and enforce security and privacy policies for data consumers who are using BI tools to access data.

To bind a BI tool to Satori, connect the BI tool to the data store via the Satori hostname.

BI Tool - User Data Access

BI tools generally access data on behalf of end users using a single, shared user identity connected to the data store. When the BI tool connects to the data store via Satori, Satori is only aware of that single user "entity" and is not exposed to the full context of the real end user's data access.

The following diagram illustrates how Satori cannot determine that the end user "Alice" is accessing data via the BI tool; Satori only sees the shared BI_USER username.

Screenshot

Making Satori Aware of Individual End Users

To enable Satori to be aware of the individual end users accessing data, Satori leverages the existing capabilities of the BI tools. Satori collects additional information about the BI tool's environment, including the identity of the end user.

The following diagram illustrates how the BI tool sends Alice's username when she connects to the data store via Satori, making Satori aware of Alice's user identity and enabling Satori to audit and enforce policies based on her true identity.

Screenshot

Looker

Looker supports sending additional parameters via JDBC connections. See the Additional Parameters section in the Looker documentation.

Note: Customizing the JDBC connection with additional parameters may disable Looker's PDT functionality. To keep PDTs working, either override the Additional Parameters field in the PDT Overrides section with the previous value (without the SATORI_LOGIN_NAME), or specify a unique user ID for the Looker PDT. For example, in a Snowflake connection use: SATORI_LOGIN_NAME=LOOKER&SATORI_LOGIN_TOKEN=<TOKEN>.

Using Snowflake

To send the end user username to Satori, add the following parameter in the Additional Parameters field: SATORI_LOGIN_NAME={{ _user_attributes['email'] }}&SATORI_LOGIN_TOKEN=<TOKEN>.

To activate this functionality, first obtain an authentication token via the management console (Settings->User management->DAC Access Tokens), then replace the <TOKEN> above with the newly created token.

Using PostgreSQL or Redshift

To send the end user username to Satori, add the following parameter in the Additional Parameters field: options="SATORI_LOGIN_NAME={{ _user_attributes['email'] }}""SATORI_LOGIN_TOKEN=<TOKEN>".

To activate this functionality, first obtain an authentication token via the management console (Settings->User management->DAC Access Tokens), then replace the <TOKEN> above with the newly created token.

Using SQL Server

To connect Looker to Satori using the Satori service account credentials, update the following parameters in Looker:

Username - select the Email option.

Password - copy the UUID Token value from the DAC Access Token tab in the Satori settings, for example: befdcb5b-e1b3-49e8-84d8-093116c9daf5.

PowerBI

Using SQL Server

To connect Satori with the PowerBI tool, create a new SQL Server connection and set the Satori URL as the server parameter.

For example:

server: abc123.us-east-1.a.s0.satoricyber.net

Then press OK and enter your credentials.

Note: Unsecured connections (the non-SSL driver option) are not supported. To enable secure connectivity, verify that the following setting is applied: File -> Options and Settings -> Data Source Settings -> abc123-cluster-cajcpwqzmvbb.us-east-1.a.p0.satoricyber.net -> Edit Permissions -> Encrypt Connections

Using PostgreSQL

To connect Satori with the PowerBI tool, create a new PostgreSQL connection and set the Satori URL as the server parameter.

For example:

server: abc123.us-east-1.a.s0.satoricyber.net

Then press OK and enter your credentials.

Note: Unsecured connections (the non-SSL driver option) are not supported. To enable secure connectivity, verify that the following setting is applied: File -> Options and Settings -> Data Source Settings -> abc123-cluster-cajcpwqzmvbb.us-east-1.a.p0.satoricyber.net -> Edit Permissions -> Encrypt Connections

Using Snowflake

To connect Satori with the PowerBI tool, create a new Snowflake connection and set the Satori URL as the server parameter.

For example:

server: abc123.us-east-1.a.s0.satoricyber.net

Then press OK and enter your credentials.

Note: Unsecured connections (the non-SSL driver option) are not supported. To enable secure connectivity, verify that the following setting is applied: File -> Options and Settings -> Data Source Settings -> abc123-cluster-cajcpwqzmvbb.us-east-1.a.p0.satoricyber.net -> Edit Permissions -> Encrypt Connections

Tableau

Initial SQL

Tableau features an option to define an SQL command that runs whenever a new database connection is established. Satori uses a special SQL command to associate the Tableau user's identity with the connection.

To activate this functionality, first obtain an authentication token via the management console (Settings->User management->DAC Access Tokens), then add the snippet below, with the newly created token, as the Initial SQL.

SELECT 1 -- 'satori_user: '[TableauServerUser]', satori_token: <TOKEN>'

Google Data Studio

To connect to Satori from Google Data Studio, you will need the SSL certificates that are associated with one or more of the Satori DACs in your account. This is required when creating Data Studio connections, as they require SSL mode Verify CA.

To retrieve the SSL certificates, perform the following:

  1. Open a terminal window on your local machine.
  2. Enter the openssl command: openssl s_client -showcerts -connect anyhost.us-east-1.a.p0.satoricyber.net:443 > dac_certs.pem
  3. Change the region "us-east-1" to the region where your DAC is deployed. This command will create a pem file dac_certs.pem in the current directory.
  4. Now edit the dac_certs.pem file with your favorite editor, and remove the two lines listed below:

     1 s:/C=US/O=Let's Encrypt/CN=R3
       i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

  5. Save the file.

This file is what you will then upload into Google Data Studio when creating a connection:

Screenshot
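The retrieval steps above can be scripted. The following is an added example, not Satori's own tooling: it runs the page's openssl command non-interactively and removes the two depth-1 subject/issuer lines, matching on the " 1 s:" prefix so it also covers output whose name text differs from the lines quoted above. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Host is the page's placeholder; change the region to your DAC's region.
DAC_HOST="anyhost.us-east-1.a.p0.satoricyber.net"

# Step 2: capture the chain. </dev/null closes stdin so s_client exits
# after the handshake instead of waiting for input.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null
}

# Step 4: drop the " 1 s:" line and the "i:" line that follows it.
strip_depth1_header() {
    awk '
        /^ *1 s:/       { skip = 1; next }
        skip && /^ *i:/ { skip = 0; next }
                        { skip = 0; print }
    '
}

# Sanity check: count complete PEM certificate blocks on stdin.
count_pem_blocks() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/         { inside = 1 }
        /^-----END CERTIFICATE-----$/ && inside { n++; inside = 0 }
        END                                     { print n + 0 }
    '
}

# Constructed sample of -showcerts output; certificate bodies are dummy text.
sample_chain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=anyhost.us-east-1.a.p0.satoricyber.net
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
---
EOF
}

# Live use: fetch_chain "$DAC_HOST" | strip_depth1_header > dac_certs.pem
```

Comparing count_pem_blocks before and after the edit confirms that only the two header lines were removed and both certificate blocks are still intact.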

Redash, Sigma, and Sisense (Periscope Data)

The integration with Satori is seamless (i.e. no Initial SQL query is required). Whenever the data store is accessed, Redash/Sigma/Sisense adds a comment to the query that includes the user's metadata to be associated with the connection.