Business Intelligence Software

Satori integrates with BI software to monitor and enforce security and privacy policy for data consumers who use BI tools to access data. To bind a BI tool to Satori, connect the BI tool to the data store via the Satori hostname.

BI Tool User Data Access

BI tools generally access data on behalf of end users using a single, shared user identity connected to the data store. When the BI tool connects to the data store via Satori, Satori is only aware of a single user "entity" and is not exposed to the full context of the real end user data access.

The following diagram illustrates that Satori cannot determine that the end user "Alice" is accessing data via the BI tool; Satori sees only the shared BI_USER username.

Screenshot

Making Satori Aware of Individual End Users

To enable Satori to be aware of the individual end users accessing data, Satori leverages the existing capabilities of the BI tools. Satori collects additional information about the BI tool's environment, including the identity of the end user.

The following diagram illustrates how the BI tool sends Alice's username when she connects to the data store via Satori, making Satori aware of Alice's user identity and enabling Satori to audit and enforce policies based on her true identity.

Screenshot

Looker

Looker supports sending additional parameters via JDBC connections. See the "Additional Parameters" section in the Looker documentation.

Note: Customizing the JDBC connection with additional parameters may disable Looker's PDT functionality. To keep Looker's PDT functionality working, override the Additional Parameters field in the PDT Overrides section with the previous value (without the SATORI_LOGIN_NAME), or specify a unique user ID for the Looker PDT. For example, in a Snowflake connection use: SATORI_LOGIN_NAME=LOOKER&SATORI_LOGIN_TOKEN=<TOKEN>.

Using Snowflake

To send the "end user" username to Satori, add the following parameter in the Additional Parameters field: SATORI_LOGIN_NAME={{ _user_attributes['email'] }}&SATORI_LOGIN_TOKEN=<TOKEN>. To activate this functionality, you must first obtain an authentication token via the management console (Settings->User management->DAC Access Tokens) then replace the <TOKEN> above with the newly created token.
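
A pre-deployment check for the Looker parameter described above, as an added example that is not part of the Satori or Looker documentation: it lints a Snowflake-form Additional Parameters value for a missing or fixed SATORI_LOGIN_NAME and an unreplaced <TOKEN>. The function name lint_additional_params and the rule that a templated PDT override is flagged are assumptions drawn from the PDT note above.

```python
# Added example (not Satori or Looker code): lint a Looker "Additional
# Parameters" value in the Snowflake form shown on this page.
TEMPLATE_MARK = "{{"     # Liquid opener, as in {{ _user_attributes['email'] }}
PLACEHOLDER = "<TOKEN>"  # literal from the docs; must be replaced with a real token


def lint_additional_params(value, is_pdt_override=False):
    """Return a list of findings; an empty list means the value looks right.

    The token is never echoed into a finding, so output is safe to log.
    """
    # Split by hand rather than URL-decoding, so token characters are untouched.
    params = dict(p.split("=", 1) for p in value.split("&") if "=" in p)
    name = params.get("SATORI_LOGIN_NAME")
    token = params.get("SATORI_LOGIN_TOKEN")
    findings = []

    if name is None:
        # Acceptable only for a PDT override that restores the previous value.
        if not is_pdt_override:
            findings.append("SATORI_LOGIN_NAME missing: only the shared BI user is visible")
        return findings

    templated = TEMPLATE_MARK in name
    if is_pdt_override and templated:
        findings.append("PDT override is templated: use the previous value or a fixed ID")
    if not is_pdt_override and not templated:
        findings.append("SATORI_LOGIN_NAME is fixed: all end users share one identity")

    if not token:
        findings.append("SATORI_LOGIN_TOKEN missing")
    elif token == PLACEHOLDER:
        findings.append("SATORI_LOGIN_TOKEN still holds the <TOKEN> placeholder")
    return findings


if __name__ == "__main__":
    # Constructed sample values; "example-token" is not a real token.
    samples = [
        ("SATORI_LOGIN_NAME={{ _user_attributes['email'] }}&SATORI_LOGIN_TOKEN=example-token", False),
        ("SATORI_LOGIN_NAME={{ _user_attributes['email'] }}&SATORI_LOGIN_TOKEN=<TOKEN>", False),
        ("SATORI_LOGIN_NAME=LOOKER&SATORI_LOGIN_TOKEN=example-token", True),
    ]
    for value, pdt in samples:
        print(lint_additional_params(value, pdt) or "ok")
```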

Using PostgreSQL or Redshift

To send the "end user" username to Satori, add the following parameter in the Additional Parameters field: options="SATORI_LOGIN_NAME={{ _user_attributes['email'] }}""SATORI_LOGIN_TOKEN=<TOKEN>". To activate this functionality, you must first obtain an authentication token via the management console (Settings->User management->DAC Access Tokens) then replace the <TOKEN> above with the newly created token.

PowerBI

Using SQL Server

To connect Satori with the PowerBI tool, create a new SQL Server connection and set the Satori URL as the server parameter. For example, server: abc123.us-east-1.a.s0.satoricyber.net. Then press OK and enter your credentials.

Note: Unsecured connections (the non-SSL driver option) are not supported. To enable secure connectivity, verify that the following settings are applied: File -> Options and Settings -> Data Source Settings -> abc123-cluster-cajcpwqzmvbb.us-east-1.a.p0.satoricyber.net -> Edit Permissions -> Encrypt Connections

Using PostgreSQL

To connect Satori with the PowerBI tool, create a new PostgreSQL connection and set the Satori URL as the server parameter. For example, server: abc123.us-east-1.a.s0.satoricyber.net. Then press OK and enter your credentials.

Note: Unsecured connections (the non-SSL driver option) are not supported. To enable secure connectivity, verify that the following settings are applied: File -> Options and Settings -> Data Source Settings -> abc123-cluster-cajcpwqzmvbb.us-east-1.a.p0.satoricyber.net -> Edit Permissions -> Encrypt Connections

Using Snowflake

To connect Satori with the PowerBI tool, create a new Snowflake connection and set the Satori URL as the server parameter. For example, server: abc123.us-east-1.a.s0.satoricyber.net. Then press OK and enter your credentials.

Note: Unsecured connections (the non-SSL driver option) are not supported. To enable secure connectivity, verify that the following settings are applied: File -> Options and Settings -> Data Source Settings -> abc123-cluster-cajcpwqzmvbb.us-east-1.a.p0.satoricyber.net -> Edit Permissions -> Encrypt Connections

Tableau

Initial SQL

Tableau features an option to define an SQL command that runs whenever a new database connection is established. Satori utilizes a special SQL command to associate the Tableau user's identity with the connection. To activate this functionality, you must first obtain an authentication token via the management console (Settings->User management->DAC Access Tokens), then add the snippet below, with the newly created token, as the Initial SQL.

SELECT 'satori_user: '[TableauServerUser]', satori_token: <TOKEN>'

Redash, Sigma, and Sisense (Periscope Data)

The integration with Satori is seamless (i.e., no Initial SQL query is required): whenever the data store is accessed, Redash/Sigma/Sisense adds a comment to the query that includes the user's metadata to be associated with the connection.