对于 BigQuery 以外的数据库，如何为 Data Studio 中的同一行授予多个用户访问权限？

Question

To enable row level security, I used Filter By Email option as suggested here . But I want to know can I enable access to same row for multiple users and also how to enable super users who can see all rows. For example if below is the sample data then I want to have different output based on who is logged in.

userId  age email
A       20  usera@gmail.com
B       15  userb@gmail.com
C       25  userc@gmail.com
Z       30  admin@gmail.com

When A is logged in

userId  age email
A       20  usera@gmail.com

When B is logged in

userId  age email
A       20  usera@gmail.com
B       15 userb@gmail.com

When Z is logged in

userId  age email
A       20  usera@gmail.com
B       15  userb@gmail.com
C       25  userc@gmail.com
Z       30  admin@gmail.com

Update1: I am using postgres instance for reporting (not bigQuery), so solution which make use of @DS_USER_EMAIL will not work

Answer 1

The filter by email simply provide you the email of the current logged user. You have to use it to filter your query. I designed a simple test like this

with sample as (
  select "a" as userId, 10 as age, "usera@gmail.com" as email
  UNION ALL
  select "b" as userId, 20 as age, "userb@gmail.com" as email
  UNION ALL
  select "c" as userId, 30 as age, "userc@gmail.com" as email
), auth as (
  select "usera@gmail.com" as user, "usera@gmail.com" as permission
  UNION ALL
  select "userb@gmail.com" as user, "usera@gmail.com" as permission
  UNION ALL
  select "userb@gmail.com" as user, "userb@gmail.com" as permission
  UNION ALL
  select "admin@gmail.com" as user, ".*" as permission
)
select * from sample
where REGEXP_CONTAINS(email,(select STRING_AGG(permission,"|") from auth where auth.user = @DS_USER_EMAIL))

I have the sample table with your data. I created a auth table with the link between the user email and the view authorization.

In the final request, I use a regex to check if the row is authorized or not. The admin has the value .* to view all the data. The other is simple an aggregation of all the rows, separated by a pipe |(OR in regex language)

EDIT

The power of BigQuery is the compliance with the SQL2011 standard, and a working query in postgres is similar. For the regex pattern use SIMILAR TO . Look at the admin regex pattern, it's not regex conventional, but it works

string_agg is an existing function

with sample as (
  select 'a' as userId, 10 as age, 'usera@gmail.com' as email
  UNION ALL
  select 'b' as userId, 20 as age, 'userb@gmail.com' as email
  UNION ALL
  select 'c' as userId, 30 as age, 'userc@gmail.com' as email
), auth as (
  select 'usera@gmail.com' as user, 'usera@gmail.com' as permission
  UNION ALL
  select 'userb@gmail.com' as user, 'usera@gmail.com' as permission
  UNION ALL
  select 'userb@gmail.com' as user, 'userb@gmail.com' as permission
  UNION ALL
  select 'admin@gmail.com' as user, '%' as permission
)
select * from sample
where email SIMILAR TO (select STRING_AGG(permission,'|') from auth where auth.user = @DS_USER_EMAIL)

The query works, but it's not usable with Datastudio because the @DS_USER_EMAIL exists only with BigQuery

The workaround is to use Cloud SQL federated query . And the final request is a mix between both db engine

with sample as (
SELECT * FROM EXTERNAL_QUERY("gbl-imt-homerider-basguillaueb.us.vertx-postgres", """ select 'a' as userId, 10 as age, 'usera@gmail.com' as email
  UNION ALL
  select 'b' as userId, 20 as age, 'userb@gmail.com' as email
  UNION ALL
  select 'c' as userId, 30 as age, 'userc@gmail.com' as email""")), auth as (
SELECT * FROM EXTERNAL_QUERY("gbl-imt-homerider-basguillaueb.us.vertx-postgres", """ select 'usera@gmail.com' as user, 'usera@gmail.com' as permission
  UNION ALL
  select 'userb@gmail.com' as user, 'usera@gmail.com' as permission
  UNION ALL
  select 'userb@gmail.com' as user, 'userb@gmail.com' as permission
  UNION ALL
  select 'admin@gmail.com' as user, '.*' as permission"""))
select * from sample
where REGEXP_CONTAINS(email,(select STRING_AGG(permission,"|") from auth where auth.user = @DS_USER_EMAIL))