Background

In the previous part, we looked at the value of SaaS in data processing from the perspective of its various functions. This time we use an example to show what happens when SaaS and BI are brought together.

BI and SaaS integration example

BI analysis tools usually provide rich database interfaces so that data can be processed quickly and efficiently. Here we use one specific tool as the demonstration. It provides a rich GraphQL-based API, and through that API and dynamic parameters it can fetch the corresponding data and generate documents according to user context information. The specific embedding method can be adjusted to suit the SaaS system.

1. Create a data source

In multi-tenant deployments, data is usually split into separate databases per user. In this case, dynamic data sources can be created from user context information:

1.1 Add extended parameters that hold the database information in the user context

1.2 When creating a user, bind the database information of the user

1.3 When creating a data source, use dynamic parameter configuration

2. Create roles and users (use built-in users)

2.1 Create a role name:

 POST /api/graphql?token=8908645b0958662d66731038944c7d236d3d7c1ee98e3e2de3c5268453965a8a
Content-Type: application/json

{"query":"mutation { addRole( roleName: \"2\" ) { name } }"}

2.2 POST submission:

 POST /admin/api/accountmanagement/api/v1/roles?token=8908645b0958662d66731038944c7d236d3d7c1ee98e3e2de3c5268453965a8a
Content-Type: application/json

{"Name":"2"}

2.3 Assign permissions to roles:

 POST /admin/api/accountmanagement/api/v1/roles/3f497dc1-66a6-45cb-a999-6c7f4b1bb15f/permissions?token=8908645b0958662d66731038944c7d236d3d7c1ee98e3e2de3c5268453965a8a
Content-Type: application/json

{"Permissions":["create-data-source","create-semantic-model","create-dataset","create-dashboard","view-dashboard","create-report","view-report","schedule-reports","create-input-form","view-revision","allow-sharing"]}

2.4 Create users and assign roles

 POST /admin/api/accountmanagement/api/v1/users/?token=8908645b0958662d66731038944c7d236d3d7c1ee98e3e2de3c5268453965a8a
Content-Type: application/json

{"username":"2","email":"123@123.com","mobile":"","firstName":"","lastName":"","fullName":null,"password":"2","confirmPassword":"2","roles":["2"],"customizePropertyInfo":{"DBName":["Test"],"Password":["mAbQ5mlMDWck_xysj3rQ"],"Port":["3306"],"ServerIP":["192.168.32.100"],"Uid":["root"]}}

3. API to generate Token

This is the API for generating a token. All other API calls require the token parameter in order to be accepted.

 POST /connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=admin&password=admin&client_id=integration&client_secret=eunGKas3Pqd6FMwx9eUpdS7xmz&access-token-lifetime=86400

* Note that when requesting a token, the access-token-lifetime parameter should be used to limit how long the token is valid. The unit is seconds. If permanent tokens are used without restriction over a long period, login performance may suffer because tokens accumulate (permanent tokens can be removed by clearing the data in the grants table of the wynis database).

4. Create a portal directory

4.1 Get the maximum category ID

 POST /api/graphql?token=8908645b0958662d66731038944c7d236d3d7c1ee98e3e2de3c5268453965a8a
Content-Type: application/json

{"query":"query { tags (type: \"system\") { id, parentId, order, name, url, color, iconCssClass, isFavorites } }"}

4.2 Create a new portal category (order is equal to the maximum value returned in the first step + 1)

 var order = Math.max(...res.data.tags.map((item) => item.order)) + 1;

 POST /api/graphql?token=8908645b0958662d66731038944c7d236d3d7c1ee98e3e2de3c5268453965a8a
Content-Type: application/json

{"query":"mutation { addTag(name:\"2\", urlName:\"2\", order: 1961, iconCssClass: \"mdi mdi-folder\", grant: [ {role:\"Everyone\", ops:[Read]} ] , color: \"null\", parentId: \"null\" ) { id } }"}
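An added example (not from the original article or from Wyn) covering steps 4.1 and 4.2 together: it computes the next order value from the tags response and builds the addTag request body, escaping the category and role names so that a tenant-supplied name cannot alter the mutation. The helper names, the sample response and the list of allowed ops are assumptions.

```javascript
// Escape a value as a GraphQL string literal. JSON string escaping is a
// compatible subset, so quotes, backslashes and newlines stay inside the literal.
function gqlString(value) {
  if (typeof value !== "string") throw new TypeError("expected a string");
  return JSON.stringify(value);
}

// Next free order value. Math.max() over an empty list is -Infinity, so
// fall back to 1 when no tags exist yet.
function nextOrder(res) {
  const orders = ((res && res.data && res.data.tags) || [])
    .map((t) => t.order)
    .filter(Number.isInteger);
  return orders.length ? Math.max(...orders) + 1 : 1;
}

// Assumption: only the ops that appear on this page are accepted.
const ALLOWED_OPS = new Set(["Read", "Update"]);

// Build the JSON body for POST /api/graphql (step 4.2).
function buildAddTagBody(res, name, role, ops) {
  for (const op of ops) {
    if (!ALLOWED_OPS.has(op)) throw new Error("unexpected op: " + op);
  }
  const query =
    "mutation { addTag(name: " + gqlString(name) +
    ", urlName: " + gqlString(name) +
    ", order: " + nextOrder(res) +
    ', iconCssClass: "mdi mdi-folder"' +
    ", grant: [ { role: " + gqlString(role) +
    ", ops: [" + ops.join(", ") + "] } ]" +
    ', color: "null", parentId: "null" ) { id } }';
  return JSON.stringify({ query });
}

// Constructed sample of a step 4.1 response (not real data).
const sampleTags = {
  data: { tags: [{ id: "a", order: 7 }, { id: "b", order: 1960 }] },
};
```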

5. Copy the document and upload it (optional)

Depending on the actual business scenario, you may need to add a default document for each user that can be edited and saved separately. This can be handled in the following 2 ways:

  1. Copy and rename documents by tenant using Wyn Tools or other tools
  2. Bulk upload documents (manual upload)

* You can also share a document to all users under a role for browsing by assigning role permissions

6. API classification

6.1 Get Category ID

 POST /api/graphql?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7
Content-Type: application/json

{"query":"query { tags { id, name}}"}

6.2 Get document ID

 POST /api/graphql?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7
Content-Type: application/json

{"query": "query { documenttypes(key:\"rdl\") { documents { id, title, type} } }"}

6.3 Set the classification for the document (the classification id and document id of the request parameter are from the first two steps)

 POST /api/graphql?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7
Content-Type: application/json

{"query":"mutation { tagDocument(tagId: \"eafd31d7-7aad-40b7-9206-f4866127a853\", documentId: \"f30ce97b-7369-424e-8b39-8ffa6b305838\") }"}

7. API document authorization

7.1 Get document ID

 POST /api/graphql?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7
Content-Type: application/json

{"query": "query { documenttypes(key:\"rdl\") { documents { id, title, type} } }"}

7.2 Get the role name

 GET /admin/api/accountmanagement/api/v1/roles?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7

7.3 Grant the role sharing permissions on the document

(The parameters use the report ID returned in the first step and the role name to be shared in the second step)

 POST /api/graphql?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7
Content-Type: application/json

{"query":"mutation {\n\t\t\tupdatePermissions( documentId: \"f30ce97b-7369-424e-8b39-8ffa6b305838\" , grant: [ { role:\"1\", ops: [ Read, Update ]}]  )\n\t\t}"}

If you need to integrate through a URL that carries the token, continue with the following steps.

8. Build the URL

8.1 Get document ID

 POST /api/graphql?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7
Content-Type: application/json

{"query": "query { documenttypes(key:\"rdl\") { documents { id, title, type} } }"}

8.2 Generate a token (see section 3, API to generate Token, for the definition of the parameters)

 POST /connect/token?token=77c9bfccf16659f2ab62cf7796b640156f13cea35bc30cde1597ddb4457720c7
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=admin&password=admin&client_id=integration&client_secret=eunGKas3Pqd6FMwx9eUpdS7xmz&access-token-lifetime=86400

8.3 Build the URL

http://localhost:51980/dashboards/view/[Report ID]?theme=default&lng=zh-CN&token=[TOKEN]
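An added example (not from the original article or from Wyn) for steps 8.2 and 8.3: it builds the /connect/token form body with a bounded access-token-lifetime, assembles the view URL with encoded parameters, and redacts the token before the URL is logged, since the token travels in the query string. The function names, the 86400-second cap and the GUID check on the document ID are assumptions.

```javascript
// Assumption: the lifetime used on this page is treated as the upper bound.
const MAX_LIFETIME_SECONDS = 86400;
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Form body for POST /connect/token. Credentials are supplied by the caller
// (for example from a secrets store) rather than written into the code.
function buildTokenRequestBody(creds, lifetimeSeconds) {
  if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds <= 0 ||
      lifetimeSeconds > MAX_LIFETIME_SECONDS) {
    throw new RangeError("access-token-lifetime must be 1.." + MAX_LIFETIME_SECONDS);
  }
  for (const key of ["username", "password", "clientId", "clientSecret"]) {
    if (typeof creds[key] !== "string" || creds[key] === "") {
      throw new Error("missing credential: " + key);
    }
  }
  const form = new URLSearchParams();
  form.set("grant_type", "password");
  form.set("username", creds.username);
  form.set("password", creds.password);
  form.set("client_id", creds.clientId);
  form.set("client_secret", creds.clientSecret);
  form.set("access-token-lifetime", String(lifetimeSeconds));
  return form.toString(); // values are percent-encoded by URLSearchParams
}

// View URL from step 8.3; the document ID must look like the IDs from step 8.1.
function buildEmbedUrl(baseUrl, documentId, token) {
  if (!GUID.test(documentId)) throw new Error("document ID is not a GUID");
  if (typeof token !== "string" || token === "") throw new Error("missing token");
  const url = new URL("/dashboards/view/" + documentId, baseUrl);
  url.searchParams.set("theme", "default");
  url.searchParams.set("lng", "zh-CN");
  url.searchParams.set("token", token);
  return url.toString();
}

// Replace the token value before the URL is written to application logs.
function redactToken(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has("token")) url.searchParams.set("token", "REDACTED");
  return url.toString();
}
```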

9. User identity information integration (single sign-on)

SaaS platforms usually have their own user authentication system. With a BI analysis tool, we can integrate that user information directly to achieve unified identity authentication and unified management of accounts across platforms. The following introduces single sign-on:

9.1 Overall Process

(The picture comes from the Internet)

9.2 Introduction to Custom Security Providers

In the custom security provider interface that Wyn offers, we need to implement the authentication and authorization logic based on the token supplied with each call. Depending on business needs, this token can come from a unified identity authentication platform, or it can be produced by an encryption protocol that stores the user information inside the token so that permissions are passed along with it.

How to parse this token and implement user authorization is what needs to be implemented in the security provider.

9.3 Custom Security Provider - User Validation

When a user logs in through the login screen, or obtains a login token through the connect/token API call described earlier, the GenerateTokenAsync method is used to verify the user.

For a SaaS platform that integrates a custom security provider, we can use the current user's token as the username and password to initiate a login request:


As you can see, the user's SaaS platform token is passed to Wyn's authentication code. Which role the token belongs to and what permissions it has can then be obtained by sending a request to the authentication platform.

9.4 Custom Security Provider - Contextual Authorization

The above explains how to implement user authentication and login. For a SaaS platform, each user's context information (database connection information, roles, etc.) also needs to be provided by the unified identity authentication interface. We can either store it encrypted inside the token, or fetch it dynamically from the authentication interface using the token we received:

GetUserInfo interface:

login successful:

In this way, we can centrally configure the user authentication service and cooperate with the authentication logic of the single sign-on component to achieve unified management and control of the databases and permissions of each tenant.

Summary

This article introduces the collision between BI and SaaS in detail. If you encounter any problems during the operation, you can ask them in the comments.

In the future, we will bring you more interesting content. If you want to know more about BI related knowledge, you can visit:

https://gcdn.grapecity.com.cn/forum.php?mod=forumdisplay&fid=225&filter=typeid&typeid=273



GrapeCity Technical Team