As companies broaden their analytical capabilities, the necessity for job automation, comparable to consumer provisioning, turns into more and more evident. Handbook processes devour precious time and introduce the potential of errors. This text delves into automating consumer provisioning in GoodData, utilizing the GoodData Python SDK. Whereas our instance employs Auth0 because the OIDC supplier, the core rules stay relevant to different suppliers like Okta.

Conditions:

Earlier than we dive into the automation course of, guarantee you will have the next:

• A GoodData Cloud account with out the ManagedOIDC entitlement When you want to change the OIDC IdP that your trial surroundings is utilizing, contact us on our group portal.
• An OIDC supplier (we use Auth0 on this article however the ideas apply to different suppliers like Okta, Cloud IAM, Keycloak, and so on.).
• Configured authentication utility with Callback URLs and Secrets and techniques. Within the case of Auth0, see the documentation for particulars.
• Configured OIDC authentication in GoodData. See the documentation for particulars.
• Put in gooddata-sdk and auth0-python. Ideally, you must have configured a digital surroundings.

Tip: The code repository is open-sourced.

Step 1: Customers and Roles in OIDC

Start by populating your OIDC supplier with customers. On the next display screen, you may see customers in Auth0.

Defining consumer roles is crucial to regulate entry. As an example, “Admin” and “Person” roles could be arrange.

Now you can transfer to the subsequent step, which can configure all of the required surroundings variables for the answer.

Step 2: Configure Setting Variables

For Auth0, you will want to outline the next three surroundings variables:

• AUTH0_DOMAIN
• AUTH0_CLIENT_ID
• AUTH0_SECRET

You will discover all of those within the Auth0 utility.

Then copy & paste their values into the next code snippet.

export AUTH0_DOMAIN='<auth0-domain>'
export AUTH0_CLIENT_ID='<auth0-client-id>'
export AUTH0_SECRET='<auth0-secret>'

The final step on this part is to configure GoodData surroundings variables. When you do now know find out how to get a GoodData API token, see our documentation for particulars.

export GOODDATA_HOST='<gooddata-host>'
export GOODDATA_TOKEN='<gooddata-token>'
export GOODDATA_WORKSPACE_ID='<gooddata-workspace-id>'

Tip: You will discover the GoodData host and GoodData workspace ID within the URL <GOODDATA_HOST>/dashboards/#/workspace/<GOODDATA_WORKSPACE_ID>.

Step 3: Create Person Teams in GoodData

Manage customers in GoodData utilizing consumer teams. On this instance, we use “adminGroup” for customers with Admin roles and “userGroup” for these with Person roles.

def create_user_groups():
    # adminGroup already exists, it implies that solely userGroup must be created
    user_group = CatalogUserGroup.init(user_group_id="userGroup")
    gooddata_sdk.catalog_user.create_or_update_user_group(user_group=user_group)

You’ll be able to see within the script above that you don’t want to create the adminGroup as a result of it already exists in GoodData.

Step 4: Create Permissions in GoodData

Outline permissions to control consumer entry inside GoodData. The “MANAGE” permission permits customers (who’re within the adminGroup within the instance under) to create and edit visualizations and dashboards. In distinction, the “VIEW” permission grants customers (who’re within the userGroup within the instance under) read-only entry.

def create_permissions():
    declarative_permissions = gooddata_sdk.catalog_permission
        .get_declarative_permissions(gooddata_workspace_id)
    admin_group_permissions = {
        "title": "MANAGE",
        "assignee": {
             "id": "adminGroup",
             "sort": "userGroup"
        }
    }
    user_group_permissions = {
        "title": "VIEW",
        "assignee": {
            "id": "userGroup",
            "sort": "userGroup"
        }
    }

    declarative_permissions.permissions = [admin_group_permissions, user_group_permissions]
    gooddata_sdk.catalog_permission
        .put_declarative_permissions(gooddata_workspace_id, declarative_permissions)

Tip: Test the Handle Permissions part of our documentation for extra info.

Step 5: Provision Customers From Auth0 to GoodData

An important half is appropriately mapping customers from the OIDC supplier (in our case Auth0) to GoodData. First, retrieve consumer knowledge and roles from Auth0:

def get_auth0_users():
    return auth0.customers.checklist()


def get_auth0_user_role(auth_id: str):
    return auth0.customers.list_roles(auth_id)

With customers and roles from Auth0, it’s simple to map customers to GoodData and assign them the suitable permissions.

def create_or_update_user(user_id: str, authentication_id: str, user_group_ids: Record[str]):
    gooddata_sdk.catalog_user.create_or_update_user(
        CatalogUser.init(
            user_id,
            authentication_id,
            user_group_ids
        )
    )


def provision_users():
    customers = get_auth0_users()

    for consumer in customers["users"]:
        # user_id is the authentication_id on this case, it's auth0|<user_id>
        auth_id = consumer["user_id"]
        user_id = auth_id.substitute("auth0|", "")
        # consumer can have assigned extra roles, I assigned only one
        function = get_auth0_user_role(auth_id)["roles"][0]
        role_name = function["name"]


        # if consumer has an admin function, it's assigned to adminGroup
        if role_name == "Admin":
            create_or_update_user(user_id, auth_id, ["adminGroup"])
        else:
            create_or_update_user(user_id, auth_id, ["userGroup"])

After this step, all customers from the OIDC supplier are provisioned to GoodData. For seamless consumer provisioning, automate the whole course of.

Step 6: Automation of Person Provisioning

Schedule common execution of the provisioning script, which checks for brand spanking new customers and maintains synchronization. You should utilize Auth0 Actions (or comparable instruments from different OIDC suppliers) for superior use instances. In our instance, working a easy cron job is sufficient:

def run_provisioning():
    print("Checking new customers...")
    create_user_groups()
    create_permissions()
    provision_users()
    print("Accomplished")


schedule.each(1).hour.do(run_provisioning)

whereas True:
    schedule.run_pending()
    time.sleep(1)

The script above ensures that the provisioning of latest customers runs each hour.

A Identified Limitation

The outlined consumer provisioning strategy lacks change administration logic. Within the situation supplied, even when we take away customers from the OIDC supplier, they may stay inactive in GoodData. Whereas integrating change administration logic is possible, we’ve got omitted its implementation on this context for the sake of article simplicity.

Last Ideas

Automating consumer provisioning is a pivotal step in scaling your analytics endeavors. By integrating the GoodData Python SDK and Auth0, you may effectively handle consumer entry and permissions, guaranteeing correct knowledge evaluation and reporting. If in case you have any queries or require help, do not hesitate to succeed in out on the GoodData Slack channel. Able to get began? Discover the chances by signing up for our free trial as we speak!