Multi-tenant Filtering

Bobsled supports multi-tenant filtering, enabling you to control data access at the tenant level in a multi-tenant data environment.

To set this up you’ll do some configuration in Bobsled and also in the source data warehouse. This feature ensures the right data gets to the right customer without having to manage custom views per customer.

Configuration Options and Source Data Warehouse Support

Bobsled supports multi-tenant filtering using a database user. When configured Bobsled will run queries with a specified user name associated with a given tenant.

Currently, multi-tenant filtering is only available for Snowflake Source.

NOTE:
When an account is set to multi-tenant filtering mode, unsupported sources are not available for use.

Setting Up Multi-Tenant Filtering

To enable multi-tenant filtering, you need to engage with your account team for activation in your Bobsled account.

Data warehouse users are linked to consumer organizations within Bobsled and then when a consumer organization is added to a share that consumer org’s user will be used for all data queries to the given data warehouse. In multi-tenant filtering mode a consumer organization with a warehouse user must be added to a share to transfer any data.

Example of adding a Data warehouse user, and how it renders in a Share.

SQL View Configuration for User Name Filtering in source data warehouse

To establish user name filtering, you need to create SQL views similar to the one below.

SQL for Snowflake

CREATE BOBSLED_VIEW_1 AS (
SELECT d.*
FROM data_table d
JOIN entitlement_table e
  ON d.tenant_id = e.tenant_id AND e.user_name = CURRENT_USER()
)

Using a join to an entitlement table to join tenant_id to the user name assigned to the given tenant, the current user of a query will only see the data with its tenant_id.

Below is an example of an entitlement table required to accompany the view definition. Each tenant that will receive a share in Bobsled will need an entry in this table and a user created for them.

Permissions for the user
Each tenant user will need to be set up like the below. It will need access to the role setup for Bobsled.

create user ACME_USER
  login_name = ACME_USER
  display_name = ACME_USER
  default_role = BOBSLED_ROLE;

grant role BOBSLED_ROLE to user ACME_USER;

Impact on Data Access

With the multi-tenant filtering in place, each user will see data filtered according to their assigned multi-tenant filter configuration when Bobsled queries your source data warehouse.

The default Bobsled user will run schema queries and other queries needed to cache and populate the UI. The best practice is for the default Bobsled user to not be included in the entitlement table. All other queries that transfer data must use a specific consumer organization data warehouse user to complete.