User Auditing for Multi Tenancy Environments
This applies to: Visual Data Discovery
Symphony supports two different levels of separation for user audit data. By default, user audit data is separated between accounts. If needed, you can further separate user audit data within a Symphony account by adding and using a custom attribute to separate the data.
Use Symphony to write audit data to a single table in your database or multiple tables to suit your organization's needs.
Database tables that contain user audit data are created automatically when you first trigger an audit event. Trigger table creation with user auditing enabled and properly configured before you create a data source for the tables or apply access controls at the database level.
Separation Between Symphony Accounts
Audit data for Symphony users, including administrators, is not visible to other accounts. You define this level of separation in the database in one of three ways:
- Tables: Configure Symphony to collect and write user audit data to different tables, then give users database access only to their own audit data table.
- Views: Disable user auditing by account, then give users access to their own audit data, using specific views and database access rights.
- Row level security: Disable user auditing by account, then configure row level security, limiting access for each user to their own data.
See Enable User Audit Data for Symphony Accounts.
Separation Between Tenants Within the Same Symphony Account
Configure user auditing for tenants so that tenant users can access only the user audit data for their own tenant. Symphony account administrators can see aggregated data for all tenants in the Symphony account.
You can define this level of separation in the database in one of several ways, depending on tenant connection creation privileges.
- If tenant users don't have permission to create new connections, add a user attribute value, then make the data available by applying the appropriate row level filter to that value.
- If tenant users do have permission to create new connections, you must set up database-level access control mechanisms.
  - Views per tenant: Define a tenant attribute, then define what user audit data users can access, using specific views and database access rights.
  - Database level row level security: Define a tenant attribute, then configure row level security for the audit table data, allowing users access to appropriate user audit data through individual user database accounts.
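The two database-level options above (views per tenant and row level security) can be sketched as follows. This is an added example, not Symphony's own schema or scripts. It assumes PostgreSQL, and every name in it (schema audit, table audit.user_audit, column tenant, table audit.tenant_members, roles tenant_a_user and audit_admin) is hypothetical.

```sql
-- Hypothetical names throughout; PostgreSQL syntax.
-- Run after the first audit event has created the audit table.
-- Assumes the account Symphony writes with owns audit.user_audit, so it is
-- not subject to the policies below and can keep inserting rows.

-- Baseline: nobody reads the audit table unless granted below.
REVOKE ALL ON audit.user_audit FROM PUBLIC;
CREATE ROLE tenant_a_user LOGIN;   -- individual database account for a tenant user
CREATE ROLE audit_admin LOGIN;     -- account administrator, sees all tenants
GRANT USAGE ON SCHEMA audit TO tenant_a_user, audit_admin;

-- Option 1: view per tenant. The view runs with its owner's rights, so the
-- tenant account needs SELECT on the view only, not on the base table.
-- security_barrier stops user-supplied functions from seeing filtered rows.
CREATE VIEW audit.user_audit_tenant_a WITH (security_barrier) AS
    SELECT * FROM audit.user_audit WHERE tenant = 'tenant_a';
GRANT SELECT ON audit.user_audit_tenant_a TO tenant_a_user;

-- Option 2 (alternative to option 1): row level security on the table.
-- Map each database account to its tenant (constructed sample row).
CREATE TABLE audit.tenant_members (
    db_role name PRIMARY KEY,
    tenant  text NOT NULL
);
INSERT INTO audit.tenant_members VALUES ('tenant_a_user', 'tenant_a');
ALTER TABLE audit.tenant_members ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_mapping ON audit.tenant_members
    FOR SELECT USING (db_role = current_user);   -- accounts see only their own mapping
GRANT SELECT ON audit.tenant_members TO tenant_a_user;

ALTER TABLE audit.user_audit ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_rows ON audit.user_audit
    FOR SELECT TO tenant_a_user
    USING (tenant IN (SELECT m.tenant FROM audit.tenant_members m
                      WHERE m.db_role = current_user));
CREATE POLICY admin_rows ON audit.user_audit
    FOR SELECT TO audit_admin USING (true);       -- aggregated view of all tenants
GRANT SELECT ON audit.user_audit TO tenant_a_user, audit_admin;
```

To check the result, connect as tenant_a_user and confirm that a query for rows where tenant is not 'tenant_a' returns nothing under either option.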