Modern Data Governance Integrations in Posit Connect — designed with Novo Nordisk

2024-10-30
About Posit Connect

Data scientists use Posit Connect to deliver solutions faster by automating time-consuming tasks with code and securely sharing insights with decision-makers. With Connect, you can publish interactive applications, documents, notebooks, and dashboards. Deploy models as APIs, and configure reports to run on a custom schedule. You can request a free trial of Connect here. 

With Novo Nordisk as our design partner, we are excited to announce support for integrations with Databricks, Snowflake, Microsoft Entra ID, and other third-party resources that enable viewer-based authorization and data governance patterns in dynamic content hosted on Connect. 

When viewers of your R and Python applications have different data permissions, you want to make sure people aren’t exposed to things they shouldn’t see, but you also don’t want to waste time building a customized app for each person or group. With new OAuth integrations in Posit Connect, each viewer can use their own credentials to access a personalized view of the data through a single, shared app. These OAuth integrations ensure that the data a viewer can see is aligned with your data governance policies and fine-grained access controls managed through external systems.

As an example, Zack Verham at Posit recently joined our Monthly Workflow Demo Series to showcase how one interactive application hosted on Connect can display different views of the data depending on the masks and filters that apply to the specific end user in Unity Catalog on Databricks. The full demo recording is available on YouTube.

 

This feature is available in the Enhanced and Advanced product tiers. Upgrade to Posit Connect 2024.08.0 (or newer) and refer to the Posit Connect Admin Guide to learn more.

 

Comments from our design partner, Novo Nordisk

The ability to pass user context to the data layer brings about a range of benefits, from reducing administrative overhead to strengthening our security practices and improving data governance. This functionality significantly enhances our operational efficiency and security posture.

— Henrik Lynge, VP, Head of Architects & Strategy, Novo Nordisk

As a consumer of this feature, we appreciate the capability to seamlessly pass user context from our application to the data layer. This feature significantly reduces the burden of managing permissions for statistical applications on a per-app basis. Specifically, it addresses several critical pain points:

  • Streamlined Security Management: By eliminating the need for manual and labor-intensive security work required for duplicated enforcement, we can now focus on more value-adding tasks rather than repetitive administrative work.
  • Enhanced Data Segmentation and Protection: The ability to segment and protect our data is crucial for maintaining data integrity and compliance. This capability empowers us to ensure that sensitive information is appropriately safeguarded.
  • Mitigation of Role Proliferation: With the current explosion of roles, it has become increasingly challenging to manage and maintain clarity. This feature helps mitigate the role explosion, simplifying our overall system administration and user management.
  • Seamless Integration with Identity and Access Management: The stronger connection to our Identity and Access Management system is invaluable. It ensures that data access aligns closely with our established security protocols, reducing the risk of unauthorized access.
  • Improved Clarity on Data Consumption: This feature provides increased clarity around the consumption of data from different roles, enhancing our understanding of how data is being utilized across the organization.

 

Get Started: Posit Connect OAuth integrations

 

A diagram explaining OAuth

 

What are OAuth integrations?

 

OAuth integrations allow content publishers to access the viewer’s temporary OAuth credentials securely, in order to serve customized data views.

When a publisher associates an OAuth integration with an application hosted on Connect, visitors are prompted to authenticate to the external resource, which gives the content secure access to the viewer’s temporary OAuth credentials. OAuth access tokens are short-lived and carry a limited set of permissions. The published content uses these credentials to access protected resources on behalf of the viewer, providing a personalized experience when interacting with content on Connect.

To configure and use an OAuth integration in Posit Connect, the following personas may be involved:

  • OAuth application administrator – creates the OAuth application in the external system.
  • Connect administrator – creates an OAuth integration in Posit Connect.
  • Connect publisher – authors the content that accesses protected resources as the content viewer. For more information on authoring content that accesses protected resources, see the OAuth Integrations section of the User Guide.
  • Connect viewer – views the deployed content on Connect. On visiting the deployed content for the first time, the viewer must grant consent for the content to use their credentials when accessing protected resources.

Learn more about OAuth integrations and the types of problems they solve by reading this Posit Connect engineering blog post.

 

What do Connect Administrators need to know?

 

Connect Administrators are responsible for working with the OAuth application administrator to create/register and configure an OAuth application integration between the external system and Posit Connect. Instructions for this process can be found in the Admin Guide.

The Admin Guide also has helpful sections covering:

 

What do Connect Publishers need to know? 

 

Once an OAuth integration is configured, Connect Publishers can add it to deployed content by selecting it from the available integrations dropdown in the content Settings > Access pane. 

Publishers should refer to the User Guide for detailed information on how to author content and utilize the Posit SDK or Connect Server API to obtain viewer OAuth credentials. Example code is provided in the guide. 
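A sketch of how published content can handle the viewer credentials described above, added here as an example and not taken from the Posit SDK or the User Guide. `exchange` is a hypothetical stand-in for the SDK or Connect Server API call, and the header name `Posit-Connect-User-Session-Token` is an assumption not stated on this page. The broker caches tokens per viewer session only, renews them before expiry, and fails closed instead of falling back to a shared credential.

```python
import time
from typing import Callable, Mapping

# Assumed header through which Connect passes the viewer's session token to content.
SESSION_HEADER = "Posit-Connect-User-Session-Token"

class ViewerCredentialError(Exception):
    """Raised when no viewer-scoped credential can be obtained (fail closed)."""

class ViewerTokenBroker:
    """Hands out per-viewer access tokens; no shared service-account fallback."""

    def __init__(self, exchange: Callable[[str], dict], clock=time.time, skew=30):
        self._exchange = exchange  # hypothetical stand-in for the SDK / Server API call
        self._clock = clock
        self._skew = skew          # renew this many seconds before expiry
        self._cache = {}           # session token -> (access token, expiry epoch)

    def token_for(self, headers: Mapping[str, str]) -> str:
        session = headers.get(SESSION_HEADER, "").strip()
        if not session:
            raise ViewerCredentialError("no viewer session token; refusing to query")
        cached = self._cache.get(session)
        if cached and cached[1] - self._skew > self._clock():
            return cached[0]       # reused only for the same viewer session
        creds = self._exchange(session)
        token = creds.get("access_token")
        if not token:
            raise ViewerCredentialError("exchange returned no access token")
        # A missing expires_in yields an already-expired entry, so it is never reused.
        expiry = self._clock() + int(creds.get("expires_in", 0))
        self._cache[session] = (token, expiry)
        return token

def demo():
    """Constructed run: two viewers, then the first viewer's token nears expiry."""
    now, calls = [1000.0], []
    def fake_exchange(session):    # constructed stand-in, no network access
        calls.append(session)
        return {"access_token": f"tok-{session}-{len(calls)}", "expires_in": 300}
    broker = ViewerTokenBroker(fake_exchange, clock=lambda: now[0])
    alice, bob = {SESSION_HEADER: "sess-alice"}, {SESSION_HEADER: "sess-bob"}
    first = broker.token_for(alice)
    again = broker.token_for(alice)
    other = broker.token_for(bob)
    now[0] += 280                  # inside the 30 s renewal window
    renewed = broker.token_for(alice)
    return first, again, other, renewed, calls
```

Data fetched with a viewer's token should be kept out of any cache shared across sessions, for the same reason the tokens are keyed per session here.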

Full working examples for several content frameworks are available for the Python Posit SDK: