Security and access to reports are controlled by the groups assigned to a user.
By default, each user is assigned to the * group, which allows access to all reports.
When configured, OAuth single sign-on sets a user's groups from the userinfo endpoint.
Groups are assigned during login. Membership of the admin group can be established by adding the user's email to the CUSTOM_ADMIN_USERS environment variable.
The admin group allows creating and editing reports, databases and other configuration settings. Use the CUSTOM_ADMIN_GROUP environment variable to specify a different admin group.
The editor group allows creating and editing reports. Use the CUSTOM_EDITOR_GROUP environment variable to specify a different editor group.
After login, a script can be called to establish the group membership of the user.
Set this environment variable to the script / program location:
CUSTOM_GET_GROUP_SCRIPT=script location
It will be called with username and email as the parameters. E.g.:
python get_groups.py user1 user1@email.com
The script should return a CSV list of groups the person is a member of.
Curl can be used to call an external endpoint. The URL is quoted so that the shell does not treat the & as a command separator. Example:
curl "https://flong.com/get_groups/?username=${1}&email=${2}"
Within the script command string any available environment variables can be used. An example:
#!/usr/bin/env python
import sys
# example script to return the groups for a user
# as a CSV line
USERNAME = sys.argv[1]
EMAIL = sys.argv[2]
print(f"{USERNAME},{EMAIL}")
sys.exit(0)
The admin group membership check is done after this script is run.
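Because the admin group check runs after the script, the script's output is best treated as security-relevant. The following is an added example, not the project's own code: a get_groups script that looks groups up in a trusted mapping instead of deriving them from its arguments, and returns no groups for unknown or mismatched users. The directory contents, the group-name pattern and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python
# Added example (not the project's code): get_groups script that looks groups
# up in a trusted mapping and never echoes its arguments back as group names.
import re
import sys

# Constructed sample directory (assumption): username -> expected email, groups.
DIRECTORY = {
    "user1": {"email": "user1@email.com", "groups": ["sales", "editor"]},
    "user2": {"email": "user2@email.com", "groups": ["reports", "x,admin"]},
}
# Group names may not contain commas or newlines, so one stored value
# can never expand into several CSV fields.
GROUP_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def groups_for(username, email):
    """Return the validated group list, or [] for unknown/mismatched users."""
    entry = DIRECTORY.get(username)
    if entry is None or entry["email"].lower() != email.strip().lower():
        return []  # fail closed: no entry or wrong email means no groups
    seen = []
    for group in entry["groups"]:
        if GROUP_NAME.fullmatch(group) and group not in seen:
            seen.append(group)
    return seen


def csv_line(groups):
    """Join already-validated group names into the CSV line the caller reads."""
    return ",".join(groups)


def main(argv):
    if len(argv) != 3:
        print("usage: get_groups.py USERNAME EMAIL", file=sys.stderr)
        return 2
    print(csv_line(groups_for(argv[1], argv[2])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

How the application treats an empty result line is not stated on this page, so check that behaviour before relying on the fail-closed path.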