
 How to apply row-level security on the reports created using Pentaho Report Designer?

Bhargavi Gali posted 05-12-2020 13:23

Hi Everyone,


I am new to Pentaho and for one of the requirements we have to implement row-level security for the users according to the login to the Pentaho server. I got to know that we can implement the row-level security in Metadata Integrator. Can someone please help me with the step-by-step process on how to implement the row-level security?




Andrew Cave

Wouldn't it be easier to use a view as a data source and use the internal variable ${env::username} in the query?

Bhargavi Gali

Hi Andrew,

Thank you for the reply. We are creating reports in Pentaho Report Designer using PostgreSQL as data source and then publishing them to the server. When a user logs into the server he should see only his region data.

As I am new to this tool I didn't understand your answer. Can you please explain in detail how to achieve this?


Andrew Cave

Hi Bhargavi


The datasource for the PRPT will be an SQL query. You can use the ${env::username} variable to get the logged in user. Perhaps like this...

SELECT *
FROM sensitive_information as si
WHERE si.allowed_user = '${env::username}'



The value of ${env::username} will be replaced with the logged in user.


Here's a tip on how to set it when you're developing a PRPT on your desktop



Bhargavi Gali

Hi Andrew,


Thank you very much for the answer. This worked for us in the report designer.

We are embedding these reports in the web application. Will this query (env) automatically take the username from the application login, or is there any other variable that should be used?

It would be of great help if you help us with this.

Andrew Cave

If you are using the Pentaho BA server to present the report (I assume you are) then it will pick up the login.

Leonardo Trigoserrano

Does anyone know how to do the same, but with roles or users that come from an LDAP Security? In the method used, a table must still be created that identifies the user and is associated with the information that he can or cannot see.
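
The approach discussed in this thread (a view as the data source, a table mapping logins to what they may see, and a filter on ${env::username}), written out for the "each user sees only his region" case. This is an added example, not code from any of the posts above; the table, view and column names and the sample rows are assumptions made up for illustration.

```sql
-- PostgreSQL. Constructed sample schema and data (names are assumptions).
CREATE TABLE sales (
    sale_id integer PRIMARY KEY,
    region  text NOT NULL,
    amount  numeric(12,2) NOT NULL
);

-- Mapping table: which Pentaho login may see which region.
-- A user with several regions gets one row per region.
CREATE TABLE user_region (
    username text NOT NULL,
    region   text NOT NULL,
    PRIMARY KEY (username, region)
);

INSERT INTO sales VALUES
    (1, 'EMEA', 100.00),
    (2, 'APAC', 250.00),
    (3, 'EMEA',  75.50);

INSERT INTO user_region VALUES
    ('alice', 'EMEA'),
    ('bob',   'APAC'),
    ('carol', 'EMEA'),
    ('carol', 'APAC');

-- View used as the report data source: every sales row paired with
-- each login that is allowed to read it. The inner join means a row
-- whose region is mapped to nobody is visible to nobody.
CREATE VIEW sales_by_user AS
SELECT ur.username AS allowed_user,
       s.sale_id,
       s.region,
       s.amount
FROM sales AS s
JOIN user_region AS ur ON ur.region = s.region;

-- Query for the PRPT data source. The parameter reference is written
-- the same way as in the reply above; the server substitutes the
-- logged-in user's name when the report runs.
SELECT sale_id, region, amount
FROM sales_by_user
WHERE allowed_user = '${env::username}';
```

With the sample rows, alice gets sales 1 and 3, bob gets sale 2, carol gets all three, and a login with no row in user_region gets an empty report. The filter lives in the report query, so the database account behind the data source can still read every row, and anyone able to edit the published PRPT or query the database directly is not restricted by it.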