This topic describes how to use the Ticket embedding solution to prevent reports from being embedded in third-party systems and control the permissions of Quick BI reports embedded in third-party systems. This topic also describes how to use Ticket management to effectively prevent links from being maliciously shared and data breach. This topic is applicable to the Professional Edition.
Background information
Quick BI provides a security-enhanced embedded analysis solution, called Ticket Report Embedding Solution for short. When you use the Professional Edition of Quick BI, you can implement one-stop security control for multiple scenarios, such as linking, accessing, and viewing data. This solution helps you integrate with enterprise business systems at low costs and efficiently build data products with your own brand features.
Instructions for embedding parameters:
In embedded integration scenarios, combined with global parameter annotation can achieve the same report with thousands of people and thousands of faces.
The embedded parameter is only available to enterprise customers with 100 or more common users in the Professional Edition.
Usage notes
To use the Ticket report embedding solution, you need to pay attention to the following points:
Currently, you can embed only dashboards, worksheets, dashboards, and self-service data retrieval reports into other systems.
If you need to try out the global parameter capability, contact the person in charge of Quick BI operations.
The enhanced solution for the international site only supports sites in Singapore and China (Hong Kong).
NoteThe domain names of the Singapore and Hong Kong sites are as follows:
Singapore: bi-ap-southeast-1.data.aliyun.com
Hong Kong, China: bi-cn-hongkong.data.aliyun.com
In this topic, the domain name of the China (Hong Kong) region is used as an example. If you use other websites, replace it with the domain name of the corresponding website.
Step 1: Open the report to be embedded
The report embedding feature is supported only when the report is in the published state.
You can activate report embedding from the Open Platform module using:
On the Quick BI product homepage, follow the instructions shown in the following figure to go to the Embed Report page.
On the Embed Report page, select the target workspace and data object type, select the data object name from the drop-down list, and then click Enable Embed.
If there are too many reports, you can also enter the report name to help you quickly search for the target report.
In the Report Embedding Configuration dialog box, set the following parameters.
Header
Description
Embedded Object
Select the embedded object.
If you select Whole Page, the embedded object is the current dashboard.
If you select a widget, the embedded object is a widget in the current dashboard.
Display Configuration
Whether to carry the title of the current dashboard after embedding.
Security Authentication Type and Ticket Link
Select Ticket authentication and generate a Ticket link.
You can enter the URL of the ticket or click Generate to generate a ticket.
On the generated ticket page, you can set Bind User, Valid Duration, Watermark Parameters, and Access Times.
Obtain the embed code
URL and Iframe are supported.
Click Copy.
Step 2: Use an API operation to generate an AccessTicket ticket
Call the CreateTicket interface to generate the ticket to be used for report embedding.
The following table describes the parameters for generating an accessTicket.
Option
Job type
Full description
WorksId
String
The ID of the embedded report.
Currently, only dashboards and workbook are supported.
CmptId
String
The ID of the component. is the ID of a component in the preceding report.
For more information about the interface called to obtain the component ID, see QueryWorksBloodRelationship.
TicketNum
Integer
The number of tickets.
Default value: 1.
The recommended value is 1.
The maximum value is 99999.
Each time a ticket is used to access the ticket, the number of tickets is reduced by 1.
UserId
String
The Quick BI UserId, which is not the ID of your Alibaba Cloud account.
You can call the QueryUserInfoByAccount operation to obtain the UserId. UserId is
fe67f61a35a94b7da1a34ba174a7****.NoteYou can specify only one of UserId and AccountName. If you do not specify this parameter, the owner of the report is bound by default. For more information about how to configure row-level permissions, see Appendix 1: Configure row-level permissions.
AccountName
String
The account name of the user.
If the user is an Alibaba Cloud account wangwu, the format is [primary account], such as wangwu.
If the user is a RAM user zhangsan**@aliyun.cn, the format is [primary account: sub-account], for example, wangwu:zhangsan **.
NoteYou can specify only one of UserId and AccountName. If you do not specify this parameter, the owner of the report is bound by default. For more information about how to configure row-level permissions, see Appendix 1: Configure row-level permissions.
AccountType
Integer
The account type of the user.
1: Alibaba Cloud account
3:Quick BI a user-created account
5:RAM sub-account
NoteIf AccountName is not empty, AccountType also cannot be empty.
ExpireTime
Integer
The time when the backup expires.
Unit: minutes.
Default value: 240
WatermarkParam
String
The watermark parameter of the report.
It must not exceed 50 characters.
GlobalParam
String
The global parameters of the report filter.
The value is a JSON string
NoteIf you need to use the global parameter capability, contact the person in charge of Quick BI operations.
NoteLink sharing prevention control: We recommend that you set the value of TicketNum to 1, which indicates that the generated third-party embedded link is accessed only once.
The watermark parameter WatermarkParam can be bound when the report is embedded.
Generate an AccessTicket.
For more information about the sample code, see SDK examples.
Sample response:
{ "requestId" : "7D784AB0-5B77-077E-B628-E782B58D3898", "result" : "fd138bcb-****-4fde-b413-81bcee59bdb6", "success" : true }NoteThe
resultis the AccessTicket generated for this API call. The AccessTicket is thefd138bcb-****-4fde-b413-81bcee59bdb6.
Step 3: Create a logon-free URL
The following table describes the splicing process and examples.
Step | Dashboard example | Workbook example | Example of self-service data retrieval | Data dashboard example |
|
|
|
| |
|
|
|
| |
|
|
|
| |
|
|
|
|
The splicing format and report URL are as follows.
The dashboard is in the format of
https://<Quick BI domain name>/<Preview report URL>?pageId=<report ID>&accessTicket=<AccessTicket>. The generated URL is as follows:https://bi-cn-hongkong.data.aliyun.com/token3rd/dashboard/view/pc.htm?pageId=dd0****83f&accessTicket=fd138bcb-****-4fde-b413-81bcee59bdb6The format of the workbook is
https://<Quick BI domain name>/<Preview report URL>?id=<report ID>&accessTicket=<AccessTicket>. The generated URL is as follows:https://bi-cn-hongkong.data.aliyun.com/token3rd/report/view.htm?id=<42****18ef6>&accessTicket=fd138bcb-****-4fde-b413-81bcee59bdb6The format of self-service data retrieval is
https://<Quick BI domain name>/<Preview report URL>?pageId=<report ID>&accessTicket=<AccessTicket>. In this example, the website in China (Hong Kong) is used. The generated URL is as follows:https://bi-cn-hongkong.data.aliyun.com/token3rd/offline/view/pc.htm?pageId=<42****18ef6>&accessTicket=fd138bcb-****-4fde-b413-81bcee59bdb6The format of the data dashboard is
https://<Quick BI domain name>/<Preview report URL>?pageId=<report ID>&accessTicket=<AccessTicket>. The generated URL is as follows:https://bi-cn-hongkong.data.aliyun.com/token3rd/screen/view/pc.htm?pageId=<42****18ef6>&accessTicket=fd138bcb-****-4fde-b413-81bcee59bdb6
If you need to embed blocks in a report, you need to splice the &cmptId=XXX after the report URL. For example, if you need to embed a block in a spreadsheet, the resulting URL is:
https://bi-cn-hongkong.data.aliyun.com/token3rd/report/view.htm?id=<42****18ef6>&accessTicket=fd138bcb-****-4fde-b413-81bcee59bdb6&cmptId=XXXObtain the Quick BI domain name.
For example, Quick BI the domain name of the China (Hong Kong) site is
bi-cn-hongkong.data.aliyun.com, the environment-specific domain name prevails.Gets the preview report URL.
The URL of the preview page corresponding to the report is as follows. You can select the URL as needed.
Dashboard:
token3rd/dashboard/view/pc.htmspreadsheets:
token3rd/report/view.htmData dashboard:
token3rd/screen/view/pc.htmSelf-service data retrieval:
token3rd/offline/view/pc.htm
On the report editing page, obtain the report ID.
The ID of the dashboard. In this example, the value is
d01****c5f.On the dashboard edit page, obtain the value of the dashboard pageId in the address bar.
The ID of the workbook. In this example,
d0****3ba88On the workbook editing page, obtain the value of the workbook Id in the address bar.
The ID of the data dashboard. In this example,
3c****26bOn the Data Dashboard page, obtain the value of pageId in the address bar.
The ID of the self-service data retrieval. In this example, the ID is
b2****47.On the download editing page, obtain the value of pageId in the address bar.
Add the Quick BI domain name, preview report URL, report ID, and AccessTicket obtained in Step 2 to the following request URL.
https://<Quick BI domain name>/<preview report URL>?pageId=<report ID>&accessTicket=<AccessTicket>https://<Quick BI domain name>/<preview report URL>?id=<report ID>&accessTicket=<AccessTicket>https://<Quick BI domain name>/<preview report URL>?pageId=<report ID>&accessTicket=<AccessTicket>https://<Quick BI domain name>/<preview report URL>?pageId=<report ID>&accessTicket=<AccessTicket>
Appendix 1: Configure row-level permissions on data
If the UserId and accountName parameters are not specified, the view permission of the embedded report follows that of the report owner by default. You can follow the instructions in the following figure to configure row-level permissions and set UserId or AccountName parameters to bind the permissions of the target user. 
For more information, see Row and column permissions.
Appendix 2: Generate global parameters
Set the corresponding global parameters in the target dashboard or workbook. The global parameters are used to bind reports and generate AccessTicket.
The parameter name of a global parameter is GlobalParam. The parameter value of a global parameter is a JSON array:
[
{
"paramKey": "price", // The global parameter key.
"joinType": "and", // The connection method.
"conditionList": [
{
"operate": "=", // The operator. For more information, see the following
"value": "1" // The operation value. In the case of multiple values, the array ["1", "2"] is used.
},
{
"operate": "=", // The operator. For more information, see the following
"value": "2" // The operation value. In the case of multiple values, the array ["1", "2"] is used.
}
]
},
{
"paramKey": "area", // The global parameter key.
"joinType": "and", // The connection method.
"conditionList": [
{
"operate": "in", // operator
"value": ["North China","South China"] // The operation value. If multiple values are specified, an array is used.
}
]
}
]The following table describes the common enumerations for the global parameter operate field.
Operators (operate) | Description | Adjustable |
= | Equals | - |
!= | does not equal | - |
> | Greater than | - |
>= | Greater than or equal to | - |
< | Less than | - |
<= | Less than or equal | - |
in | in | Parameter value must be an array |
not-in | no in | Parameter value must be an array |
like | like | Keyword fuzzy match. The SQL statement is automatically parsed as |
contain | The string contains | The SQL statement is automatically parsed as |
start-with | What does the string start with | The SQL statement is automatically parsed as |
end-with | What does the string end with | The SQL statement is automatically parsed as |
Appendix 3: Quantity of Reports that Can Be Embedded
Number of Purchased Users | Number of Embedded Third Parties |
50 | 100 |
100 | 200 |
200 | 500 |
300 | 1000 |
The above is the default number of professional embedded reports.