Call workflow output rows conditional on user permissions

I am not too experienced with call workflows / Containers.

I have a parent workflow with data which I would like a child workflow to call.

Parent workflow:
Table | Salary | Server Permissions
Emp1 | $50,000 | abc
Emp2 | $60,000 | abc
Emp3 | $45,000 | def

Child workflow (only Server permission to “abc”):

When the child workflow is run, I am trying to call only the following rows:
Emp1 | $50,000
Emp2 | $60,000

Thank you!

Hi @Rokank -

I’m afraid I don’t understand what you’re trying to do. You describe the data in your workflows, but it’s not clear what task each workflow is supposed to implement.

Are you possibly just trying to do a join or filtering operation between two tables here? In that case, a call workflow framework would definitely be overkill.

If you can provide a bit more context that would be helpful. Thanks!

Hi ScottF,

I have a Snowflake data source with confidential data by team. I would like to filter the data to various teams by mapping it by Knime Server permissions.

I would like each team to be able to call the workflow using Knime, but only see the data where a field in the main data source matches the end user Knime Server permissions.

Hi @Rokank - I asked internally about this and here’s what I heard back:

This is doable but will require a bit of setup. Basically this is role-based access, and Snowflake does this very well. There are two ways our SEs have seen this implemented.

  1. Snowflake supports role and row based security, here. KNIME Server isn’t responsible for the access, it just passes the credentials along, and the DB does the work.
  2. Access or entitlement tables maintained within KNIME Server (for example a KNIME table, or another DB table), and that table is “joined” to restrict data.

From our experience #1 is the solution both KNIME and Snowflake would recommend. #2 is functional and useful, but comes with risks, and can require lots of maintenance.

Does that help?
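
A sketch of option #1 in Snowflake SQL, using the sample rows from the question. This is an added example, not code from the thread or from KNIME: the table names `emp_salary` and `team_entitlements`, the policy name, and the roles `TEAM_ABC` / `TEAM_DEF` are hypothetical, and it assumes each team's KNIME database connection logs in with credentials whose active role is that team's role.

```sql
-- Hypothetical objects throughout; the roles TEAM_ABC and TEAM_DEF are
-- assumed to exist already and to have USAGE on the database and schema.

CREATE TABLE emp_salary (
    emp_name  VARCHAR,
    salary    NUMBER(10,2),
    team_code VARCHAR        -- the "Server Permissions" column from the question
);
INSERT INTO emp_salary VALUES
    ('Emp1', 50000, 'abc'),
    ('Emp2', 60000, 'abc'),
    ('Emp3', 45000, 'def');

-- Mapping of Snowflake role -> team whose rows that role may read.
-- It lives in the database, so KNIME never has to filter anything itself.
CREATE TABLE team_entitlements (
    role_name VARCHAR,
    team_code VARCHAR
);
INSERT INTO team_entitlements VALUES
    ('TEAM_ABC', 'abc'),
    ('TEAM_DEF', 'def');

-- The policy is evaluated for every row of every query against the table,
-- regardless of which client (KNIME, a SQL worksheet, a BI tool) sends it.
CREATE OR REPLACE ROW ACCESS POLICY team_row_policy
AS (row_team VARCHAR) RETURNS BOOLEAN ->
    EXISTS (
        SELECT 1
        FROM team_entitlements e
        WHERE e.role_name = CURRENT_ROLE()
          AND e.team_code = row_team
    );

-- Bind the policy to the column that carries the team code.
ALTER TABLE emp_salary ADD ROW ACCESS POLICY team_row_policy ON (team_code);

-- Team roles get SELECT on the data table only, not on the mapping table.
GRANT SELECT ON TABLE emp_salary TO ROLE TEAM_ABC;
GRANT SELECT ON TABLE emp_salary TO ROLE TEAM_DEF;

-- What a workflow connected as the "abc" team runs: same query for every team.
USE ROLE TEAM_ABC;
SELECT emp_name, salary FROM emp_salary;
```

Under `TEAM_ABC` the final query returns only the Emp1 and Emp2 rows, and a role with no entry in `team_entitlements` gets no rows at all, so a missing mapping fails closed.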

As per your recommendation, we will go with Option #1.
Thank you.
