Skip to content
Documentation

Dashboard Security

When you share a dashboard, you want everyone to see insights relevant to them — not a one-size-fits-all view. In Querri, each viewer sees the dashboard filtered by their own access policies, automatically.

How it works: shadow execution

Section titled “How it works: shadow execution”

When a viewer opens a shared dashboard, Querri doesn’t serve a cached copy of your results. Instead, it re-runs the entire data pipeline with the viewer’s security context. This means:

  • A regional manager sees charts filtered to their region
  • A department head sees data for their department
  • Someone with no policies sees everything the dashboard creator shared

This approach is called shadow execution — the system runs a “shadow” version of the data pipeline for each viewer, applying their access policies at query time.

What viewers see

Section titled “What viewers see”

Status indicators

Section titled “Status indicators”

When a dashboard is loading your personalized view, you’ll see status indicators showing that the system is applying your security context. This typically takes a few seconds — the system is re-running the data pipeline with your specific access policies.

Policy-aware filter options

Section titled “Policy-aware filter options”

If a dashboard has interactive filters (like a region dropdown), the options you see are filtered by your access policies. A user restricted to Southeast data won’t see “Northwest” as a filter option. This prevents information leakage — you can’t even discover values outside your access.

How it composes with other security

Section titled “How it composes with other security”

When a viewer opens a dashboard, all security layers apply in order:

  1. Table filters — admin-defined static filters on the data source
  2. Access policies — the viewer’s row-level security rules
  3. Dashboard filters — any interactive filter selections the viewer has made

All layers combine with AND. A row must pass every filter to appear in the dashboard.

The architectural choice

Section titled “The architectural choice”

Most BI platforms cache dashboard results — one render, same data for everyone. This is fast but fundamentally insecure for per-viewer access control. Querri chose correctness over caching: every viewer gets a fresh execution with their own security context.

This means shadow execution can be slightly slower than cached dashboards, but the data is always correct and always respects each viewer’s policies.

Next steps

Section titled “Next steps”
  • Access Policies — Set up the policies that drive per-viewer filtering
  • Filters — Interactive and admin-defined filters on dashboards
  • Audit Log — Track who viewed which dashboards