PATTERN Cited by 1 source

Signed embed URL with role mapping¶

Signed embed URL with role mapping is the canonical pattern for embedding a BI provider's dashboards inside a host application, where each dashboard load is authorized per-viewer through a short-lived signed URL minted by a backend that translates the host app's identity into the BI provider's permission model.

The load-bearing architectural move is that the embed URL is the authorization capability itself — it carries the viewer's identity, permissions, and row-level-security filters, signed by the BI provider, with a short TTL. The host app's iframe doesn't authenticate separately; the URL has already done the work.

Components¶

Host app (Infor OS, CRM, support tool)
    │ 1. iframe requests embed URL
    ▼
API Gateway
    │ 2. authn/authz, CORS enforcement, rate-limiting
    ▼
Lambda (embed-URL minter)
    │ 3. validate host session token
    │ 4. map host role → BI user + permissions
    │ 5. apply per-user row-level-security filters
    │ 6. call BI provider's signed-URL API (e.g. GenerateEmbedUrlForRegisteredUser)
    ▼
Signed embed URL (short TTL)
    │ 7. returned to host app
    ▼
iframe loads URL → BI provider validates signature, filters, renders

Canonical implementation (AWS/QuickSight)¶

Session token validation. Lambda extracts the host app's session token from the incoming API Gateway request, validates it against the host app's identity provider.
Role → permission mapping. Lambda converts the host role (e.g. Infor organization + role + facility) into a QuickSight registered-user ARN + dashboard-level permissions + RLS predicates.
GenerateEmbedUrlForRegisteredUser. Lambda calls this QuickSight API passing the mapped user and dashboard ID. The API returns a time-limited signed URL.
CORS + rate limiting. API Gateway enforces CORS per host domain; configured rate limits prevent runaway iframe loads.
Iframe embeds the returned URL. The host app's frontend loads the signed URL in an iframe; QuickSight validates the signature, enforces RLS, and renders.

Why this shape¶

Zero trust between provider and host app. The provider doesn't need to know anything about the host app's identity model — only its registered BI users. The host app doesn't need to share credentials with the provider.
Forwarded URL blast radius is bounded. A forwarded or leaked URL only works for a short TTL and reveals only the specific viewer's authorized rows.
Scaling back-pressure in one place. The per-load GenerateEmbedUrlForRegisteredUser call is the back-pressure throttle point — rate limit it at API Gateway and the BI provider's own capacity is protected.

Structural trade-offs¶

Cold-start on rare dashboard loads. Lambda cold starts can add hundreds of ms to the first dashboard load per idle period. Provisioned concurrency addresses this at a cost.
Embed URL TTL tuning. Shorter TTLs reduce leak blast radius but force more mints per user session (every time an iframe re-mounts). QuickSight's default session-lifetime is in the 10–15 minute range.
RLS predicate correctness is critical. A bug in the role → filter translation leaks cross-tenant data. This logic should live in one well-tested module, not scattered.
Two places to configure CORS. API Gateway (for the minting endpoint) and the BI provider (for the iframe domain) — both must agree. Misconfiguration fails silently at iframe load.

Seen in¶

sources/2026-04-21-aws-oldcastle-infor-aurora-quicksight-real-time-analytics — canonical wiki instance. Oldcastle embeds QuickSight dashboards inside Infor OS via API Gateway + Lambda calling GenerateEmbedUrlForRegisteredUser with Infor-role-to-QuickSight-permission mapping and RLS filters baked into the embed URL.