@arikfr
Last active August 29, 2015 14:25
Notes on implementing datasource permissions in re:dash

Each user in the system is a member of one or more groups. These groups are used to assign permissions to the user. I will add the option to set a datasource to belong to one or more groups. This means that a user who is a member of a group will have access to the datasources that belong to that group.

In technical terms: have a many-to-many relationship between groups and datasources, and have a calculated property on the User class that returns the list of data sources the user has access to.

Next we need to enforce this restriction:

  1. In the datasources list API call, we will filter out the ones the user doesn't have access to. Or, as an alternative: ask for the ones he has access to, and return only them.
  2. For all queries and query results related API calls, we will check if the current user has access to the given query (based on the data source it belongs to), and if not, we won't return it, or will filter it out of a group of queries.
  3. For all dashboard/widgets/visualization APIs, do the same check and filter out widgets the user doesn't have access to.

It's a lot of text, but once you understand the code, it should be quite simple to implement. All the changes are either in the models (to implement the datasources->groups->users relationship) or in the controllers/API handlers (for filtering out disallowed results). If I'm not mistaken, no UI changes are required.
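
A minimal sketch of the design described above, added here as an illustration and not taken from re:dash: the class names, the `catalog` field standing in for the many-to-many join, and the handler functions are all hypothetical. A data source that belongs to no group is visible to nobody, so the check defaults to deny.

```python
# Added sketch, not re:dash code: every name below is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class DataSource:
    id: int
    groups: frozenset  # names of the groups this data source belongs to

@dataclass(frozen=True)
class Query:
    id: int
    data_source: DataSource

@dataclass(frozen=True)
class Widget:
    id: int
    query: Query

@dataclass
class User:
    groups: frozenset
    catalog: tuple  # every DataSource; stands in for the ORM many-to-many join

    def can_access(self, data_source):
        # Empty intersection (including a data source with no groups) means deny.
        return bool(self.groups & data_source.groups)

    @property
    def data_sources(self):  # step 1: the calculated property backs the list API
        return [ds for ds in self.catalog if self.can_access(ds)]

def get_query(user, query):  # step 2, single object: refuse outright
    if not user.can_access(query.data_source):
        raise PermissionError(f"query {query.id}")
    return query

def list_queries(user, queries):  # step 2, collections: filter
    return [q for q in queries if user.can_access(q.data_source)]

def visible_widgets(user, widgets):  # step 3: check the widget's underlying query
    return [w for w in widgets if user.can_access(w.query.data_source)]

# Constructed sample data.
SALES = DataSource(1, frozenset({"analysts"}))
HR = DataSource(2, frozenset({"hr", "admin"}))
ORPHAN = DataSource(3, frozenset())  # belongs to no group
ALICE = User(frozenset({"analysts", "default"}), (SALES, HR, ORPHAN))
QUERIES = [Query(10, SALES), Query(11, HR), Query(12, ORPHAN)]
WIDGETS = [Widget(100, QUERIES[0]), Widget(101, QUERIES[1])]
```
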
