In [1]:
import atoti as tt

### Configuring session to connect to an LDAP authentication provider.

Refer to [atoti documentation](https://docs.atoti.io/latest/lib/atoti.config.authentication.ldap.html#atoti.config.authentication.ldap.LdapConfig) on the parameter of the LDAP configurations used below.  

The LDAP roles `ADMIN`, `USER`, `USA` and `EUROPE` are mapped the roles available in Atoti+ (`ROLE_ADMIN`, `ROLE_USER`, `ROLE_MARKET_EU`, `ROLE_MARKET_US` etc).

In [None]:
session_config = {"port": 9090}

session_config["authentication"] = {
    "ldap": {
        "url": "ldap://localhost:10389/",
        "base_dn": "dc=example,dc=com",
        "user_search_base": "ou=people",
        "group_search_base": "ou=roles",
        "role_mapping": {
            "ADMIN": ["ROLE_ADMIN"],
            "USER": ["ROLE_USER"],
            "EUROPE": ["ROLE_EU_FR", "ROLE_EU_DE", "ROLE_MARKET_EU"],
            "USA": ["ROLE_US_CA", "ROLE_MARKET_US"],
        },
    }
}

In [None]:
session = tt.create_session(name="Sales", config=session_config)

### Configure role based restrictions on data  

We can control the type of data that each user role can access. The below setup means that users with the given role can only access data within the restrictions listed below.

In [None]:
session.security.create_role(
    "ROLE_EU_FR",
    restrictions={
        "HOSPITAL_ID": [
            "FR_HOSP_1",
            "FR_HOSP_2",
            "FR_HOSP_3",
            "FR_HOSP_4",
            "FR_HOSP_5",
            "FR_HOSP_6",
            "FR_HOSP_7",
            "FR_HOSP_8",
            "FR_HOSP_9",
            "FR_HOSP_10",
        ]
    },
)

session.security.create_role(
    "ROLE_EU_DE",
    restrictions={
        "HOSPITAL_ID": [
            "DE_HOSP_1",
            "DE_HOSP_2",
            "DE_HOSP_3",
            "DE_HOSP_4",
            "DE_HOSP_5",
            "DE_HOSP_6",
            "DE_HOSP_7",
            "DE_HOSP_8",
            "DE_HOSP_9",
            "DE_HOSP_10",
        ]
    },
)

session.security.create_role(
    "ROLE_MARKET_EU", restrictions={"COUNTRY": ["FRANCE", "GERMANY"]}
)

session.security.create_role("ROLE_MARKET_US", restrictions={"COUNTRY": ["USA"]})

The rest of the cube implementation is the same as shown in [02_main_mssql_realtime.ipynb](02_main_mssql_realtime.ipynb).