Business Requirement

Sunbird generates a number of provides the capability to generate various datasets for reporting purposes. Some of these are can be downloaded by users via the UI (the Course progress exhaust, for example), whereas others are used by the Sunbird portal to generate reports and charts, which can then be viewed by users.

There is a need stated requirement for making all such datasets that are generated by SB to be made accessible via APIs. This will permit for these datasets to be pulled via APIs by the adopters, for usage in whatever additional manner they see fit - and enable them to create custom reports/ visualisations visualizations of their own.

Dataset generation Currently, following are the list of Datasets supported within SB currently happens for:

  1. Custom reports such as the course progress exhaust or the user PII data - these are generated by data products that run on a daily/ on-demand basis

  2. Portal based reports and charts - these are datasets generated from Druid, and power the charts shown on the ‘admin dashboard’ of the portal. These are generated based on the frequency of the reports as configuredDruid based Datasets/Reports (created via HE/APIs)

  3. Custom datasets created as data products and configured manually

    1. Ex: VDN reports, WFS, Collection Summary dataset

  4. On-Demand Datasets

  1. Sunbird Obsrv’s Data Service allows creation of reusable custom datasets and an ability to submit requests for generation of such reports. The datasets that are currently configured are course progress exhausts, the user information exhausts and the assessment response exhaust reports. These reports are are run on preset frequency or on-demand basis.

  2. Sunbird Obsrv’s Report Service allows creation of datasets that can be published as reports and charts that can be viewed from Sunbird Portal’s Admin Dashboard web UI. These reports are generated based on the frequency configured while publishing the report.

  3. Other custom data files such as Consent files and master data files (geo data, for example).

Image Added

Image Added

Dataset download considerations:

Sunbird should enable provide an adopter ability to provision for data security - and allow access to datasets based on the nature of the data they contain. Consequently, a dataset that is not considered sensitive may be made available for public access, whereas any sensitive data may require to be protected.

In order to enable different types of access, SB will support configurations that can make the datasets ‘PUBLIC’ or ‘PRIVATE’ - as the adopter may choose - this ‘PROTECTED’. The type of access will determine whether a dataset can be accessed publicly using the API without any additional authorisationauthorization, or whether it needs additional approval from admins for access.

Problem Statement

As part of opening of DIKSHA Infrastructure to wider ecosystem, there is a need to provide access to open anonymized data to third party ecosystem players to develop custom solutions on top of DIKSHAto validate the user before providing access.


Current Implementation

  • Currently, Sunbird Observation Obsrv supports Reports Service API to list and access all published reports. However, only metadata of a report is accessible through this the Report Service API. There are associated The data files that contain the detailed data of a given report. These are currently not accessible through API.There is an internal endpoint at the portal backend layer which downloads the respective datasets from the azure reports container. This endpoint is accessible only by the logged in person(session based) having roles (REPORT_and associated data are not currently accessible through the Report Service API.

  • The Sunbird portal allows access to the configured datasets using the Sunbird portal backend APIs. However, the APIs make use of the authorization through the Sunbird portal’s session logins with the access controls that are controlled by different roles in the Sunbird portal such as REPORT_ADMIN, REPORT_VIEWER , and ORG_ADMIN).

  • Moreover, there is Data isolation is supported by performing a slug or org based validation so that they do not access other tenant’s data.

  • For parameterized reports, respective endpoints are injected based on the logged in user’s context.

  • As part of current implementation datasets cannot be accessed by non logged in person or any third party.

  • Supported parameters the access to a specific tenant’s data is controlled using the user’s login context.

  • The Sunbird user’s login context is used for parameterized reports where the parameters are injected from the user’s login context. The list of supported parameters are:

    • $slug

    • $channel

    • $state

    • $board

Current Report Config Structure


Below diagram explains the high level working flow on how the reports are rendered on the Portal Admin Dashboard.


  • Roles which are supported in Admin Dashboard workflow

    • Report_Admin

    • Report_Viewer

    • Super_Admin - INSTANCE_ADMIN





List Page

Image Added

  • Can see all Reports.

  • If report is parameterized, can see all the resolved parameterized versions of that report.

  • Can see all live, retired and draft reports

  • Can see reports + parameterized reports from only the resolved parameter value.

  • For Example - if Report is parameterized by state. Then REPORT_ADMIN belonging to Rajasthan can see only the Rajasthan report version, not others.

  • Can see all live, retired and draft reports.

  • Can see datasets tab.

  • Can see only live reports .

Report Detail Page

Image Added

  • Can Publish, Retire, Add Report/Chart Summaries for all the reports + their parameterized versions.

  • Switch b/w other parameter versions.

  • Can publish, Retire, Add Report/Chart Summaries for that report.

  • Can view only live reports

  • Cannot perform any other action.


Current Report Config

Code Block
reportid varchar(40) NOT NULL PRIMARY KEY,
title text NOT NULL,
description text NOT NULL,
authorizedroles jsonb NOT NULL,
templateurl text,
slugstatus varchar(108) NOT NULL,
reportgenerateddate timestamptz NOT NULL DEFAULT now(),
reportduration jsonb CHECK (status IN ('live', 'draft', 'retired')) DEFAULT 'draft',
type varchar(8) NOT NULL DEFAULT jsonb_build_object('startDate', now()::timestamptz, 'endDate', now()::timestamptz),
tags jsonb CHECK (type in ('public', 'private')) DEFAULT 'private',
reportaccessurl text NOT NULL UNIQUE,
createdon timestamptz NOT NULL DEFAULT now(),
updatedon timestamptz NOT NULL DEFAULT now(),
createdby varchar(50) NOT NULL,
updatefrequencyreportconfig textjsonb NOT NULL
templateurl text,
slug varchar(810) NOT NULL,
DEFAULT 'report'

New Column Additions

  • visibility

    • type - varchar(10)

    • enum - [public, private, protected, parent]

    • Details - Link

  • accessPath

    • type - jsonb

    • Details - Link

Current Api Structure


This API is associated with viewing and reading out the specific report on the Sunbird Platform. It returns only the metadata information for the report.





reportgenerateddate timestamptz NOT NULL DEFAULT now(),
reportduration jsonb NOT NULL DEFAULT jsonb_build_object('startDate', now()::timestamptz, 'endDate', now()::timestamptz),
tags jsonb NOT NULL,
updatefrequency text NOT NULL
reportType varchar(8) NOT NULL DEFAULT 'report'

New Column Additions

  • visibility

    • type - varchar(10)

    • enum - [public, private, protected]

    • Details - Link

  • accessPath

    • type - jsonb

    • Details - Link

  • visibilityFlags

    • type- jsonb

    • Description - Whether to show/hide the report on specific pages.


Access Control Spec

  • Controls who can access a report based on certain rules.

  • This can be achieved using two attributes visibility and accessPath.


It can be defined both at the report level or it's children (i.e table, chart, map etc ) within a report.



public (default)

Accessible by all users. Anyone can discover and consume these Reports.


Accessible only to a limited set of users based on a criteria defined by the access path attribute.

Default can be user with REPORT_VIEWER role belonging to the same channel or tenant.


Similar to “protected” - accessible only by the creator of the report.


This attribute is applicable for Reports with “protected” or “private” visibility only. This attribute can be used to restrict the access based on or more of the following criteria: organisation, role, group, user id, and location.

AccessPath interface is as follows :-
**Note - All keys are optional. Also very fine grained accessPath may not be required in this case. Replicating the actual schema defined for ActionSets as is and to be re-used for datasets as well.

Code Block
interface IAccessPath {
  organisation: Array<string> | string;
  role: Array<string> | string;
  channel: Array<string> | string;
  group: Array<string> | string;
  userType: Array<string> | string;
  framework: Array<string> | string;
  isSuperAdmin: Array<string> | string;
  board: Array<string> | string;
  userId: Array<string> | string;
  userLocation: {
    state: Array<string> | string;
    district: Array<string> | string;
    block: Array<string> | string;
  ...anyOtherAttribute: any


Current API Structure

titleGET- /report/get/:reportId

This API is associated with viewing and reading out the specific report on the Sunbird Platform. It returns only the metadata information for the report.


Code Block
  "id": "string",
  "labelver": "string",
  "tableparams": [
    "resmsgid": "string",
        "namemsgid": "string",
    "status": "success",
        "valuesExprerr": "string",
    "columnsExprerrmsg": "string"
  "responseCode": "OK",
  "result": {
 }   "reports": [
          "titlereportid": "string",
          "chartstitle": ["string",
        "description":    {
              "colors": ["string",
        "authorizedroles": [
         { "string"
        "borderColorstatus": "string",
        "type": "string",
        "backgroundColorreportaccessurl": "string",
        "createdon": "string",
      }  "updatedon": "string",
   "createdby": "string",
          "optionsreportconfig": {
                "title"id": {
           "textlabel": "string",
          "table": [
       "display": true,    {
              "fontSizename": 16"string",
 "valuesExpr": "string",
              "legendcolumnsExpr": {
              "displayconfig": {}
false            }
    },      ],
          "scalestitle": {
                "xAxes"charts": [
  {            "colors": [
         "scaleLabel": {      {
                  "displayborderColor": true,
                  "labelStringbackgroundColor": "string"
       }       ],
             } "options": {
                ],"title": {
                  "yAxestext": ["string",
                  "display": true,
{                  "fontSize": 16
   "scaleLabel": {            },
            "display": true,     "legend": {
                  "labelStringdisplay": false
"string"                },
       }         "scales": {
          }        "xAxes": [
         ]           {
     },                 "tooltipsscaleLabel": {
                        "modedisplay": "string",true,
                        "intersectlabelString": false,"string"
 "bodySpacing": 5,                  }
"titleSpacing": 5                 }],
                  "responsiveyAxes": [
  true               },   {
           "datasets": [          "scaleLabel": {
     {                   "labeldisplay": "string",true,
                        "dataExprlabelString": "string"
                }      }
        ],            }
  "chartType": "string",               "labelsExpr": "string",]
               "dataSource": { },
                "idstooltips": [{
    mode": "string",
           ],       "intersect": false,
        "commonDimension": "string"         "bodySpacing": 5,
    }             } "titleSpacing": 5
        ],        },
  "dataSource": [             {"responsive": true
             "id": "parameterizedPath" },
              "pathdatasets": "/reports/$state/abc.json"[
            },    {
        {             "idlabel": "nonParameterizedPathstring",
                  "pathdataExpr": "/reports/tn/abc.jsonstring"
            }    }
      ],        ],
  "description": "string",           "downloadUrlchartType": "string"
       },         "sluglabelsExpr": "string",
    "reportgenerateddate": "string",         "reportdurationdataSource": {
          "enddate": "string",     "ids": [
    "startdate": "string"         },    "parameterizedPath"
    "tags": [           "string"],
        ],         "updatefrequencycommonDimension": "string",
  "parameters": [         }
 "string"         ],
          "report_typedataSource": "string" [
    ],     "count": 1   }

Datasource Schema :-

id -: job_id

path -: endpoint to the portal-backend layer which download the dataset file - the path can be both parameterized and non parameterized . Portal backend populates the parameters using logged in user context details and downloads the respective file.

Proposed Solution

API to get Metadata + Data Files

There is a need to create API in report service that will provide access to the meta data as well as the report data files that are used to generate the reports in the 'Admin dashboards' page on the Sunbird portal with certain access controls.

Proposed API Structure to get the metadata + datasets.


URL: /report/datasets/get/:reportId


 "id": "parameterizedPath",
              "path": "/reports/$state/abc.json"
            "id": "nonParameterizedPath",
            "path": "/reports/tn/abc.json"
          "description": "string",
          "downloadUrl": "string"


slug": "string",


reportgenerateddate": "string",






enddate": "string",


startdate": "string"




























Datasource Schema

Code Block
interface IDatasource {
  id: string



id: Job id for the dataset

path: Endpoint for downloading the dataset file(s) - the path can be both parameterized and non parameterized . Portal backend populates the parameters using logged in user context details and downloads the respective file.


Proposed Solution

API to get materialized data Files

There is a need to create API in report service that will provide access to the meta data as well as the report data files that are used to generate the reports in the 'Admin dashboards' page on the Sunbird portal with certain access controls.

Proposed API Structure to get the metadata + datasets.


URL: /report/datasets/get/:reportId?from=<>&to=<>&since=<>

Proposed response structure - to get meta + datasets.

Success Scenario - Status Code 200

Code Block
    "id": "",
    "ver": "string",
    "ts": "timestamp",
    "params": {
      "resmsgid": "string",
      "tnmsgid": {"string",
      "status": "success",
         "err": "string",
      "signedUrlerrmsg": "urlstring"
    "responseCode": "OK",
    "result":  {
  },      "metadata": {... similar to above API},
         "...otherParametersdatasets": { [
                "signedUrldataset_id": "urldataset_id_1"
                "isParameterized": true,
   }             "parameters": ["$state"],
   }             },
"data": {
           "dataset_id_2": {        "rj": {
       "isParameterized": false,                "signedUrl": "parametersurl":
  null,                 "data": { },
                    "defaulttn": {
                        "signedUrl": "url"
                  }  "...otherParameters": {
 "signedUrl": "url"
      }     }

Explaination -

  • If the report dataset file path is parameterized then

    • isParameterized - true

    • parameters - paramater attribute

    • data object will contain all resolved parameter values along with the signed Url to download the file

  • Else

    • data object will have default key with the signed Url to download the file

Unauthorized Access - Status Code 401
Code Block
{         }
"id": "",     "ver": "v1",     "ts": "timestamp",   }
 "params": {         "resmsgid": null},
        "msgid": "string",   {
     "err": "UNAUTHORIZED_USER",           "statusdataset_id": "UNAUTHORIZEDdataset_id_USER2",
        "errmsg": "You are not authorized."    "isParameterized": }false,
     "responseCode": "UNAUTHORIZED",     "result": {} }
Internal Server Error - Status Code - 500
Code Block
{   "idparameters": "",null,
     "ver": "v1",     "ts": "timestamp",      "paramsdata": {
  "resmsgid": null,     "msgid": "string",     "err": "string",     "statusdefault": "SERVER_ERROR",{
    "errmsg": "string"   },   "responseCode": "SERVER_ERROR",   "result": {}
Invalid Report Id - Status Code 404
Code Block
{        "idsignedUrl": "",url"
              "ver": "1.0.0",   "params": { }
   "resmsgid": "string",     "msgid": null,     "status": "failed", }
    "err": null,     "errmsg": "no report found"  }
     },   "responseCode": "string",]
   "result": {}

Access Control Spec

  • Controls who can access a report based on certain rules.

  • This can be achieved using two attributes visibility and accessPath.


It can be defined both at the report level or it's children (i.e table, chart, map etc ) within a report.






public (default)


Accessible by all users. Anyone can discover and consume these Reports.




Accessible only to a limited set of users based on a criteria.

Default can be users belonging to the same organisation or tenant etc.




Similar to “protected” - accessible only to a limited set of users defined by the “access path” attribute.




Accessible only from within the parent object, i.e access to the users is based on the visibility of the parent object.

Can be defined at chart, table or map defined within a parent report.



Code Block
interface IAccessPath {
  organisation: Array<string> | string;
  role: Array<string> | string;
  tenant: Array<string> | string;
  channel: Array<string> | string;
  group: Array<string> | string;
  userType: Array<string> | string;
  framework: Array<string> | string;
  isSuperAdmin: Array<string> | string;
  board: Array<string> | string;
  userId: Array<string> | string;
  userLocation: {
    state: Array<string> | string;
    district: Array<string> | string;
    block: Array<string> | string;
  ...anyOtherAttribute: any



Explanation -

  • If the report dataset file path is parameterized then

    • isParameterized - true

    • parameters - parameter attribute

    • data object will contain all resolved parameter values along with the signed url to download the file

  • Else

    • data object will have default key with the signed url to download the file.

Error Response

Unauthorized Access - Status Code 401

Code Block
    "id": "",
    "ver": "v1",
    "ts": "timestamp",
    "params": {
        "resmsgid": null,
        "msgid": "string",
        "err": "UNAUTHORIZED_USER",
        "status": "UNAUTHORIZED_USER",
        "errmsg": "You are not authorized."
    "responseCode": "UNAUTHORIZED",
    "result": {}

Internal Server Error - Status Code - 500

Code Block
  "id": "",
  "ver": "v1",
  "ts": "timestamp",
  "params": {
    "resmsgid": null,
    "msgid": "string",
    "err": "string",
    "status": "SERVER_ERROR",
    "errmsg": "string"
  "responseCode": "SERVER_ERROR",
  "result": {}

Invalid Report Id - Status Code 404

Code Block
  "id": "",
  "ver": "1.0.0",
  "params": {
    "resmsgid": "string",
    "msgid": null,
    "status": "failed",
    "err": null,
    "errmsg": "no report found"
  "responseCode": "string",
  "result": {}


Search Report API

This API is associated with Searching Reports on the Sunbird Platform.


Example of Request payload with visibility and accessPath

Code Block
    "request": {
        "filters": {
            "visibility": "privateprotected",
            "accessPath": {
                "organisation": [
                "tenant": "tn",
                "role": [

Success Response - Status Code 200

Code Block
  "id": "",
  "ver": "1.0.0",
  "params": {
    "resmsgid": "string",
    "msgid": "string",
    "status": "string",
    "err": "string",
    "errmsg": "string"
  "responseCode": "string",
  "result": {
    "reports": [
    "count": 1

Error Response - Status code 500

Code Block
  "id": "",
  "ver": "v1",
  "ts": "timestamp",
  "params": {
    "resmsgid": null,
    "msgid": "string",
    "err": "string",
    "status": "SERVER_ERROR",
    "errmsg": "string"
  "responseCode": "SERVER_ERROR",
  "result": {}
