Analytics Hub offers extensive security features including network level encryption, multiple authentication options, and a robust authorization system used to customize permissions and sharing. These topics are covered in more detail in the sections below.

Authentication

Analytics Hub requires a user to authenticate before accessing the environment. Three possible authentication options exist (Local, LDAP, and SSO), and all three can be enabled simultaneously for maximum flexibility.
 

Figure 1: Users can sign in with an email and password, or link to a Single Sign-On provider such as Okta.

Local

Local authentication allows Analytics Hub Platform and Site Administrators to create users by specifying a unique email address. Administrators can send the user an email to complete their sign up by creating a new password. Local authentication is the quickest to implement as there are no requirements on other systems.
 

LDAP

LDAP authentication allows Analytics Hub Platform Administrators to import Analytics Hub users from an LDAP Server for user authentication. Supported Directories are Active Directory and Open LDAP. Administrators need to specify a few parameters to connect to the LDAP such as the LDAP host, port, bind account, base DN, and user/group filters. Analytics Hub provides default filter and attribute values to quickly connect to the most common LDAP implementations. Alternatively, Administrators can fine-tune these values to increase performance against their specific configuration. For maximum security, LDAP over SSL (LDAPS) is supported and encouraged for encryption in transit of user credentials.

Administrators can also customize the synchronization interval (default 24 hours) which specifies the frequency that Analytics Hub checks the LDAP for any users to add or remove. This takes the burden off Analytics Hub administrators to control which users to add to the environment, as any new users added to the LDAP that match the LDAP search criteria will be imported to the platform as a user that Site Administrators can add to their Sites.  Additionally, any users removed from the LDAP will be deactivated in Analytics Hub and their license will be reallocated to the License pool for another user.
 

Single Sign-On (SSO)

Single Sign-On authentication allows a user to authenticate to an Identity Provider instead of to Analytics Hub or an LDAP. This allows other applications integrated with the same Identity Provider to provide a Single Sign-On experience to the end user, thus only having to enter their credentials one time. Examples of validated Identity Providers include Okta and PingOne. For many enterprises using single sign-on across data sources, reporting systems, and internal company applications, this provides a streamlined user experience. Currently, single sign-on can only be used for authentication through a web browser.  It is not yet available for Alteryx Designer connections.

Authorization

After authenticating to Analytics Hub, authorization rules and permissions define what a user has access to. Analytics Hub provides enhanced security by performing three authorization checks:
 

1. The user must be a member of one or more Sites.
2. The user must have a role on the Site(s). (either a user role or a group role)
3. The user must be licensed.

Users must be a member of at least one Site to gain access to Analytics Hub. If they are a member of one Site, they are automatically directed to that Site after login. If they are a member of multiple Sites, they are prompted to choose the Site after login:

Figure 2: Users who are members of multiple Sites are prompted to select a site after login.

The User must also have a valid role on the Site. User roles include Consumer, Contributor, and Data Steward. They have increasing levels of access as defined below:

Figure 3: User Roles

At a very high level, the user roles are as follows:

·       The Contributor role is intended for the Alteryx Designer user who is building workflows, reading and writing data, and sharing Alteryx Workflows and Analytic Apps with others.

·       The Consumer role is intended for the end users who are consuming the workflows that the Contributors are building.

·        The Data Steward is for the data source power user who is responsible for managing data source access.

·       The Site Administrator role is also an assignable role on the Site, specifically for users designated to manage the Site. The Site Administrator has unrestricted access to the Site.

A user may have different roles across different Sites to provide maximum flexibility. So, a user could be a Consumer on the Marketing Site and a Data Steward on the Finance Site.

Finally, a user must be licensed to gain access. Users are licensed at the Platform level, meaning that a User who is a member of multiple Sites only consumes one license.

Groups

Administration of users in large environments can be tedious and difficult. Analytics Hub offers custom Groups to provide more efficient management and control. Groups can be defined at two levels:
 

• Public Group – A public group can be seen and used by all Site Admins to add users to their Site. Only the group’s creator can change membership of the group.
• Private Group – A private group can only be seen and used on the Site that created it.

Groups provide many efficiencies for Administrators. Using groups, a Site Administrator can:
 

• Add a group to a Site, giving all members of the group access to a Site..
• Assign a default role for all members of the group.
• Share Workspaces, Folders, and individual Files with a group.

Permissions

In addition to Roles, more detailed Permissions are available on the Files and Folders within Virtual File System. These permissions can be customized based on the user’s role to provide maximum flexibility and control. Available permissions include the ability to View, Create, Delete, Download, and Edit. For greater customization, a file can have a different set of permissions than the parent folder’s permissions.

Figure 4: Permissions provide fine grained access controls.

Also, a user’s permissions are the superset of any group roles and permissions, and their personal role and permissions. Therefore, Site Administrators can assign a less permissive group role (ex. Consumer) and provide specific individuals within that group with a more permissive user role (ex. Contributor). This configures the environment as efficiently as possible while keeping the environment secure by only providing functional access to those that need it.

Encryption

Analytics Hub protects data in transit with the use of HTTPS for all communication to the Frontend, Backend, and Workers. The administrator may choose between a self-signed certificate generated by the Analytics Hub installer or use trusted CA-issued certificates. A CA-issued certificate is encouraged for production environments. Any remote Worker nodes in a scaled-out environment need the certificate configured as well for successful and secure communication to the primary Analytics Hub machine.

Figure 5: Communication between Analytics Hub components is encrypted with HTTPS.

Auditing

Many organizations require an auditable log of all actions in a system for regulatory and security reasons. Analytics Hub meets these needs with a detailed audit log. Audited events include:
 

• User: Add, Delete, Login
• Files: Create Asset, Modify Asset, Delete Asset
• Job: Start, Complete
• Role: Grant, Remove
• Schedule: Create, Complete

To maximize security of this information, the log is only accessible from the file system at <INSTALL_HOME>\Backend\analytics-hub-audit.log. Additionally, usernames are intentionally left out of the log. Instead, actions are logged with the unique user ID that performed the action. A lookup table of the user ID and usernames is maintained in the PostgreSQL database.

Conclusion

This article has provided an overview of the security features of Alteryx Analytics Hub. For more detailed information, be sure to read through the Analytics Hub Help . Additional resources can be found in the Alteryx Analytics Hub Knowledge Base.