Community Spring Cleaning week is here! Join your fellow Maveryx in digging through your old posts and marking comments on them as solved. Learn more here!

Alteryx Server Discussions

Find answers, ask questions, and share expertise about Alteryx Server.

AD Group for Gallery Admin

Csand
8 - Asteroid

Are you able to use AD Groups for Gallery Admin functionality rather than provisioning individual users? I've read the history and it sounds like this is implemented for collections (which i've tested successfully), but possibly not for Gallery-wide permissions.

10 REPLIES 10
naleti
6 - Meteoroid

We integrated OKTA with AD Groups, and when users in these AD Groups log into Gallery for the first time they will be provided default viewer access. Admin will individually assign roles for each user that is logged in via OKTA.

 

Even though AD Group information is sent in SAML assertion there is no way we could map the Groups to Roles in the Gallery. The Group option is just not available. Not even for Collections with SAML integration.

 

I am assuming this is only available when using Integrated Windows Authentication.

Csand
8 - Asteroid

Thank you, @naleti . I'm shocked that Alteryx can't handle group-based authorization for an enterprise server product.

OliverW
Alteryx Alumni (Retired)

Hi @Csand ,

 

did you check the newest Alteryx Server 2020.2 Version? 

 

There now is a possibility to assign Roles to Groups of Users, see here under the "Set a Group Role" paragraph:

https://help.alteryx.com/current/server/administer-users

 

Let me know, if this helps.

 

Best wishes

Olli

Csand
8 - Asteroid
Awesome. we are upgrading next month so will check it out!
--

---------------------------------
Chris J. Sanders
sanders.chrisj@gmail.com
MPohlers
8 - Asteroid

Hi @OliverW ,

 

can these groups be synced with AD groups or does this just work when importing the group?
Are all users that are part of the group bulk imported to Alteryx Server?

This answer suggests that this is not possible but it might be outdated:
https://community.alteryx.com/t5/Alteryx-Server/Sync-AD-users-with-AD-group-in-Gallery/idc-p/475145/...

 

revathi
8 - Asteroid

@OliverW  As mentioned in link you had shared, we were able to add an AD group and assign group role as well. Even though the group is added, users within that group do not have the permission granted through Admin -> users page. We experienced same issue in older version of Alteryx Server as well (2019.3). We would add an AD group to a collection -> users tab. Even though the group is added, users within that group never had access  to that collection. (Those users had curator access to gallery, yet permission through AD group to a collection didn't provide them access to that collection) 

 

I am certain that this issue/behavior is our env specific. What do you think could be blocking the permission through AD groups in our env ? Any ideas/suggestions ? (Note: all these users are in the same forest) 

adarsh2707
8 - Asteroid

This was useful. However I am curious, is it possible to set the following features (please refer to the image) for multiple users in one go rather than doing it individually for the users. Can someone please update me on this as we have over 500 users and it may be difficult to set it for each user

adarsh2707_0-1663850273148.png

 

patrick_digan
17 - Castor
17 - Castor

@adarsh2707 what version of gallery are you on? If it's 21.4+ and have some knowledge of APIs, then you can use the V3 endpoints . I imagine you'd do something like hit the v3/users endpoint to get a list of IDs, then for each ID that you want to update, you'd do a GET request against  /v3/users/{id}, make any updates that you need, and then a PUT request against /v3/users/{id} to update the record.

adarsh2707
8 - Asteroid

Unfortunately I am unaware of this V3 endpoints API. Will have a look.

While we are at it, Just another question @patrick_digan,

  1. Is there any direct way to update it for an AD group and in turn it gets affected for all users under that AD group.
  2. or would it be possible to add a Distribution list ( AD group email ID, with all users credentials grouped together) and ensure all users in that DL can be configured in one go

We need this to propose to our clients as they may not be comfortable with API