Alteryx Server Discussions

SOLVED

Data Security

cookl
8 - Asteroid

Hi,

 

We are using Alteryx Designer 10.6 along with Alteryx Server and need a way to restrict the data a server user can see based on security level.

For example, we have an App based on sickness absence across the whole organisation, but need to restrict a user's access so they can only see the sickness absence for their own area. Is there any way we can leverage the Active Directory to filter the data so that a user can't see any data outside of their own department?

 

Many thanks,

Lucy

9 REPLIES
MarqueeCrew
20 - Arcturus

@cookl,

 

I was thinking about your question and immediately wondered if your server is set up with a service account or run-as the user (https://help.alteryx.com/server/current/admin/index.htm#Configuration/RunasPermissions.htm%3FTocPath...).  If running as a service account, there is no chance to limit based upon the userID itself.  That being said, my next question is how many departments do you have?  If you were to create an application per department and put them into studios which govern their access, then the application could include the department as part of a join/filter and prevent access.  This isn't quite as elegant as you are asking, but it could be an interim solution.

 

There are Windows environment variables that you can query when you run an application (https://ss64.com/nt/syntax-variables.html).  Unfortunately, these functions are not supported in applications stored in the gallery.

 

GetEnvironmentVariable(Name)

Returns the environment variable specified in Name. To get a list of environment variables, go to Control Panel > System > Advanced System Settings > Environment Variables. A list of system variables appears. Any value from this can be used.

The GetEnvironmentVariable is not supported in apps saved to the Gallery.

Alteryx ACE & Top Community Contributor

Chaos reigns within. Repent, reflect and restart. Order shall return.
Please Subscribe to my YouTube channel.
cookl
8 - Asteroid

Hi Mark,

 

Thank you for your response. In answer to your questions…

 

The server is set up to use a service account, but we would consider changing to run-as the user if it meant security could be implemented that way.

 

We have around 30 different business areas that would need to be segmented, which would mean a large overhead to create individual studios and apps for each one, especially when we have multiple apps/workflows and the departments themselves move around and change fairly regularly.

 

I can't seem to get the GetEnvironmentVariable function to work, but if the functionality is not supported on server we wouldn't be able to use it for this anyway, although it is good to know so I will keep persevering!

 

Lucy

 

MarqueeCrew
20 - Arcturus

Lucy,

 

This might help.  If you use a "NET USE" command, it can take the user name (entered field) and password (entered & masked field) to validate the ID/Password combination (use error codes to determine if they authenticated).

 

If they authenticate and you can lookup the department from a table, now you know that the ID is valid and where it belongs.

 

There may be a more straightforward approach, but this is more promising than having to set up 30 studios.

 

Cheers,

Mark

cookl
8 - Asteroid

Ah okay, this sounds like it could be a solution!

Unfortunately I have just tried it, and got the message "The command prompt has been disabled by your administrator", so I will need to take it up with IT, wish me luck!

 

Cheers

Lucy

adm510
11 - Bolide

To get around the running with a service account issue, I have a workflow that verifies which user is running it.  I then use an intermediary table, which is where I can assign data permissions to users/depts/active directory groups/etc...  There are a few examples on the forum on how to grab the username, search for this phrase "__cloud:UserId" without the quotes.  If you need help, I can also upload my copy of the workflow.
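
The intermediary-table approach described in the post above, sketched in Python as an added example (it is not the workflow shared in this thread and not Alteryx code). It assumes the user id and directory group membership have already been obtained server-side, never from a field the user fills in; the table layout, all names and the `*` marker are hypothetical.

```python
"""Row-level filtering through an intermediary permission table (added example)."""
from dataclasses import dataclass

ALL = "*"  # hypothetical marker: the grant covers every department


@dataclass(frozen=True)
class Grant:
    kind: str        # "user" or "group"
    principal: str   # account name or directory group name
    department: str  # department value, or ALL


# Constructed sample permission table; every name here is made up.
GRANTS = [
    Grant("user", "CORP\\lsmith", "Finance"),
    Grant("group", "HR-Managers", ALL),
    Grant("group", "Ops-Leads", "Operations"),
    Grant("group", "Ops-Leads", "Logistics"),
]

# Constructed sample rows standing in for the sickness-absence data.
ROWS = [
    {"employee": "E001", "department": "Finance", "days_absent": 3},
    {"employee": "E002", "department": "Operations", "days_absent": 1},
    {"employee": "E003", "department": "Logistics", "days_absent": 5},
    {"employee": "E004", "department": "Finance", "days_absent": 2},
    {"employee": "E005", "department": "Legal", "days_absent": 4},
]


def allowed_departments(user_id, groups, grants=GRANTS):
    """Return the departments granted to this user directly or via a group."""
    user = user_id.strip().casefold()
    if not user:
        return set()  # no verified identity: nothing is granted
    member_of = {g.strip().casefold() for g in groups}
    return {
        g.department.casefold()
        for g in grants
        if (g.kind == "user" and g.principal.casefold() == user)
        or (g.kind == "group" and g.principal.casefold() in member_of)
    }


def filter_rows(rows, user_id, groups, grants=GRANTS):
    """Deny by default: a user with no matching grant gets no rows at all."""
    allowed = allowed_departments(user_id, groups, grants)
    if ALL in allowed:
        return list(rows)
    return [r for r in rows if r["department"].casefold() in allowed]
```

Because departments are resolved from the table at run time, moving a user or renaming a business area is a table update rather than a change to each app.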

cookl
8 - Asteroid

@adm510 If you could upload your workflow that would be great!

adm510
11 - Bolide

This file was given to me by Keith Johnson (Alteryx Employee).  I've never had any success running it locally, but once it's published to the server, it runs just fine.

 

Once you get the app, open it, navigate into the macro.  From here you need to edit the MongoDB config to match your instance.  If you're using the built-in mongo, you can get your username/password in the System Settings (under Controller --> Persistence). Make sure to change the server name and the password (do not use admin password).  There are also additional fields in the User table (in the macro), that you can enable if you need access to them. 

cookl
8 - Asteroid

This is great, thanks!

KPost
7 - Meteor

Is there any role-based security for Alteryx Designer?