SOLVED

Execute Workflow via API

igallion
7 - Meteor

Hello,

I am looking for guidance on the best way to execute an Alteryx workflow via the API with a service account. I am using Alteryx 2021.4 with the V3 API.

My first thought is to create a service account and grant it API access; however, I will soon be implementing 2FA using our SAML provider, so that would present complications in how to complete the second auth factor and who would be able and allowed to do so.

This could be done using an individual user's API credentials; however, this would present a problem if/when that employee leaves the company and their Alteryx Gallery access is removed. If you have implemented anything similar I would greatly appreciate any suggestions. Thank you!

apathetichell
19 - Altair

Have you reviewed this - https://help.alteryx.com/current/en/server/api-overview/alteryx-server-api-v3/server-api-configurati... As an admin you can grant API access to a user. The user can then create a PAT. The PAT would then auth the API. That's my memory. Yes - you would need to have a service account robot user to use a service account.

igallion
7 - Meteor

Yes, I am familiar with the process of granting access and accessing the API. How have you handled access to the service account? In the case of SAML auth, have you used an account through your IDP, or is there a way to create a "local" account that may not be subject to the 2FA requirements of the IDP? For context, I am planning a migration from Active Directory auth to SAML auth, so I am not totally familiar with exactly how user accounts are handled in a SAML implementation.

The problem with a service account in our SAML implementation is that there are 2FA requirements for each account that logs in to the Alteryx Gallery, which creates an issue of who "owns" the 2FA for the service account to allow it to log in to the Gallery.

apathetichell
19 - Altair

I haven't set this up in a while so my information is mad out of date. I have seen with other systems (i.e. not Alteryx) that a user (usually an Admin) is tied into a service account for the duration of setting up the API (in this case it would be retrieving the PAT) and then disconnected. The service account user now exists with the PAT and is used orphaned from the 2FA for API connections. Yes - the alternative is to create a service account which is not tied into the 2FA. I would prefer if you could restrict IPs for these accounts - vs restricting IPs at a service level. I'd also love mandating JWT auth with RSA keys (Snowflake is heading in this direction). Not sure if I'll ever see that.

I also expect that your IT team has active directory/Entra/whatever they are calling it this week/etc non 2FA accounts that they might be willing to share/create. Typically there are accounts with SAML providers which are exceptions to SAML rules.

igallion
7 - Meteor

Got it, do you know if Alteryx allows creating "local" Gallery users when using SAML auth? In other words, if you log in to the Gallery admin > Users is there an option to create a user that is not attached to the IDP? I do not see this option in our current instance using Active Directory but wasn't sure if maybe that's different when using SAML.

apathetichell
19 - Altair

Sorry - I'm not 100% sure. Hopefully someone else knows. My expectation is you can.

igallion
7 - Meteor

Alteryx support did confirm the ability to create a local user in Alteryx Gallery via the admin page. This will likely be my approach when we implement SAML auth. Thanks for your assistance!