How to handle Individual User Privileges for Server?

Question

Assuming the server is setup in a way that the account/workstation has elevated privileges to be able to handle the different queries/access that teams require. Since the server account has elevated user priveleges, what's the method to prevent the following:

* Accessing a file location on a network drive location via server that they normally would not have access to in desktop designer
* Malicious/Careless SQL commands that when done locally on the users machine will not work, but through the elevate service account will
* Other cases where a user can access data they normally wouldn't be able to since server is using an elevated service account

I don't know the technical terminology for much of these issues, but it is a thought that has cross my mind for the possibility of implementing server at an enterprise level. Would we need separate service accounts based on user groups through server? I could see this requiring a lot of maintenance on a go-forward basis.

What I am imagining is Windows Integrated Authentication but on a user level within server.

ArnaldoSandoval · Accepted Answer

Hi @npariso

Very interesting questions you are asking, generally the Alteryx Server account has limit access to resources, my answers are based on my experience although I did not know if the Alteryx Service had elevated privileges.

* Accessing a file location on a network drive location via server that they normally would not have access to in desktop designer

We were not able to access network locations other than the ones granted to the service account, actually developers and service account shared similar access privileges; there were situations where the data was located at a folder out of reach, we handled this via making the data available via email (mostly Excel or CSV files).

* Malicious/Careless SQL commands that when done locally on the users machine will not work, but through the elevate service account will

Our connections to database resources was managed by the administrators, so we only have readonly access to databases.

* Other cases where a user can access data they normally wouldn't be able to since server is using an elevated service account

Very difficult because the access privileges to applications, databases, file systems was very well managed.

When we developed workflows for departments with strong access rules, usually these departments have their own developers, with access to their daily data, the workflow was published to the Gallery and its access controlled with collections, and login credentials, in Alteryx, at the time of publishing we can configure the workflow to request login credentials (login account and password) usually by member of the team with those restricted access permissions.

Perhaps you should read this article How Workflow Credentials Work on a Gallery

hth

Arnaldo

KPOLU · Accepted Answer

Hello,

Regarding first question, I'd recommend following based on my experience (You will have to enable Windows Integrated Authentication for this)

1. Whenever you onboard a team, ask them to setup a service account and share the credentials with you.

2. Setup credential in admin page.

3. Share the credential with the team by adding individual ids or AD group.

4. Enforce them to use this credential for running their jobs on server (Users can select credential while publishing the workflow into gallery)

To enable selecting credentials, you will have to go Admin page of the gallery and then Configuration page. Look for Workflow Credential setting and change it to "Allow User to Select".

The run as account requires permissions on the Worker nodes. Please refer below article - https://help.alteryx.com/20221/server/configure-required-run-user-permissions

I am not sure about other questions but hope this helps.