This site uses different types of cookies, including analytics and functional cookies (its own and from other sites). To change your cookie settings or find out more, click here. If you continue browsing our website, you accept these cookies.
I have an Analytical App that uses an Input Data tool to run a database query. The Input Data tool uses a connection string which includes credentials. I want my end user to run the App on our Gallery, but I want them to enter their credentials which will then pass to the Input Data tool and be used to run the query.
I successfully built a sample App that collects the credentials using 2 Text Box tools (one for ID, one for password.) In the Text Box tool I'm using for the password, I have selected the check box for "Mask Text (for Passwords)". This works great! I can publish this to our Gallery and run it, entering credentials when prompted. So far so good.
HOWEVER, then I went digging in the MongoDB. In the AlteryxService database, collection AS_Queue, if I use the ServiceDataParse macro to unpack the ServiceData field... the password entered through the Text Box tool is stored in plain text in the WizardValues field.
THIS IS A PROBLEM. Please tell me I'm missing something! How can I pass credentials to an Input Tool and keep that password from being stored anywhere unencrypted?? Self-service analytics was one of our major selling points for getting Server, but I can't in good faith recommend my Designers publish workflows with their credentials included for others to run on demand if I have no way to validate those users' credentials against the data sources.
@CMichaelBNSF I recommend exploring the Data Connection Manager (DCM) for this use case. DCM was released with 2021.4 and allows users to store their credentials in a secure password vault and synchronize the vault to Alteryx Server. The app could then leverage a DCM Connection Interface tool allowing the user to select the credential from their vault, without entering their username or password. A simple example of what this could look like is shown below.
Data Connections can be defined in the Server UI, so it is not necessary to have a Designer license. DCM functionality is enabled and configured in the Server System Settings. Additionally, data connections can be shared with users or groups. Here is a list of supported Connectors and Tools.
Additional clarification: I do not want my users to have to set up an entire DCM data source (the ODBC connection string). I just want them to be able to enter their user name and password in some way (DCM or other) and have those credentials securely injected into the Input Data tool ODBC connection string.
The DCM Connection Interface Tool was released in 2022.1. You will not have access to the tool in 2021.4, although the DCM does exist in 2021.4. The user will need to configure the DCM Data Source but they can paste in a DSN set up on the Server machine, rather that populating the full ODBC string. I encourage testing this in a Sandbox environment to verify it meets your requirements.
Someone with access to the Server machine would need to configure the DSN initially, but the end users could set up the connection themselves referencing the DSN created. From that perspective, the goal is to take the burden of doing this off of a Server admin. I understand that may generate questions depending on the user's proficiency with the Server or connectivity. I encourage you to submit your suggestions to our Server Ideas forum.