Alteryx Server Discussions

SOLVED

Text Box input not encrypted for passwords in MongoDB AS_Queue WizardValues

CMichaelBNSF
7 - Meteor

I have an Analytical App that uses an Input Data tool to run a database query.  The Input Data tool uses a connection string which includes credentials.  I want my end user to run the App on our Gallery, but I want them to enter their credentials which will then pass to the Input Data tool and be used to run the query.

 

I successfully built a sample App that collects the credentials using 2 Text Box tools (one for ID, one for password.)  In the Text Box tool I'm using for the password, I have selected the check box for "Mask Text (for Passwords)".  This works great!  I can publish this to our Gallery and run it, entering credentials when prompted.  So far so good.

 

HOWEVER, then I went digging in the MongoDB.  In the AlteryxService database, collection AS_Queue, if I use the ServiceDataParse macro to unpack the ServiceData field...  the password entered through the Text Box tool is stored in plain text in the WizardValues field.

 

THIS IS A PROBLEM.  Please tell me I'm missing something!  How can I pass credentials to an Input Tool and keep that password from being stored anywhere unencrypted??  Self-service analytics was one of our major selling points for getting Server, but I can't in good faith recommend my Designers publish workflows with their credentials included for others to run on demand if I have no way to validate those users' credentials against the data sources.

 

Appreciate your help!

11 REPLIES
MatthewO
Alteryx

@CMichaelBNSF I recommend exploring the Data Connection Manager (DCM) for this use case. DCM was released with 2021.4 and allows users to store their credentials in a secure password vault and synchronize the vault to Alteryx Server. The app could then leverage a DCM Connection Interface tool allowing the user to select the credential from their vault, without entering their username or password. A simple example of what this could look like is shown below.

 

[Image: image.png]

 

 

CMichaelBNSF
7 - Meteor

Does this work for true end users (no Designer license, no Artisan privileges in Gallery)?  And are there any restrictions on which tools the DCM Connection Interface tool can feed?

 

Thanks!

MatthewO
Alteryx

Data Connections can be defined in the Server UI, so it is not necessary to have a Designer license. DCM functionality is enabled and configured in the Server System Settings. Additionally, data connections can be shared with users or groups. Here is a list of supported Connectors and Tools. 

CMichaelBNSF
7 - Meteor

Our Server is 2021.4, and I don't see the DCM Connection tool available until 2022.1.  Is there a way to pass DCM credentials in an App for 2021.4?

CMichaelBNSF
7 - Meteor

Additional clarification:  I do not want my users to have to set up an entire DCM data source (the ODBC connection string).  I just want them to be able to enter their user name and password in some way (DCM or other) and have those credentials securely injected into the Input Data tool ODBC connection string.

MatthewO
Alteryx

The DCM Connection Interface Tool was released in 2022.1. You will not have access to the tool in 2021.4, although the DCM does exist in 2021.4. The user will need to configure the DCM Data Source, but they can paste in a DSN set up on the Server machine, rather than populating the full ODBC string. I encourage testing this in a Sandbox environment to verify it meets your requirements.

CMichaelBNSF
7 - Meteor

Thanks for confirming.  I'm far from thrilled with this answer, unfortunately, as it adds extra support requirements for all of our potential end users.

 

Is there anything on the Alteryx roadmap for enabling standalone DCM Credentials for use in apps/tools?

 

Again, appreciate your time in explaining.

MatthewO
Alteryx

Someone with access to the Server machine would need to configure the DSN initially, but the end users could set up the connection themselves referencing the DSN created. From that perspective, the goal is to take the burden of doing this off of a Server admin. I understand that may generate questions depending on the user's proficiency with the Server or connectivity. I encourage you to submit your suggestions to our Server Ideas forum.