Using a Service Account with Alteryx Gallery

robertfishel
8 - Asteroid

Alteryx community, happy Friday :)

 


Here is the situation I find myself in.  I work in a department that has very sensitive (HIPAA) data.  As it stands, we have Windows server installed on a virtual machine, and we access the Alteryx server through this same vm.  I have noticed that when I package and then add a workflow to the gallery, when a user goes to run it, if there are any output or input tools they do not work.  I had a co-worker from another department with less sensitive data tell me that it was because I don't have a service account.  I don't believe that we are ever going to get data security to allow us to have a service account.  Alteryx community, has anyone out there found themselves in the same scenario?  Is a service account the only answer for this situation?  Thank you.

patrick_mcauliffe
14 - Magnetar

Hi  @robertfishel 

I work in healthcare and deal with PHI every day; went through a similar ordeal at my own organization.

The short answer is: no, a service account isn't the only solution.  I'd say that it's not even a solution, although it depends on where you are trying to send output or pull input from.

The issue more likely comes from the way security is structured at your organization.

First, it's very surprising to me that any organization concerned with HIPAA security would allow a group of individuals to all log directly into the server's VM.  Not saying it's right or wrong; just that I've never heard of it and it is most likely a significant security risk.

Here are some questions to narrow down what can be done:

1. Are you all logging into the VM under the same account or do each of you have your own credentials to access the VM?

2. Are you using Windows role based security?

3. Do you have Alteryx installed on any desktops?

4. Is the Alteryx server a standalone or cluster (do you have separate VMs for Gallery and Workers)?

 

 

robertfishel
8 - Asteroid

Patrick, thanks for your response.  I don't have the answers to each of your questions yet but when I do I will respond accordingly.

 

 

 

jmelik
8 - Asteroid

I don't believe you need a service account to accomplish your goal. If the server is not set up to run as a different worker (this is where you would define a service account or another user account), I believe it would run based on the credentials of the user trying to run the specific workflow. In this case, the user trying to run the workflow needs to have individual access to the data sources in the workflow. This way security is maintained based on whether the user running the report should truly have access to the data.

robertfishel
8 - Asteroid

Patrick, to answer your questions:

 

1. Are you all logging into the VM under the same account or do each of you have your own credentials to access the VM?

We are not using the same account for each user.  We sign onto the VM with our Windows PC name/password.

 

2. Are you using Windows role based security?

I "think" that we are using role based security.  For example, our manager is the admin on the Windows server behind the VM, while we are simply users with the ability to add workflows to the Windows server and upload (as admin in Alteryx Gallery) to the Gallery.  He is the only one that can turn off Alteryx Service.

 

3. Do you have Alteryx installed on any desktops?

We have Alteryx installed on our local machines as well as a copy on the VM.

 

4. Is the Alteryx server a standalone or cluster (do you have separate VMs for Gallery and Workers)?

I am not sure about this.  I think it is a standalone because it appears as though we only have 1 server.

patrick_mcauliffe
14 - Magnetar

@robertfishel that's an interesting setup.

If I'm following this correctly:

1. You have Alteryx Designer on your local machines.

2. You have a standalone VM Windows Server running a monolithic Alteryx Server, where your manager is the admin and your team are users.

3. You develop workflows on your local machine (do these get saved to a file share?).

4. You develop workflows under your own account while logged on to the Windows Server.

5. While logged on to the Windows Server you also develop workflows which you upload to the Gallery.

 

Given this information, the suggestion by @jmelik is correct (you just need a service account which has the same access level as users submitting work to the Gallery); although this would create the security gap you are trying to avoid.

Instead of that, I'd ask you to log on to the Gallery through the Admin page and go to the Workflow Credentials option on the left.  On this page, what setting do you have for "Credentials setting for workflows"?

 

robertfishel
8 - Asteroid

Hey Patrick,

To answer your statements:

1. You have Alteryx Designer on your local machines.  Yes

2. You have a standalone VM Windows Server running a monolithic Alteryx Server, where your manager is the admin and your team are users.  Yes, while there are three admin on the Alteryx Server

3. You develop workflows on your local machine (do these get saved to a file share?).  Yes, we save our workflows in certain folders on our network

4. You develop workflows under your own account while logged on to the Windows Server.  The majority of our development takes place on our locally installed Designers (we have a handful of licenses).  After a workflow is developed, we copy it over to the VM and store it in a "production" folder within the server.

5.  While logged on to the Windows Server you also develop workflows which you upload to the Gallery.  We do make "on the fly" changes to our workflows while logged into the Windows server, using the instance of Designer installed on our Windows server.

 

Also, because our server doesn't have access to the network drive, we can't do the 'save as' option for most of our workflows in Alteryx Designer.

For the setting "Credentials setting for workflows", we have the "allow users to select credentials" option.

robertfishel
8 - Asteroid

I will read over it now.  I forwarded the article to a teammate. 

His reply was "I read this about 5 times yesterday😂still can’t figure out how the prompt credential works"  

Will you elaborate on this point for his (and my) benefit?

patrick_mcauliffe
14 - Magnetar
Starting at the most general level....
Your Windows credentials are what identifies you to your machine and your network.
When the network permits you to access something on the network (i.e. a file in another location/another machine) it first checks your credentials to see if you have permission.
When an application asks for admin rights, it is essentially asking your permission to use your credentials to carry out tasks (usually create, delete, modify files and network settings) which require some verification that an authorized user is performing the activity.
The reason the Gallery can't run apps and workflows that are secured down to your user ID or your team's access group/role is because the Gallery is not running under the authority (admin right) of a user which has that level of access.
When you create a service account for the Gallery, the idea is that you're creating a Windows account which is set up just like a user, but it is only intended to be used by an unattended application (no user is physically sitting in front of the machine). In that case the "user" (service account) has to have access to all of the locations on the network that any user of the Gallery would also need access to.
*This is a security hole* because anyone who has access to the Gallery would then be able to create apps which scan for all of the files the Gallery has access to (which the person creating the app may not have access to on their own) and then create apps to move those files into an area which they do have access to.
For example:
You have access to drive A and not drive B. I have access to drive B and not drive A.
We both want to build apps for the Gallery which use our respective network drives.
If the Gallery is given a service account which has access to both, I could deploy an app to scan all directories the Gallery has access to and return a file list, so I could see all of your files on drive A. I could also create an app to copy the files on drive A and move them to drive B. Since the Gallery's account would be doing the work, it would be permitted to do this since its service account has both sets of access rights.

So, the workflow credentials are a way of not giving the Gallery its own rights, but allowing it to use the rights that *you* have when you deploy an app.
That way, you control which users use your app, and therefore which users will have access to the files that your credentials do.

Looking back on it, the first part of that article is a little confusing. Ignore everything before the paragraph starting with "Workflow credentials are the most granular level of credential". From that point on it should make sense.
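
The drive A / drive B scenario from the reply above, worked through as an added example (not part of the original thread and not Alteryx code): it computes, for each Gallery publisher, which shares a published workflow could reach that the publisher cannot reach directly, under a shared service account versus workflow credentials. The account, group and share names and the two mode names are constructed for illustration, and the model assumes a workflow run with workflow credentials executes as its publisher.

```python
"""Simplified access model of the drive A / drive B scenario (all names constructed)."""

# Constructed sample data: group membership and share ACLs, not real AD or Alteryx output.
GROUPS = {"team_a": {"user_a"}, "team_b": {"user_b"}}
SHARE_ACL = {
    "driveA": {"team_a", "svc_gallery"},
    "driveB": {"team_b", "svc_gallery"},
    "shared": {"team_a", "team_b", "svc_gallery"},
}
PUBLISHERS = ["user_a", "user_b"]


def principals_of(identity):
    """The identity itself plus every group it belongs to."""
    return {identity} | {g for g, members in GROUPS.items() if identity in members}


def reachable(identity):
    """Shares whose ACL names the identity or one of its groups."""
    who = principals_of(identity)
    return {share for share, allowed in SHARE_ACL.items() if allowed & who}


def run_as(publisher, mode, service_account="svc_gallery"):
    """Identity the Gallery job executes under in each model (hypothetical mode names)."""
    if mode == "service_account":
        return service_account   # one shared identity for every published workflow
    if mode == "workflow_credentials":
        return publisher         # assumption: the job runs with the publisher's own rights
    raise ValueError(f"unknown mode: {mode}")


def exposure(publisher, mode):
    """Shares a published workflow can touch that its publisher cannot touch directly."""
    return reachable(run_as(publisher, mode)) - reachable(publisher)


def audit(mode):
    """Per-publisher privilege gap; an empty list means no access beyond their own."""
    return {p: sorted(exposure(p, mode)) for p in PUBLISHERS}


if __name__ == "__main__":
    for mode in ("service_account", "workflow_credentials"):
        print(mode, audit(mode))
```

A non-empty list for any publisher is the gap the reply calls a security hole; run against a real ACL export, the same set difference shows which shares a proposed service account would open up to each publisher.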