Community Spring Cleaning week is here! Join your fellow Maveryx in digging through your old posts and marking comments on them as solved. Learn more here!
The Product Idea boards have gotten an update to better integrate them within our Product team's idea cycle! However this update does have a few unique behaviors, if you have any questions about them check out our FAQ.

Alteryx Server Ideas

Share your Server product ideas - we're listening!
Submitting an Idea?

Be sure to review our Idea Submission Guidelines for more information!

Submission Guidelines

Alteryx Gallery API running as an account

In the Alteryx Gallery UI, it's possible to set up workflow credentials so that a workflow published to the gallery runs as a specific user.  

 

Unfortunately when that workflow is run from the Alteryx Gallery API, it appears to only ever run as the Alteryx Server Run-As account. 

 

Our developers in working with this figured out that if they called the (undocumented) API that runs the actual Alteryx Gallery directly, they can achieve what they want, but it seems a risky strategy.

 

The idea would be:

-Either unify the APIs so that the Gallery itself uses the same API to run workflows as what you present as the "Gallery API" (the eat your own dogfood way)

-Alter the Gallery API to enable us to run as a different workflow credential

 

Without this, we're forced to permission the run-as account to access anything that uses this method, which in turn then becomes a bit of a security hole (any workflow run will have access to everything that the run-as account uses) 

40 Comments
cam_w
11 - Bolide

@brianturner- from original post:

 


@michael_renwick wrote:

 

Our developers in working with this figured out that if they called the (undocumented) API that runs the actual Alteryx Gallery directly, they can achieve what they want, but it seems a risky strategy.

But I agree, this contains risk that would need to be mitigated by your team that uses it.

brianturner
6 - Meteoroid

@CiaranA I think this has the same security hole, a team without access could add a workflow to a data source which they don't have access or don't have complete access, the underlying default account would have to have the broadest permissions of anything needing to run.

 

@piotrzawistowski That would be great, no ETA yet, though.  I had suggested multiple Run As accounts, they followed up asking about how that was going.

brianturner
6 - Meteoroid

@cam_w Any idea how to get those?  Perhaps that would be better in terms of risks than the multiple Run As accounts, really depends on if Alteryx is just going to open up the internal APIs or do something different.

TanyaS
Alteryx Alumni (Retired)

@piotrzawistowskiThe "accepted" status does not mean that work is set for an immediate release. "Coming soon" is used that it will be implemented in the next 1-2 releases. "Implemented" means that it is generally available. This work has been accepted, meaning that it has been evaluated to be valuable and is on the roadmap.

CiaranA
10 - Fireball

@brianturner Yes we have mitigated this by running private studios with specific service accounts as their default credentials i.e. avoiding using the default underlying service account for anything other than executing flows via API (and strictly managing who can do this).

KylieF
Alteryx Community Team
Alteryx Community Team
Status changed to: Coming Soon

Thank you for your idea! This feature will be available in an upcoming release, we'll update this idea again once that release is available for download.

CiaranA
10 - Fireball

Great news 🙂

veruzi
8 - Asteroid

We need this badly.

We assumed that one you save the workflow on the Gallery to run with specific credentials, the same behavior will be ported to the Gallery API as well, instead the "Run-as" User is used from the API, which is not working for us as most of our users are saving to the Gallery with their own credentials.

Please release this soon!

KylieF
Alteryx Community Team
Alteryx Community Team
Status changed to: Implemented

Hi All!

 

Thank you for your feedback! This functionality was included in our newest release of Server, 2020.2, which you can download here!

CiaranA
10 - Fireball

Thanks!