In my previous post, I introduced the Alteryx Server Content Best Practices, discussing the overarching concepts of how content is managed in the Alteryx Gallery. This post will focus on the best practices for managing users so they can access the content across your Alteryx Server in a secure and controlled way.
Understanding Alteryx Server Authentication Mechanisms
As was mentioned in that earlier post, there are four authentication mechanisms:
- Local built-in authentication
- Integrated Windows Authentication (IWA)
- Integrated Windows Authentication with Kerberos
- SAML Authentication
Each of these methods has trade-offs in how they can be used, which we will discuss, but once you have decided on the authentication type, they mostly behave similarly in Gallery.
Unchangeable Decision: Choosing the Right Authentication Method
Choosing your authentication method is your only unchangeable decision when configuring Alteryx Server. It is unchangeable because the references and user identification mechanism in the MongoDB database can be incompatible between the authentication types. Changing it later is technically possible, but there is no guarantee that the database won’t be corrupted, which would require a full reinstall.
The primary difference between the Authentication types is how the Alteryx engine interacts with network drives and how Groups are integrated. When using either IWA option, Alteryx can impersonate individual Active Directory users to access Windows network shares with the permissions for each user. This is not possible for either built-in or SAML authentication.
The other difference is that, with IWA, Active Directory groups can be imported and used for Alteryx permissions. With the current version of Alteryx Server (2023.1), groups from SAML cannot be synced. All group management must be done in Alteryx manually or using the Alteryx Server APIs.
The standard recommendation for Alteryx authentication is either IWA or IWA with Kerberos, enabling managed network file access. This creates a trade-off where users have a different Single Sign On experience than any other web application. Users benefit from file access and network security leveraged from the established systems and don’t require additional permissions for Alteryx run-as-user.
User Roles vs. Permissions: Unlocking User Interactions and Content Accessibility
Once a user has been created on the Alteryx server, there are two different permissions concepts to consider: Roles and Permissions.
The User Roles define how a user can interact with the Alteryx Gallery, while User Permissions define what content a user can interact with.
Five different roles can be assigned to a user (as taken from User Roles and Permissions | Alteryx Help):
Curator: Curators (Server admins) can access the Admin interface to perform administrative tasks. Curators also have all the privileges of an Artisan.
Artisan: Artisans can publish, run, and share workflows in their private studio and shared collections.
Member: Members can run workflows that are shared with them via collections.
Viewer: Viewers can run public workflows on the Server UI home page and in districts.
No Access: Blocks access to all Server assets. The No Access role is typically used in Servers using Integrated Windows Authentication or SAML Authentication to control initial access to the Server UI when new users sign up.
Each of these roles changes how a user connects to the gallery. The higher the permission level, the greater the user’s access.
Permissions, conversely, define what content a user can access on the server. The permissions are inherited from the collection where the content is placed and the asset permission the user is given in that collection. I will explore collections more in a future post, where content-specific capabilities are extracted, but suffice it to say that access becomes specific to the collection.
Streamlining User and Group Management in Alteryx Server
Assigning default roles
When a user is onboarded to your Alteryx server, they receive a default role. There are two ways that a default role is assigned to a user. The first is a fallback role for all new users on a server. This is defined in the Gallery Admin Configuration page. This role is best defined as the lowest level of permission needed.
Depending on how the server URL is exposed and what firewall access is in place, you could define the role as viewer or no access. In an environment where the assumption is that if a user can access the server, they should have visibility of what has been made public, the viewer role would mean the user can see the content. That content must be in a public gallery or shared via a collection the new user can access.
If the security profile of the server requires explicit content permission for new users, then the no access option means they won’t see any content until their permission has been upgraded.
The second mechanism for assigning a default role is via creating groups. When creating the groups, there is an option to define the group’s default role.
It’s important to know that any default role that is assigned to a user can be overridden on an individual basis. The downside is that the amount of administration associated with individual users is significantly higher. That is where defining and managing groups comes in.
Creating custom groups & AD groups
Custom groups are created by curators in the User Admin section of the gallery. The actual creation is very simple. Choose a name and default role. This is all the configuration required for a custom group.
If you are using Integrated Windows Authentication as your authentication mechanism, then you also have the option to import Active Directory groups. Once you import these groups, they can be used in other areas of Alteryx. You can assign them to collections or custom groups.
Adding users to groups
The final user management option is to add individual users to a custom group. These custom groups allow unified permission management across different collections and use cases.
Adding users to a group is done from the group management page. You can add individual users to the group using the “Add User” button in the top right corner. Each user must be added one at a time, and there is no bulk-adding option in the gallery interface.
Once a user has been added, they inherit all group access. So if that group has access to an existing collection, the new user immediately inherits that permission.
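The role inheritance described in this section (server fallback role, group default roles, individual overrides) lends itself to a periodic least-privilege audit. The following Python is an added example, not Alteryx code and not part of the original post. It assumes that an individual override wins over group default roles and that the most privileged group default applies when a user belongs to several groups; all users and groups are constructed sample data.

```python
# Added example: role names come from the post; the precedence rule and all
# sample users/groups below are constructed assumptions, not Alteryx code.
ROLE_RANK = {"No Access": 0, "Viewer": 1, "Member": 2, "Artisan": 3, "Curator": 4}

SERVER_DEFAULT_ROLE = "No Access"  # fallback role set on the Gallery Admin Configuration page

# Constructed sample inventory (hypothetical names).
GROUP_DEFAULT_ROLE = {"Finance Analysts": "Member", "Workflow Builders": "Artisan"}
USERS = [
    {"name": "asha", "groups": ["Finance Analysts"], "override": None},
    {"name": "bruno", "groups": ["Finance Analysts", "Workflow Builders"], "override": None},
    {"name": "chen", "groups": ["Finance Analysts"], "override": "Curator"},
    {"name": "dana", "groups": [], "override": None},
    {"name": "eli", "groups": ["Workflow Builders"], "override": "Viewer"},
]


def inherited_role(user, group_roles=GROUP_DEFAULT_ROLE, fallback=SERVER_DEFAULT_ROLE):
    """Role the user receives without any individual override."""
    roles = [group_roles[g] for g in user["groups"] if g in group_roles]
    if not roles:
        return fallback  # no group membership: server-wide default applies
    # Assumption: with several groups, the most privileged default role applies.
    return max(roles, key=ROLE_RANK.__getitem__)


def effective_role(user, **kw):
    """Individual override wins; otherwise the inherited role."""
    return user["override"] or inherited_role(user, **kw)


def audit(users, **kw):
    """Flag overrides that raise privilege above the inherited role, and every Curator."""
    findings = []
    for u in users:
        base, eff = inherited_role(u, **kw), effective_role(u, **kw)
        if u["override"] and ROLE_RANK[eff] > ROLE_RANK[base]:
            findings.append((u["name"], "override-escalates", base, eff))
        if eff == "Curator":
            findings.append((u["name"], "server-admin", base, eff))
    return findings


if __name__ == "__main__":
    for u in USERS:
        print(f"{u['name']:6} inherited={inherited_role(u):10} effective={effective_role(u)}")
    for finding in audit(USERS):
        print("FINDING", finding)
```

Overrides that lower privilege (such as the constructed user `eli`) are not flagged, since they do not widen access; only escalations and server admins are reported for review.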
Efficient Bulk Management of Users with the Server API
When defining users, groups, roles and permissions in the Gallery UI, every configuration is done one item at a time: create one group, assign a role to one user, import a single Active Directory group. If there is a situation where you want to manage multiple entities at the same time, you will need to use the Server API. This API has user and group endpoints for managing access and content permissions. A future post will delve into how the Server API is accessed and what some of the key processes are for automating Alteryx server content.
In my previous post, I introduced you to the Alteryx Server Content Best Practices, shedding light on how content is managed within the Alteryx Gallery. Here we delved deeper into the intricacies of user management, ensuring that users can access content across your Alteryx Server securely and with utmost control.
Here are three key takeaways to keep in mind:
1. Choosing the Right Authentication Method: When configuring the Alteryx Server, the choice of authentication method is crucial. You have options like local built-in authentication, Integrated Windows Authentication (IWA), Integrated Windows Authentication with Kerberos, and SAML Authentication. Each method has its trade-offs, so it’s important to consider factors like file access, network security, and Single Sign-On experience before deciding.
2. Unleashing the Power of User Roles and Permissions: Alteryx Server uses the concepts of User Roles and Permissions to shape user interactions and content accessibility. The User Roles, Curator, Artisan, Member, Viewer, and No Access, determine the level of interaction a user can have with the Alteryx Gallery. On the other hand, User Permissions define what specific content a user can access. Understanding and assigning the right roles and permissions is essential for effectively managing user access.
3. Streamlining User and Group Management: Alteryx Server provides practical ways to manage users and groups efficiently. You can assign default roles to new users through the Gallery Admin Configuration page or by creating custom groups with predefined default roles. Importing Active Directory groups adds another convenience layer, especially when using Integrated Windows Authentication. These features empower you to manage permissions across different collections and use cases seamlessly.
Now it’s your turn! Let’s kick-start a vibrant discussion on the community forums or connect on LinkedIn. Share your experiences and insights on user management in Alteryx Server. Which authentication method has worked best for your organization? How do you handle user roles and permissions? Let’s learn from each other and explore the possibilities of optimising user management in Alteryx Server together.
Remember, the real power lies in the community, so let’s join forces and take our knowledge of Alteryx Server user management to the next level!