Jump to content
  • Governing Spotfire® Mods in Your Organization


    A great thing about Spotfire® Mods is that it allows any Spotfire® user to enrich the palette of visualizations available for their data analysis. They can either build new mods themselves, or they can easily download mods from the Community Exchange or other places and add them to their Spotfire® environment. By saving a mod to the Library it can be reused in different analyses and shared with other users. This gives end users the freedom to fully vent their creativity without the need for administrators to put time and effort in preconfiguring the Spotfire® environment

    A great thing about Spotfire® Mods is that it allows any Spotfire® user to enrich the palette of visualizations available for their data analysis. They can either build new mods themselves, or they can easily download mods from the Community Exchange or other places and add them to their Spotfire® environment. By saving a mod to the Library it can be reused in different analyses and shared with other users. This gives end users the freedom to fully vent their creativity without the need for administrators to put time and effort in preconfiguring the Spotfire® environment

    Some organizations want to have more strict control of how Spotfire® is used, and with central governance they can put restrictions on what group of users have access to different features. This can also be applied to mods. An administrator can have full control over how mods are deployed and used in the organization. For example, it is possible to restrict who is allowed to trust mods and who can save mods to the library in order to achieve a pre-configured environment with only selected and approved mods being available to the end users.

    To achieve this, administrators have the following tools at hand:

    • Library access control
    • Licenses on group level
    • Preferences on group level
    • Server settings and commands

    This article walks you through the available options and how they can be used in practice to implement some common scenarios.

    For more information on Spotfire® Mods, see Spotfire® Mods Overview.

    Trust and certificates

    A built-in trust mechanism helps you keep your system safe when using Spotfire® Mods.

    Library access control for mods

    In the same way as for .dxp files, data functions and other Spotfire® artefacts, Library access control can be used to determine where mods can be saved and what mods are available for different groups of users. For each folder in the Library, the administrator can configure read / write / modify permissions for different groups of users.

    This is configured in the Library Administration tool, that is available under Tools > Library Manager in the Spotfire® Analyst client.

    Licenses to control the usage of mods

    Licenses are used to control what functionality are available to different groups of users.

    Licenses are viewed and edited in the Users & Groups section of the Spotfire® Server admin UI or using the Administration Manager tool, which is available under Tools > Administration Manager in the Spotfire® Analyst client. 

    The license features related to Mods can be found under the Spotfire® Extensions license.

    License feature

    Description

    Develop Visualization Mod

    Allows a user to create and develop visualization mods in Spotfire®.

    Open Visualization Mod from Library

    Allows a user to open visualization mods (.mod files) from the library.

    Save Visualization Mod to Library

    Allows a user to save visualization mods (.mod files) to the library.

    Open/Save Local Visualization Mod

    Allows a user to open and save visualization mods (.mod files) locally.

    Trust Mods

    Allows a user to determine whether to trust mods that are developed by others.



    Note that if this license is assigned to the Anonymous User group, users can trust mods, but trust decisions will not be stored, so the trust decision must be taken each time an analysis containing an untrusted mod is opened.

    Preferences to control the usage of mods

    Preferences customize the default settings in Spotfire® clients for members of a selected group. An administrator can view and edit preferences using the Administration Manager tool, which is available under Tools > Administration Manager in the Spotfire® Analyst client.

    Preferences related to Mods are located under the Application / Mods and Application / Trust sections.

    Application / Mods preferences:
    converted-file.thumb.png.0111b0b6418f8bbc202cc710a383b5d9.png

    Max export timeout

    Specifies the maximum time, in seconds, allowed for an export containing a visualization mod to be finished. The default value is 20 seconds.



    If you set the timeout to 0 (zero), it will be interpreted as no timeout. This means that there will be no upper limit for trying to finish the export.

    Pinned visualization mods

    With this preference you can specify which visualization mods to display by default on the Visualizations types flyout. 

    1. Start by pinning the visualization mods you want to display by default to the Visualization types flyout. 

    2. Open the Visualization types flyout.

    3. Click the three dots to the right of the search field.

    4. Select Copy info about pinned visualizations to clipboard from the menu that opens.

    5. Open Administration manager and locate the Pinned visualization mods preference.

    6. Paste the content you just copied into the text field.

    Application / Trust Preferences:
    converted-file.thumb.png.fdfa2c439224b1d02a167a2b2423d4ed.png


     

    Require valid signature to allow trust

    Lets you specify whether or not it should be possible to trust mods with invalid signatures. Default is True.

    Signer display name templates

    Lets you specify how names of mod signers should be displayed in Spotfire®.

    See the Administration Manager help for details.

    Server settings and commands to control the usage of mods

    A central part of the governance and security of mods is related to the trust mechanism based on code signing certificates.

    As an administrator, you have several options to monitor and configure the trust mechanism in your environment:

    See also Code trust commands for trust related administration tasks that can be performed from the command line.

    SameSite cookie attribute and HTTPS

    The SameSite cookie attribute is used to determine whether or not to allow cookies to be accessed in different scenarios. To be able to use mods with all supported browsers in web clients, the server must be configured with HTTPS, and SameSite must be set to None.

    Example scenarios

    Only admin can save new mods to the library, but all users can use approved mods

    For this rather restricted scenario, the admin would disable the Save Visualization Mod to Library license feature for all groups except for the Administrator group.

    All mods that are going to be used by the organization are then managed by the administrator, including approval and saving to the library. By configuring trusted items or signers at group level (see Adding trusted signers for a group), the mods can then be made available to the end users.

    Only a selected group of users are allowed to trust mods for themselves and save to the library, but all users can use mods signed by the company certificate

    Enable the Trust Mods license feature for those groups which members should be allowed to trust mods for themselves, disable for all other groups.

    Use the Package Builder tool to sign mods with the company code signing certificate. See Signing a visualization mod using Package Builder for more information.

    Use the Add trusted signers for a group workflow to give all users access to the mods signed by the company certificate. Typically the certificate will be added to the Everyone group or similar.

    Make the mods available to the end users through the library. 

    All users are allowed to trust mods for themselves

    This is a less restrictive scenario and is achieved by enabling the Trust mods license feature for all users. Also make sure to enable the Open Visualization Mod from Library, Save Visualization Mod to Library and / or Open/Save Local Visualization Mod license features so that mods can effectively be reused in different analysis.

    Admin can control what mods turn up in the visualizations menu by default for all users

    To give the end users quicker access to selected mods, you may choose to add those mods to the end users default configuration of the visualization flyout, using the Pinned visualization mods preference (see description in the Preferences section above).

    A prerequisite is that the mods are stored in a library location that is accessible to all users.

    Best practices

    Central deployment and pre-approval of commonly used mods

    For mods that will be frequently used across the organization, the admin can deploy those mods in a central location in the library and have them automatically trusted for all or a selected group of users (see Add trusted signers for a group).

    Pre-approval of trusted signers

    The more mods that have been pre-approved by the administrator, the fewer questions will be shown to the end users who try to add visualizations to their analyses. Also, end users who do not have permission to trust can only use mods that have been pre-approved by the administrator. It is therefore a good practice to have the administrator pre-approve signers that are regarded as trusted (see Add trusted signers for a group). This also makes it possible to limit the number of users who need permission (through the "Trust Mods" license) to trust mods themselves.

    Tip: All Spotfire Community Mods are signed with the TIBCO Software Inc certificate. By adding that certificate as trusted signer for all users (for example the Everyone group), they can use the community mods without being prompted for trust.

    Avoid duplicates of a mod in the library

    By avoiding duplicates of mods in the library it is easier for end users to search for mods. This is especially important for mods that are saved in public folders. Avoiding duplicates also makes it easier to keep your analysis files in synch when there is a new version of a mod deployed. 

    The basic step here is to make sure that the library is properly organized, with permissions, folder structure and naming. The admin can also use the the "Save Visualization Mod to Library" license to govern who can actually add mods to the library.

    Avoid invalid signatures

    Always make sure that the mods that are shared in the library have valid signatures. Mods with invalid signatures cannot be trusted or used by end users, but they can be browsed for and show up en search result which may cause confusion and frustration for the end user.

    Using the "Save Visualization Mod to Library" license, the admin can govern who can actually add mods to the library.

    When moving mods between different Spotfire® servers and the mods are signed with the server certificate, make sure the certificates are synched between the servers.

    If you have access to the mod source code, you can always use the developer workflow to save a mod to the library with a valid signature.

    If you don't have access to the source code, you can re-sign a mod using the Package Builder, before sharing the mod in the library.

    Synchronize certificates between test and productions systems

    When moving mods between different Spotfire® servers, such as from test to production, and the mods are signed using a Spotfire® server certificate, make sure the certificate are synched between the servers.

    Use an external cerificate when signing mods to be shared across organizations

    When building mods to be shared between different environments, it is recommended to sign the mods using a certificate from a trusted certificate authority (CA). See Signing a visualization mod using Package Builder.


    User Feedback

    Recommended Comments

    There are no comments to display.


×
×
  • Create New...