Permissions with BigQuery Connectors and data sources stored in library

[Stephie EDWIGE]

Dear Spotfire Community User,

 

I’m currently working with BigQuery connectors stored in the library for our dashboards. I’ve encountered an issue that I hope to get some insights on.

I created a data source and multiple connectors stored in the library. Analysts are using these connectors in their dashboards and sharing them with collaborators. However, it appears that even if collaborators have access to the BigQuery datasets, the data source and the connectors in the library, they can only retrieve data if they have modification permission on the connectors. This seems inconsistent with how information links operate.

When collaborators lack modification permission on the connector, they receive the error: "The customQuery was not allowed to execute because it is not trusted" (see screenshot attached). This behavior is a little bit confusing, and I’m trying to understand why it differs from information links. Additionally, I don't want to allow everyone to modify the connectors.

Spotfire version: 11.4.6 LTS

Any insights or guidance on this issue would be greatly appreciated. Thank you for your time!

 

Best regards,
SE

 

Edited Tuesday at 02:50 PM by Stephie EDWIGE
change the screenshot

[Olivier Keugue Tadaa]

Hi @Stephie EDWIGE

This issue sounds to me more related to the custom queries trust mechanism than the permission to the connections itself. 

Indeed the custom queries should be trusted by someone member of the "Custom Query Author" group.

Can you try this (trust all the custom queries and save the connections)?

[Stephie EDWIGE]

From what I understand, to trust a custom query, it needs to be verified before being stored in the library. I did this, but it didn't solve the issue for users who do not have modification permission on the connectors. Regarding the custom query author group, I am not sure if I am part of it. I will need to check with an admin.

What is really confusing for me, is that it works for users who have modification permission on the connector. If I'm not a custom query author or my custom query is not verified, shouldn't it not work for anyone?

[Olivier Keugue Tadaa]

since the connection is not embedded in the dashboard, this can explain why a permission level is required. Please try to join the "Custom Query Author" group and save the custom queries again so that they will be trusted for everyone. This is the prerequisite and that responds to a security requirement. and the recommended solution 👍

Also could you embed the connections in the reports? This can also be a workaround solution allowing any user to trust the connection themselves. But I wouldn't recommend this approach. 👎

[Stephie EDWIGE]

Ok I'll do the request. This definitely looks like the best option to share the connectors in a safe way. I don't like either to embed the connection in the dashboard because if the custom query needs to be modify, I will have to update each dashboards ...

Thanks a lot for your help ! I'll mark your post as solution as soon as I completed the test as custom query author.

[Olivier Keugue Tadaa]

Good, let me know.