Governing Spotfire® Mods in Your Organization

A great thing about Spotfire® Mods is that it allows any Spotfire® user to enrich the palette of visualizations available for their data analysis. They can either build new mods themselves, or they can easily download mods from the Community Exchange or other places and add them to their Spotfire® environment. By saving a mod to the Library it can be reused in different analyses and shared with other users. This gives end users the freedom to fully vent their creativity without the need for administrators to put time and effort in preconfiguring the Spotfire® environment

Some organizations want to have more strict control of how Spotfire® is used, and with central governance they can put restrictions on what group of users have access to different features. This can also be applied to mods. An administrator can have full control over how mods are deployed and used in the organization. For example, it is possible to restrict who is allowed to trust mods and who can save mods to the library in order to achieve a pre-configured environment with only selected and approved mods being available to the end users.

To achieve this, administrators have the following tools at hand:

Library access control
Licenses on group level
Preferences on group level
Server settings and commands

This article walks you through the available options and how they can be used in practice to implement some common scenarios.

For more information on Spotfire® Mods, see Spotfire® Mods Overview.

Trust and certificates

A built-in trust mechanism helps you keep your system safe when using Spotfire® Mods.

Working with trust and certificates

Library access control for mods

In the same way as for .dxp files, data functions and other Spotfire® artefacts, Library access control can be used to determine where mods can be saved and what mods are available for different groups of users. For each folder in the Library, the administrator can configure read / write / modify permissions for different groups of users.

This is configured in the Library Administration tool, that is available under Tools > Library Manager in the Spotfire® Analyst client.

Licenses to control the usage of mods

Licenses are used to control what functionality are available to different groups of users.

Licenses are viewed and edited in the Users & Groups section of the Spotfire® Server admin UI or using the Administration Manager tool, which is available under Tools > Administration Manager in the Spotfire® Analyst client.

The license features related to Mods can be found under the Spotfire® Extensions license.

License feature	Description
Develop Visualization Mod	Allows a user to create and develop visualization mods in Spotfire®.
Open Visualization Mod from Library	Allows a user to open visualization mods (.mod files) from the library.
Save Visualization Mod to Library	Allows a user to save visualization mods (.mod files) to the library.
Open/Save Local Visualization Mod	Allows a user to open and save visualization mods (.mod files) locally.
Trust Mods	Allows a user to determine whether to trust mods that are developed by others. Note that if this license is assigned to the Anonymous User group, users can trust mods, but trust decisions will not be stored, so the trust decision must be taken each time an analysis containing an untrusted mod is opened.

Preferences to control the usage of mods

Preferences customize the default settings in Spotfire® clients for members of a selected group. An administrator can view and edit preferences using the Administration Manager tool, which is available under Tools > Administration Manager in the Spotfire® Analyst client.

Preferences related to Mods are located under the Application / Mods and Application / Trust sections.

Application / Mods preferences:

Max export timeout

Specifies the maximum time, in seconds, allowed for an export containing a visualization mod to be finished. The default value is 20 seconds.

If you set the timeout to 0 (zero), it will be interpreted as no timeout. This means that there will be no upper limit for trying to finish the export.

Pinned visualization mods

With this preference you can specify which visualization mods to display by default on the Visualizations types flyout.

Start by pinning the visualization mods you want to display by default to the Visualization types flyout.
Open the Visualization types flyout.
Click the three dots to the right of the search field.
Select Copy info about pinned visualizations to clipboard from the menu that opens.
Open Administration manager and locate the Pinned visualization mods preference.
Paste the content you just copied into the text field.

Application / Trust Preferences:

Require valid signature to allow trust

Lets you specify whether or not it should be possible to trust mods with invalid signatures. Default is True.

Signer display name templates

Lets you specify how names of mod signers should be displayed in Spotfire®.

See the Administration Manager help for details.

Server settings and commands to control the usage of mods

A central part of the governance and security of mods is related to the trust mechanism based on code signing certificates.

As an administrator, you have several options to monitor and configure the trust mechanism in your environment:

View trusted signers and items - allows the administrator to monitor what signers or mods have been trusted by individual users
Add trusted signers for a group - to allow end users being able to use specific mods without having to perform trust themselves
Remove trusted signers from a group - to force end users to make their own trust decisions
Revoke a server certificate - to prevent all mods signed with a specific server certificate from being used
Block external certificates - to prevent all mods signed with a specific external certificate from being used
Move certificates from one system to another - to keep items signed with a server certificate valid when moving them between different systems, e.g. from test to production

See also Code trust commands for trust related administration tasks that can be performed from the command line.

SameSite cookie attribute and HTTPS

The SameSite cookie attribute is used to determine whether or not to allow cookies to be accessed in different scenarios. To be able to use mods with all supported browsers in web clients, the server must be configured with HTTPS, and SameSite must be set to None.

Use the server command-line configuration tool to specify the SameSite cookie attribute

Example scenarios

Only admin can save new mods to the library, but all users can use approved mods

For this rather restricted scenario, the admin would disable the Save Visualization Mod to Library license feature for all groups except for the Administrator group.

All mods that are going to be used by the organization are then managed by the administrator, including approval and saving to the library. By configuring trusted items or signers at group level (see Adding trusted signers for a group), the mods can then be made available to the end users.

Only a selected group of users are allowed to trust mods for themselves and save to the library, but all users can use mods signed by the company certificate

Enable the Trust Mods license feature for those groups which members should be allowed to trust mods for themselves, disable for all other groups.

Use the Package Builder tool to sign mods with the company code signing certificate. See Signing a visualization mod using Package Builder for more information.

Use the Add trusted signers for a group workflow to give all users access to the mods signed by the company certificate. Typically the certificate will be added to the Everyone group or similar.

Make the mods available to the end users through the library.

All users are allowed to trust mods for themselves

This is a less restrictive scenario and is achieved by enabling the Trust mods license feature for all users. Also make sure to enable the Open Visualization Mod from Library, Save Visualization Mod to Library and / or Open/Save Local Visualization Mod license features so that mods can effectively be reused in different analysis.

Admin can control what mods turn up in the visualizations menu by default for all users

To give the end users quicker access to selected mods, you may choose to add those mods to the end users default configuration of the visualization flyout, using the Pinned visualization mods preference (see description in the Preferences section above).

A prerequisite is that the mods are stored in a library location that is accessible to all users.

Best practices

Central deployment and pre-approval of commonly used mods

For mods that will be frequently used across the organization, the admin can deploy those mods in a central location in the library and have them automatically trusted for all or a selected group of users (see Add trusted signers for a group).

Pre-approval of trusted signers

The more mods that have been pre-approved by the administrator, the fewer questions will be shown to the end users who try to add visualizations to their analyses. Also, end users who do not have permission to trust can only use mods that have been pre-approved by the administrator. It is therefore a good practice to have the administrator pre-approve signers that are regarded as trusted (see Add trusted signers for a group). This also makes it possible to limit the number of users who need permission (through the "Trust Mods" license) to trust mods themselves.

Tip: All TIBCO Community Mods are signed with the TIBCO Software Inc certificate. By adding that certificate as trusted signer for all users (for example the Everyone group), they can use the community mods without being prompted for trust.

Avoid duplicates of a mod in the library

By avoiding duplicates of mods in the library it is easier for end users to search for mods. This is especially important for mods that are saved in public folders. Avoiding duplicates also makes it easier to keep your analysis files in synch when there is a new version of a mod deployed.

The basic step here is to make sure that the library is properly organized, with permissions, folder structure and naming. The admin can also use the the "Save Visualization Mod to Library" license to govern who can actually add mods to the library.

Avoid invalid signatures

Always make sure that the mods that are shared in the library have valid signatures. Mods with invalid signatures cannot be trusted or used by end users, but they can be browsed for and show up en search result which may cause confusion and frustration for the end user.

Using the "Save Visualization Mod to Library" license, the admin can govern who can actually add mods to the library.

When moving mods between different Spotfire® servers and the mods are signed with the server certificate, make sure the certificates are synched between the servers.

If you have access to the mod source code, you can always use the developer workflow to save a mod to the library with a valid signature.

If you don't have access to the source code, you can re-sign a mod using the Package Builder, before sharing the mod in the library.

Synchronize certificates between test and productions systems

When moving mods between different Spotfire® servers, such as from test to production, and the mods are signed using a Spotfire® server certificate, make sure the certificate are synched between the servers.

Use an external cerificate when signing mods to be shared across organizations

When building mods to be shared between different environments, it is recommended to sign the mods using a certificate from a trusted certificate authority (CA). See Signing a visualization mod using Package Builder.

Sign In