Spotfire Ideas Portal

SQL trusted authentication - forbid to create datasource against the Spotfire metadata DB

When Spotfire is configured with trusted authentication to access the Spotfire metadata DB, it is possible to create a datasource pointing to the same metadata DB even without having the credentials of the service account used for the MSSQL DB connection. This is easily achieved by adding ";integratedSecurity=true" to the JDBC connection string.

The SQL username/password will be completely ignored and, as a result, it will expose all the metadata info (e.g. the users table).

The only mitigation suggested by support is to limit the license to the Information Designer. However, in a large enterprise environment where we have multiple infrastructures maintained by power users in different projects, this is not a valid solution, because it ultimately does not provide any real mechanism to block the problem.

My proposal would be: when Spotfire is configured with trusted authentication, block the creation of datasources against the metadata DB in the designer.
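
A defender-side check for the condition described in the idea above, as an added example that is not part of the original post or of Spotfire: it parses data source connection URLs in Microsoft JDBC driver syntax and flags any that set `integratedSecurity=true` or point at the metadata database. The host and database names, the sample URLs and the function names are assumptions constructed for illustration.

```python
# Added example: audit data source JDBC URLs for the trusted-authentication risk.
# Assumed (hypothetical) metadata DB location: (host, database).
METADATA_DB = ("spotfire-db.example.internal", "spotfire_server")

# Constructed sample connection strings, not taken from any real system.
SAMPLE_URLS = [
    "jdbc:sqlserver://spotfire-db.example.internal:1433;databaseName=spotfire_server;integratedSecurity=true",
    "jdbc:sqlserver://sales-db.example.internal:1433;DatabaseName=sales",
    "jdbc:sqlserver://SPOTFIRE-DB.example.internal\\SQL01;database=Spotfire_Server",
    "jdbc:sqlserver://;serverName=other.example.internal;IntegratedSecurity=TRUE;",
]

def parse_sqlserver_url(url):
    """Split jdbc:sqlserver://host[\\instance][:port];key=value;... into parts."""
    prefix = "jdbc:sqlserver://"
    if not url.lower().startswith(prefix):
        return None
    server, _, rest = url[len(prefix):].partition(";")
    props = {}
    for item in rest.split(";"):
        key, sep, value = item.partition("=")
        if sep:  # property names are case-insensitive in the driver
            props[key.strip().lower()] = value.strip()
    # The host may be given as serverName=...; drop :port and \instance.
    host = (server or props.get("servername", "")).split(":")[0].split("\\")[0]
    database = props.get("databasename") or props.get("database", "")
    return host.lower(), database.lower(), props

def audit(url, metadata_db=METADATA_DB):
    """Return the list of findings for one data source URL."""
    parsed = parse_sqlserver_url(url)
    if parsed is None:
        return []
    host, database, props = parsed
    findings = []
    # Flagged even without a database name: the connection then runs as the
    # server's service account and lands in that login's default database.
    if props.get("integratedsecurity", "").lower() == "true":
        findings.append("integrated-security")
    if (host, database) == tuple(part.lower() for part in metadata_db):
        findings.append("targets-metadata-db")
    return findings

def audit_all(urls):
    """Map each flagged URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := audit(u))}

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_URLS).items():
        print(", ".join(findings), "<-", url)
```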

  • ADMIN RESPONSE
    Jan 5, 2018

    Note that due to the complexity of Spotfire it is always possible to configure it in ways that are not secure for the intended use. The Spotfire team does not recommend configuring Windows Integrated Security to access the Spotfire database if permissions to create data sources aren't limited to a few trusted users such as DBAs, Admins etc.

    • Guest
      Jan 5, 2018

      Admin, thanks for your response. Can you please clarify which configuration is not recommended? Can this be fixed in a future release?

    • Guest
      Dec 12, 2017

      This fix will help with the security flaw - voted.