Spotfire Ideas Portal
Status Future Consideration
Product Spotfire
Categories Data Access
Created by Guest
Created on Mar 13, 2017

SQL trusted authentication - forbid creating a datasource against the Spotfire metadata DB

When Spotfire is configured with trusted authentication to access the Spotfire metadata DB, it is possible to create a datasource pointing to the same metadata DB even without having the credentials of the service account used for the MSSQL DB connection. This is easily achieved by adding ";integratedSecurity=true" to the JDBC connection string.

The SQL username/password will be completely ignored and as a result it will expose all the metadata info (e.g. the users table).

The only mitigation suggested by support is to limit the license to the Information Designer; however, in a large enterprise environment where we have multiple infrastructures maintained by power users in different projects, this is not a valid solution, because ultimately it does not provide any real mechanism to block the problem.

My proposal would be: when Spotfire is configured with trusted authentication, block the creation of datasources against the metadata DB in the designer.
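An audit check for the condition described in this idea, added here as an example (it is not code from the poster or from Spotfire): it parses Microsoft SQL Server JDBC URLs and flags any that set `integratedSecurity=true` or that point at the metadata DB. The host name, database name, function names and the idea of feeding it an exported list of datasource URLs are assumptions made for illustration.

```python
import re

# Constructed placeholder values (assumption): set these to your own metadata DB.
METADATA_DB = {"host": "sqlmeta01.example.internal", "database": "spotfire_server"}

_URL = re.compile(r"jdbc:sqlserver://([^;]*)(.*)$", re.IGNORECASE)

def parse_mssql_jdbc(url):
    """Split a SQL Server JDBC URL into host, port and a lower-cased property dict."""
    m = _URL.match(url.strip())
    if not m:
        return None
    server, rest = m.group(1), m.group(2)
    props = {}
    for part in rest.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            # The driver treats property names case-insensitively.
            props[key.strip().lower()] = value.strip()
    # Server part is host[\instance][:port]; host may instead come from serverName=.
    host_part, _, port = server.partition(":")
    host = host_part.partition("\\")[0] or props.get("servername", "")
    return {"host": host.lower(), "port": port or props.get("portnumber", ""),
            "props": props}

def audit(url, metadata=METADATA_DB):
    """Return a list of findings for one datasource connection URL."""
    parsed = parse_mssql_jdbc(url)
    if parsed is None:
        return []
    findings = []
    props = parsed["props"]
    # Integrated security makes the driver ignore the supplied SQL username/password.
    if props.get("integratedsecurity", "").lower() == "true":
        findings.append("integrated-security")
    db = props.get("databasename", props.get("database", "")).lower()
    # Conservative: no database named on the metadata host is also flagged,
    # because the login's default database may be the metadata DB.
    if parsed["host"] == metadata["host"].lower() and db in ("", metadata["database"].lower()):
        findings.append("targets-metadata-db")
    return findings

# Constructed sample datasource URLs.
SAMPLES = [
    "jdbc:sqlserver://sqlmeta01.example.internal:1433;databaseName=spotfire_server;integratedSecurity=true",
    "jdbc:sqlserver://sales-db.example.internal:1433;DatabaseName=sales",
    "jdbc:sqlserver://sales-db.example.internal;IntegratedSecurity=TRUE;databaseName=sales",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample), sample)
```

A URL that returns both findings matches the case in this idea: a datasource reaching the metadata DB under the server's service account.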

  • ADMIN RESPONSE
    Jan 5, 2018

    Note that due to the complexity of Spotfire it is always possible to configure it in ways that are not secure for the intended use. The Spotfire team does not recommend configuring Windows Integrated Security to access the Spotfire database if permissions to create data sources aren't limited to a few trusted users such as DBAs, Admins etc.

  • Guest
    Jan 5, 2018

    Admin, thanks for your response. Can you please clarify which configuration is not recommended? Can this be fixed in a future release?

  • Guest
    Dec 12, 2017

    This fix will help with the security flaw - voted.