Spotfire Ideas Portal
Status To be Reviewed
Product Spotfire
Categories Automation Services
Created by Guest
Created on Sep 20, 2024

Improve Automation Service security model

Context:

1) All manipulations in the Spotfire library (both read and write) are made by automation service scheduled jobs not on behalf of the user account, but on behalf of the dedicated automation service account. This service account is used by all automation jobs, regardless of who was the job author.

2) After allowing the automation service account to access an analysis, any other user with access to the automation service can write a job that will access the analysis, send it to another email, or copy it to another folder.

In other words, enabling the automation service for an analysis implies that the scope of users having access to the analysis automatically includes every other Spotfire user who can schedule an automation job. It is indirect, but still an access and security breach.

3) Considering that permissions are granted in Spotfire not per analysis, but per folder, the same applies to all content in the same library folder, and also to dependencies like infolinks and data sources.


Issue:

In our library there is a lot of content that requires processing by automation jobs, but access to data within this content should be limited to certain groups.

With the current security model, we have to refuse users the use of Automation Services, and use automation jobs only for content already available to Everyone.


Proposed solution:

It should be possible to run automation jobs in the context of certain users/system users, so that library permissions would be applied to the jobs. By default, jobs should run under the account of the user who creates them.



Conclusion:

The current security model is so primitive that Automation Services cannot be used in a corporate environment for a lot of cases.
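
The access widening described in the post, as an added example that is not part of the original post and is not Spotfire code: a small Python model that compares effective readers of each library folder when all jobs run as one shared service account against the proposed run-as-author model. The account name, folder paths, users and the `Library` class are all hypothetical, and group membership and dependencies are left out for brevity.

```python
# Constructed model of the access problem described in the post; all names are
# hypothetical and nothing here calls a Spotfire API.
from dataclasses import dataclass, field

SERVICE_ACCOUNT = "automation_svc"  # assumed name for the shared job account


@dataclass
class Library:
    # folder path -> principals with access (permissions are per folder)
    folder_acl: dict = field(default_factory=dict)
    # users allowed to author/schedule automation jobs
    job_authors: set = field(default_factory=set)

    def direct_readers(self, folder):
        return set(self.folder_acl.get(folder, set())) - {SERVICE_ACCOUNT}

    def effective_readers_shared_account(self, folder):
        """Current model: every job runs as the one service account."""
        readers = self.direct_readers(folder)
        if SERVICE_ACCOUNT in self.folder_acl.get(folder, set()):
            readers |= self.job_authors  # any author's job can read the folder
        return readers

    def effective_readers_run_as_author(self, folder):
        """Proposed model: a job runs with its author's own permissions."""
        return self.direct_readers(folder)

    def exposure_report(self):
        """Folders where the shared account widens access, with the extra users."""
        report = {}
        for folder in self.folder_acl:
            extra = (self.effective_readers_shared_account(folder)
                     - self.direct_readers(folder))
            if extra:
                report[folder] = sorted(extra)
        return report


def sample_library():
    # Constructed sample data
    return Library(
        folder_acl={
            "/Finance/Restricted": {"alice", "bob", SERVICE_ACCOUNT},
            "/HR/Payroll": {"carol"},
            "/Public/Dashboards": {"alice", "bob", "carol", "dave", SERVICE_ACCOUNT},
        },
        job_authors={"alice", "dave", "erin"},
    )
```

Calling `sample_library().exposure_report()` lists, per folder, the job authors who have no direct permission but can reach the content through the shared account.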

