In System Settings, on the Gallery screens, configure the Gallery component. The Gallery component is available for configuration if the local machine is configured as a Gallery.
The Alteryx Gallery is a cloud-based application for publishing, sharing, and executing workflows. It communicates directly with the Alteryx Service for the management and execution of the workflows and utilizes a MongoDB persistence layer for all state maintenance. This allows the Gallery to be deployed across multiple servers behind a load balancer (not provided as part of the architecture) to support horizontal scalability.
Alteryx offers a public Gallery (https://gallery.alteryx.com/), where users can sign up and share workflows, apps, and macros, and a private Gallery, which allows companies to offer the Gallery to internal users hosted on their own server infrastructure.
The General screen includes configuration options such as where temporary files and log files should be stored.
- Gallery Workspace: The workspace is the location where the Gallery stores temporary files. By default it is a folder within the global workspace folder. This path should point to a location that can safely hold a large number of files.
- Logging Directory: This is the location where log messages specific to the Gallery services will be stored. See Log Files.
- Base Address: This is the URL that users use to go to the Gallery. Although the domain configuration must be done elsewhere, this URL is used in areas such as email content when links to workflows are made available.
- Enable SSL: Enabling this changes the URL in the Base Address field to https. If you enable SSL and your certificate is set to a port other than the default 443, include the port in the URL (e.g., https://localhost:445/gallery/). See Enable Gallery SSL.
- Default Run Mode: Determines the level at which workflows are permitted to run in the Gallery. Workflows that contain certain tools or certain data access may need to be blocked. If a user has a workflow that uses one of the prohibited tools in a safe manner, they may request an exemption from the Gallery Admin. Exemptions are managed on the Workflows page in the Gallery. See Workflows.
Safe and Semi-safe options can only be used if the Run As setting is enabled in System Settings on the Worker Run As screen. See Worker.
- Unrestricted: Any workflow can be run.
- Semi-safe: Blocks a workflow from running if it reads or writes data located outside the workflow staging directory (workspace) and its sub-directories.
- Safe: Blocks a workflow from running if it reads or writes data located outside the workflow staging directory (workspace) and its sub-directories. Workflows that use certain tools and events are also blocked from running. The tools and events include: Run Command tool, Download tool, Email tool, R tool, Python tool, Run Command event, and Send Email event.
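The three run modes can be read as a policy over the paths a workflow touches and the tools it uses. The following is an added illustration of those rules, not Alteryx's enforcement code; the workspace path and the way a workflow is represented (a list of tool names and a list of paths) are assumptions made for the example.

```python
import ntpath  # Windows path rules, usable on any platform

# Tools and events the page lists as blocked in Safe mode.
SAFE_BLOCKED = {"Run Command tool", "Download tool", "Email tool", "R tool",
                "Python tool", "Run Command event", "Send Email event"}

WORKSPACE = r"C:\Example\Workspace"  # constructed path, not a product default


def inside_workspace(workspace, target):
    """True if target resolves to the workspace or one of its sub-directories."""
    ws = ntpath.normcase(ntpath.normpath(workspace))
    # join() keeps absolute targets as they are; normpath() collapses "..\" segments
    tg = ntpath.normcase(ntpath.normpath(ntpath.join(ws, target)))
    try:
        # Component-wise comparison, so ...\Workspace2 is not taken for ...\Workspace
        return ntpath.commonpath([ws, tg]) == ws
    except ValueError:  # different drive letter or a UNC share
        return False


def evaluate(run_mode, workspace, tools, paths):
    """Return the reasons a workflow would be blocked (empty list = allowed)."""
    if run_mode == "Unrestricted":
        return []
    reasons = [f"path outside workspace: {p}" for p in paths
               if not inside_workspace(workspace, p)]
    if run_mode == "Safe":
        reasons += [f"blocked in Safe mode: {t}"
                    for t in sorted(set(tools) & SAFE_BLOCKED)]
    return reasons


if __name__ == "__main__":
    # Constructed workflow: one traversal path, one UNC path, one prohibited tool
    for mode in ("Unrestricted", "Semi-safe", "Safe"):
        print(mode, evaluate(mode, WORKSPACE, ["Input Data", "Python tool"],
                             [r"job1\out.csv", r"..\..\Windows\win.ini",
                              r"\\fileserver\share\data.csv"]))
```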
The Authentication screen includes configuration options for the type of authentication you want to use to access the Gallery.
- Authentication Type: Alteryx Server supports built-in authentication, integrated Windows authentication with or without Kerberos support, and SAML authentication.
- Built-in: Allows users to access the Gallery using an email address and password.
- Integrated Windows authentication: Allows users to access the Gallery with internal network credentials.
Alteryx Server supports multiple domains for Windows authentication. There is no configuration needed within Alteryx Server to enable this, but the following capabilities and permissions must be present across the domains.
- The domain the Gallery is running on needs the same trust policy as other domains users are working on so Active Directory can resolve and determine user permissions.
- Both domains need to be part of the same forest.
- The Alteryx Service needs to be able to read all attributes from CN=Users and CN=Computers containers for both domains. The Alteryx Service runs under the Local System account on the server it is installed on. If a dedicated service account is defined instead of using Local System, the account needs permissions to read all attributes from both containers to enable authentication for both domains.
- Integrated Windows authentication with Kerberos: Allows users to access the Gallery with internal network credentials using Kerberos authentication protocols.
- SAML authentication: Allows users to access the Gallery with Identity Provider (IDP) credentials.
Once an authentication type has been selected, it should not be changed, or Gallery functionality may be compromised.
- Select an option for obtaining metadata required by the IDP: Alteryx provides support for configuring SAML using an IDP Metadata URL, or an X509 certificate and IDP SSO URL.
- SAML IDP Configuration: To configure SAML authentication for Single Sign On (SSO), you must have an account with an Identity Provider (IDP) that supports SAML.
Before configuring SAML authentication for the Gallery, you must add Alteryx Server as a Service Provider application within the IDP. The IDP may require the ACS Base URL (for example: http://localhost/aas/Saml2/Acs) and SP Entity ID (for example: http://localhost/aas/Saml2). The IDP may also require email, firstName, and lastName attribute statements to be mapped to corresponding fields in the IDP so users can be authenticated.
- ACS Base URL: The URL for the Assertion Consumer Service, which accepts SAML messages for the purpose of establishing a session.
- IDP URL: The URL for the Alteryx application configured in the IDP. It may also be referred to as the IDP Entity ID.
- IDP Metadata URL: The URL provided by the IDP that includes the IDP SSO URL and the X509 certificate for configuring the Alteryx Authentication Service.
- IDP SSO URL: The SSO URL, provided by the IDP, that the Alteryx Authentication Service uses to log into the IDP.
- X509 certificate: The public certificate provided by the IDP for secure communication with the Alteryx Authentication Service.
- Verify IDP: Click this button to open a browser window, log in, test the IDP configuration, and set the Default Gallery Administrator.
- Default Gallery Administrator: A Gallery Administrator account must be created to administer the site (manage users, workflows, and more). If the Gallery is enabled in the System Settings > Environment > Set Up screen, the Default Gallery Administrator is a required field. See Environment.
- If using Built-in, enter the administrator's email address (ex. email@example.com).
- If using Integrated Windows authentication, enter the user account (ex. Domain\Username).
- If using SAML authentication, click Verify IDP to test the IDP configuration and populate the field with IDP credentials.
The SMTP screen includes configuration options for enabling SMTP. If the Gallery is enabled on the Setup screen, the information on the SMTP page is required so that the server can send email notifications for various events such as registering your Gallery account, changing your password, or sharing a workflow.
- In From Email, type the email address from which emails are to be sent.
- Type the email service host name in Host.
- Type a username and password in Username and Password, if the SMTP server configuration requires it.
- Click Test. If the test is successful, an email is sent to the email address in From Email.
Deselect Enable SMTP to complete the Server setup without enabling SMTP. Email notifications from the Gallery will be disabled until SMTP settings are configured.
If the SMTP server is set up to use SSL, select the Use SSL checkbox.
Use Controller Persistence Settings: The Gallery stores information for users, collections, etc. in MongoDB. Select this option (which is on by default) for the Gallery to use the persistence options set on the Controller > Persistence screen. See Controller. If you would like the Gallery to use a different MongoDB connection than the Controller, specify the host, user name, and password information.
Same settings as Web Persistence: Indices for search functionality within the Gallery are also stored in MongoDB. Select this option (which is on by default) for the Search indices to be persisted using the same options as the Web Persistence. If you would like the search indices to use a different MongoDB connection than the Web Persistence, specify the host, user name, and password information.