Gallery
The Gallery is a cloud-based application for publishing, sharing, and executing workflows. It communicates with the service to manage and execute workflows. Gallery uses a MongoDB persistence layer for state maintenance. This allows you to deploy the Gallery across multiple servers behind a load balancer (not provided as part of the architecture) to support horizontal scalability.
The Gallery is a private website, hosted on your server infrastructure, that allows internal users to share workflows, apps, and macros. Alteryx also offers a Public Gallery (https://gallery.alteryx.com/) where users can sign up and share workflows, apps, and macros.
Configure the Gallery component on the Gallery screens in System Settings. The Gallery screens are available for configuration if you've selected 1 of these options on the Environment > Setup Type screen:
- Complete Alteryx Server
- Custom > Enable Gallery
Gallery General
The Gallery General screen has configuration options, such as where you want to store temporary files and log files.
Gallery Workspace
The Gallery Workspace is the location where the Gallery stores temporary files. By default, it is a folder within the global workspace folder. This path should point to a location that is safe to store large amounts of files.
- Logging Directory: This is the location where you want to store Gallery log messages. See Log Files.
- Base Address: This is the URL that users use to go to the Gallery.
- Enable SSL: Enabling SSL changes the URL in the Base Address field to https. If your certificate is set to a port other than the default 443, include the port in the URL (for example, https://localhost:445/gallery/). See Enable Gallery SSL.
- Default Run Mode: Run Mode determines the workflows that Gallery users can run. Use Default Run Mode to block workflows with specific tools or directory access from running in the Gallery.
Semi-safe and Safe are only available if you have enabled the Run As setting in System Settings on the Worker > Run As screen or if you have specified Run As. See Worker and Credentials for more information.
If your Default Run Mode is Safe or Semi-safe, Gallery admins can change the run mode in each workflow on the Workflows page in the Gallery Admin interface. See Workflows.
- Unrestricted: Gallery users can run any workflow.
- Semi-safe: Block Gallery users from running workflows that read data from or write data to a location that is not within the workflow staging directory (workspace).
- Safe: Block Gallery users from running workflows that read data from or write data to a location that is not within the workflow staging directory (workspace). Gallery users are also blocked from running workflows that use specific tools, events, and data connectors. See Safe and Semi-safe Run Modes: Blocked Tools, Events, and Data Connectors.
The Gallery Authentication screen has configuration options for the type of authentication you want to use to access the Gallery.
Authentication Type
Server supports built-in authentication, integrated Windows authentication with or without Kerberos support, and SAML authentication.
Server doesn't support changing the authentication type after configuration. Doing so might compromise Gallery functionality. If you want to change the authentication type, contact support to create a plan.
- Built-in: Allows users to access the Gallery using an email address and password.
- Integrated Windows authentication: Allows users to access the Gallery with internal network credentials.
Multi-domain support
Server supports multiple domains for Windows authentication. You do not need to configure anything in Server to enable this, but these capabilities and permissions have to be present across the domains.
- The domain the Gallery runs on needs to have the same trust policy as other domain users so Active Directory can resolve and determine user permissions.
- Both domains need to be part of the same forest.
- The Alteryx service needs to be able to read all attributes from CN=Users and CN=Computers containers for both domains. The Alteryx service runs under the local system account on the server it is installed on. If you define a dedicated service account instead of using the local system, the account needs permission to read all attributes from both containers to enable authentication for both domains.
- Integrated Windows authentication with Kerberos: Allows users to access the Gallery with internal network credentials using Kerberos authentication protocols.
- SAML authentication: Allows users to access the Gallery with Identity Provider (IDP) credentials.
Select an option for obtaining metadata required by the IDP
You can configure SAML using an IDP Metadata URL or an X509 certificate and IDP SSO URL.
SAML IDP Configuration
To configure SAML authentication for Single Sign On (SSO), you have to have an account with an Identity Provider (IDP) that supports SAML.
Before configuring SAML authentication for the Gallery, you have to add Server as a Service Provider within the IDP. The IDP may require the ACS Base URL (for example, http://localhost/aas/Saml2/Acs) and SP Entity ID (for example, http://localhost/aas/Saml2). The IDP may also require that you map email, firstName, and lastName attribute statements to corresponding fields in the IDP to authenticate users.
- ACS Base URL: The URL for the Assertion Consumer Service that accepts SAML messages to establish a session.
- IDP URL: The URL for the Alteryx application configured in the IDP. It might also be referred to as the IDP Entity ID.
- IDP Metadata URL: The URL provided by the IDP that includes the IDP SSO URL and the X509 certificate for configuring the Alteryx Authentication Service.
- IDP SSO URL: The SSO URL, provided by the IDP, that the Alteryx Authentication Service uses to log into the IDP.
- X509 certificate: The public certificate provided by the IDP for secure communication with the Alteryx Authentication Service.
- Verify IDP: Select this button to open a browser window, log in, test the IDP configuration, and set the default Gallery administrator.
Default Gallery Administrator
A Gallery administrator account has to be created to administer the site (manage users, workflows, and more). The Default Gallery Administrator is a required field.
- If you use Built-in, enter the administrator's email address. Note that this user needs to complete their account creation. To do so, go to the Gallery sign-in page and select Don't have an account? Create one now to create the Gallery account and password.
- If you use Integrated Windows authentication, enter the user account in this format: domain\username.
- If you use SAML authentication, select Verify IDP to test the IDP configuration and populate the field with IDP credentials.
Gallery SMTP Configuration
The SMTP screen has configuration options for enabling SMTP. The information on the SMTP page is required for Server to send email notifications for various events, such as registering your Gallery account, changing your password, or sharing a workflow.
- Enter the email address from which you want emails to be sent in From Email.
- Enter the email service hostname in Host.
- Enter a username and password in Username and Password, if the SMTP server configuration requires it.
- Select Test to send a test email to the email address in From Email.
- The port default is 25 as this is standard for SMTP. You can customize this port if necessary.
- If the SMTP server is set up to use SSL, select the Use SSL checkbox.
Deselect Enable SMTP to complete the Server setup without enabling SMTP. Email notifications from the Gallery are disabled until SMTP settings are configured.
Gallery Persistence
On the Gallery Persistence screen, specify where you want to store Gallery information, like users, collections, etc.
By default, both Web Persistence and Search Persistence are set to use the same settings as those specified for the controller on the Controller > Persistence screen. See Controller.
Use Advanced Connections
Select Use Advanced Connections if you do not want to use the same location as specified for the controller or if you require support for these...
- TLS/SSL
- Replica Sets
- Sharding
- MongoDB Atlas
If you were using replica sets before the availability of the connection string option (2019.4 release), you have to change to a connection string.
When you select Use Advanced Connections, the Web Persistence and Search Persistence sections display a Connection field for you to specify your MongoDB connection string.
Connection String Tips and Examples
- Supported connection string parameters are driver dependent. To be used in a connection string, a parameter must be supported by all of the drivers listed below. Supported driver versions include...
- c 1.15 (mongoc)
- c++ 3.4.1 (mongocxx)
- c# 2.7.2 (mongoc#)
- Special characters in usernames, passwords, or parameter values must be URL encoded.
Web Persistence Examples
- On-premise, single-node example with SSL/TLS:
mongodb://username:P%40ssw0rd@hostname.domain.tld:27017/AlteryxGallery?authSource=databasename&ssl=true
- On-premise, replica set, example with SSL/TLS:
mongodb://username:P%40ssw0rd@host01.domain.tld:27017,host02.domain.tld:27017,host03.domain.tld:27017/AlteryxGallery?authSource=databasename&replicaSet=rs0&ssl=true
- Atlas example:
mongodb+srv://username:P%40ssw0rd@host-0-1mngx.mongodb.net/AlteryxGallery?retryWrites=true&w=majority
Search Persistence Examples
- On-premise, single-node example with SSL/TLS:
mongodb://username:P%40ssw0rd@hostname.domain.tld:27017/AlteryxGallery_Lucene?authSource=databasename&ssl=true
- On-premise, replica set, example with SSL/TLS:
mongodb://username:P%40ssw0rd@host01.domain.tld:27017,host02.domain.tld:27017,host03.domain.tld:27017/AlteryxGallery_Lucene?authSource=databasename&replicaSet=rs0&ssl=true
- Atlas example:
mongodb+srv://username:P%40ssw0rd@host-0-1mngx.mongodb.net/AlteryxGallery_Lucene?retryWrites=true&w=majority
See the MongoDB Connection String documentation for help formatting your connection string.
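The URL-encoding and SSL/TLS points above can be checked before a connection string is pasted into the Connection field. The following Python sketch is an added example, not Alteryx code: `build_uri` and `audit_uri` are hypothetical helper names, and the sample values are taken from the examples on this page.

```python
import re
from urllib.parse import quote, parse_qs

RESERVED = set(":/?#[]@")  # must be percent-encoded inside a username or password

def build_uri(user, password, hosts, database, params, srv=False):
    """Assemble a connection string, URL-encoding credentials and parameter values."""
    scheme = "mongodb+srv" if srv else "mongodb"
    cred = quote(user, safe="") + ":" + quote(password, safe="")
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in params.items())
    return f"{scheme}://{cred}@{','.join(hosts)}/{database}?{query}"

def _badly_encoded(text):
    """True if text holds a reserved character or a '%' that is not a %XX escape."""
    stray_percent = re.search(r"%(?![0-9A-Fa-f]{2})", text) is not None
    return stray_percent or any(ch in RESERVED for ch in text)

def audit_uri(uri):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("mongodb", "mongodb+srv"):
        return ["not a MongoDB connection string"]
    before_query, _, query = rest.partition("?")
    # Split on the LAST '@' so an unencoded '@' in the password is still caught.
    userinfo, at, _hosts_and_db = before_query.rpartition("@")
    if at:
        user, _, password = userinfo.partition(":")
        if _badly_encoded(user) or _badly_encoded(password):
            findings.append("credentials contain characters that are not URL encoded")
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(query).items()}
    # 'ssl' is the option used in this page's examples; 'tls' is its newer alias.
    tls = opts.get("ssl", opts.get("tls"))
    # mongodb+srv turns TLS on by default; plain mongodb:// needs it set explicitly.
    if tls == "false" or (tls is None and scheme == "mongodb"):
        findings.append("TLS/SSL is not enabled")
    return findings

if __name__ == "__main__":
    # Values from the page's single-node example; the raw password is "P@ssw0rd".
    good = build_uri("username", "P@ssw0rd", ["hostname.domain.tld:27017"],
                     "AlteryxGallery", {"authSource": "databasename", "ssl": "true"})
    # Constructed bad input: raw '@' in the password and no ssl parameter.
    bad = ("mongodb://username:P@ssw0rd@hostname.domain.tld:27017/"
           "AlteryxGallery?authSource=databasename")
    print(audit_uri(good), audit_uri(bad))
```

The audit never prints the credentials themselves, so its findings can be logged without exposing the password.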
Web Persistence
Select Use Controller Persistence Settings to use the same location as specified for the controller on the Controller > Persistence screen. This is the default option for Gallery web persistence. See Controller.
If you want the Gallery to use a different MongoDB connection than the controller, choose 1 of these:
- Select Use Advanced Connections and specify a Connection. See Use Advanced Connections.
OR
- Uncheck Use Controller Persistence Settings and specify the Host, Database name, Username, and Password.
Search Persistence
Indices for search functionality within the Gallery are also stored in the MongoDB.
Select Same settings as Web Persistence to use the same location as specified for web persistence. This is the default option for Gallery search persistence.
If you want the search indices to use a different MongoDB connection than web persistence, choose 1 of these:
- Select Use Advanced Connections and specify a Connection. See Use Advanced Connections.
OR
- Uncheck Same settings as Web Persistence and specify the Host, Database Name, Username, and Password.
What's Next?
Configure Engine.