Restrict User Access to Other Accounts
With Alteryx Analytics Cloud (AAC), users can join workspaces that belong to other organizations. This is useful when organizations and their customers need to collaborate in the same workspace, or when organizations have contractors doing work on their behalf.
To restrict user access to only workspaces under your account, follow this guide to configure your network security software.
Once configured, users in your organization on your network will…
Be able to sign in to workspaces and accounts managed by you.
Not be able to sign in to workspaces or accounts managed by others.
Not be able to sign in to trial workspaces created by users.
Not be able to make API calls to workspaces or accounts managed by others.
Note
This security control only applies to users who interact with AAC while on your network. It should be considered another layer in your defense-in-depth strategy, not a primary defense.
Prerequisites
You have told your Alteryx representative that you wish to enable this feature, and the feature has been enabled.
You have direct or indirect access to your network security software, and sufficient access to update policies.
Enable SSL decryption in your network security software.
You have direct or indirect access to your organization’s AAC account.
Configure your network security software.
Step 1: Retrieve Your AAC Billing Account ID
Sign in to your AAC account. Note that you need to sign in to your account and not a workspace.
Note the URL of your account.
Format:
<analytics-cloud-url>/admin-portal/<billing-account-id>/products
Example:
https://us1.alteryxcloud.com/admin-portal/02HJ4TP0AQ5V4BPSJ6MRC2Q4RY/products
Step 2: Inject Your AAC Billing Account ID as a Header
In your network security software, create a custom HTTP header insertion entry with these parameters:
URLs | Headers to Inject |
---|---|
|
Example:
|
AAC inspects this header each time a user attempts to access a workspace or account.
If the x-alteryx-allowed-account header is present, AAC validates the HTTP requests to ensure the user is accessing a workspace associated with your account.
If a user tries to access another workspace which isn’t allowed, they will be denied access and redirected back to the sign in page.
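The following Python sketch is an added example, not Alteryx code: it extracts the billing account ID from the account URL noted in Step 1, builds the header entry for Step 2, and models the header-present check described above. The function names, the sample workspace URL in the comments, and the assumption that the header value is the bare billing account ID are not from the original page.

```python
import re
from urllib.parse import urlsplit

HEADER = "x-alteryx-allowed-account"  # header name as given on this page

# Path layout from Step 1: /admin-portal/<billing-account-id>/products
_ACCOUNT_PATH = re.compile(r"^/admin-portal/([^/]+)/products/?$")


def billing_account_id(account_url: str) -> str:
    """Return the billing account ID embedded in an account (not workspace) URL."""
    parts = urlsplit(account_url)
    if parts.scheme != "https":
        raise ValueError("expected an https:// account URL")
    match = _ACCOUNT_PATH.match(parts.path)
    if match is None:
        # Typical mistake: the URL was copied while signed in to a workspace.
        raise ValueError("not an admin-portal account URL; sign in to the account")
    return match.group(1)


def injection_entry(account_url: str) -> dict:
    """Header the network security software would insert.

    Assumption: the header value is the billing account ID on its own.
    """
    return {HEADER: billing_account_id(account_url)}


def check_request(headers: dict, workspace_account_id: str):
    """Model of the header-present check (hypothetical, not AAC's implementation).

    Returns None when the header is absent, because the page only describes
    what happens when the header is present.
    """
    normalized = {name.lower(): value for name, value in headers.items()}
    allowed = normalized.get(HEADER)
    if allowed is None:
        return None
    return "allow" if allowed == workspace_account_id else "redirect-to-sign-in"


if __name__ == "__main__":
    url = "https://us1.alteryxcloud.com/admin-portal/02HJ4TP0AQ5V4BPSJ6MRC2Q4RY/products"
    entry = injection_entry(url)
    print(entry)
    print(check_request(entry, "02HJ4TP0AQ5V4BPSJ6MRC2Q4RY"))   # own account
    print(check_request(entry, "CONSTRUCTED-OTHER-ACCOUNT"))    # someone else's account
```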
Step 3: Verify AAC Access in Browser
Follow these steps to verify your configuration is correct…
Step 3a: Restricting user access to other accounts when the user is connected to a corporate network.
Ensure that you are connected to your corporate network and that your Secure Access Service Edge (network security) software controls the traffic.
Sign in to your AAC workspace to confirm that access to your account isn’t affected.
Create a trial using a new user to confirm that access to workspaces outside of your account is prohibited.
Instead of signing in to the trial, AAC should redirect you to the sign in page.
Step 3b: Restricting user access to a user’s account when the user isn’t connected to a corporate network.
Ensure that you aren’t connected to your corporate network that has the HTTP header injection policy.
Sign in to your AAC workspace from the restricted account to confirm that access to your account is prohibited.
Tip
If you are concerned about users accessing workspace resources via API while outside of your network, you can disable API access using the Allow users to generate OAuth 2.0 API tokens setting on the Workspace Settings Page.