Many Spotfire users want to extend the Spotfire environment in different ways. When allowing custom code to run within an analysis, it is important to consider security. Any custom item created by a malevolent person could potentially perform unexpected or undesired actions. Therefore, Spotfire uses different trust mechanisms to help you to keep your system safe.
In on-premises environments, administrators can control which users are allowed to produce custom content, verified by licenses and group membership, and trust can be predefined. If no predefined trust is available, you will get a warning when custom items are used.
Spotfire Visualization Mods
Spotfire visualization mods can be created and also uploaded to the Spotfire library by any user with sufficient privileges. An on-premises Spotfire administrator has many tools to ensure that only trusted developers are allowed to add and execute code. See the Spotfire Server and Environment - Installation and Administration guide for more information.
As an end user, you might have different options to trust visualization mods for yourself, depending on your role in the environment.
Anyone who creates or adds a visualization mod to the Spotfire environment can sign it. The signing informs other people about the origin of the mod and makes it possible to make informed decisions regarding whether the mod can be trusted or not. Signed mods make it possible to verify the authenticity, integrity and publisher of the code.
Signing can be done either with certificates issued by a certificate authority (CA) or with the Spotfire account of the person who loads a mod project to an analysis file. When you are offline, you can only sign mods using a certificate from a CA, not using a Spotfire account. See Spotfire Developer Documentation > TIBCO Spotfire Package Builder for more information about signing mods using a certificate.
Trusting mods or signers
When a mod is signed, it is easier to decide whether to trust it; that is, you base your trust on the company or person who has signed the mod. You can either trust all mods added by a certain person, that is, trust the signer, or trust specific mods only.
If you trust a specific mod version, the mod will be seen as trusted in all analyses where it exists. However, re-trusting will be required if any changes are made to the mod at a later stage. If you decide to trust the signer instead of a specific mod, then all future mods or new versions of a mod from that signer will automatically be trusted.
Trust can be assigned on an individual level by end users who have permission to trust mods, but an administrator can also define trust for a group of users in the Spotfire environment.
Regardless of whether the mod is signed, an attempt to add a mod that is not trusted to an analysis will lead to the question of whether or not it should be trusted (or, if you do not have permission to trust, it cannot be added). Mods should only be trusted if you are certain that they come from a reliable source.
If you have the permission to trust signers and items, you can also revoke trust you have added to an analysis using the dialog. The View all trusted signers button in the dialog takes you to the My account page on the server, where you can get an overview of all trusted signers and items, and revoke trust that has not been assigned by the administrator. Note that an administrator can withdraw trust for something that you have trusted, or invalidate a user's signature at any time.
If your user account has been used to sign items that you do not wish to stand behind, you can invalidate all your signatures from a specific time and up until now. This is done from the My account page (if any signatures are available).
An administrator can also revoke the certificate for a signer to make a signature invalid, or block a signer or a specific mod, to prevent you from adding it.
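The trust rules in this section, as an added conceptual model in Python; it is not Spotfire code or its API. Identifying a mod version by a SHA-256 digest of its code, the class and field names, the timestamps, and the order in which the checks are applied are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Mod:
    code: bytes
    signer: Optional[str] = None  # None means the mod is unsigned
    signed_at: int = 0            # constructed timestamp, arbitrary units

    @property
    def digest(self) -> str:
        # Assumption: a "specific mod version" is identified by its content.
        return hashlib.sha256(self.code).hexdigest()

@dataclass
class TrustStore:
    trusted_signers: set = field(default_factory=set)
    trusted_items: set = field(default_factory=set)    # digests of mod versions
    blocked_signers: set = field(default_factory=set)  # set by an administrator
    blocked_items: set = field(default_factory=set)    # set by an administrator
    invalid_from: dict = field(default_factory=dict)   # signer -> cutoff time

    def signature_valid(self, mod: Mod) -> bool:
        if mod.signer is None:
            return False
        # Signatures made at or after the cutoff have been invalidated.
        cutoff = self.invalid_from.get(mod.signer)
        return cutoff is None or mod.signed_at < cutoff

    def decide(self, mod: Mod, can_trust: bool) -> str:
        # Administrator blocks win over any trust the user has granted.
        if mod.digest in self.blocked_items or mod.signer in self.blocked_signers:
            return "blocked"
        if mod.digest in self.trusted_items:
            return "trusted"  # this exact version was trusted
        if self.signature_valid(mod) and mod.signer in self.trusted_signers:
            return "trusted"  # any version from a trusted signer
        # Untrusted: users with permission are asked, others cannot add it.
        return "prompt" if can_trust else "denied"

# Constructed sample: two versions of one mod signed by the same account.
v1 = Mod(b"render(v1)", signer="alice", signed_at=100)
v2 = Mod(b"render(v2)", signer="alice", signed_at=200)

pinned = TrustStore(trusted_items={v1.digest})
by_signer = TrustStore(trusted_signers={"alice"})
print(pinned.decide(v1, True), pinned.decide(v2, True))  # item trust is per version
print(by_signer.decide(v2, True))                        # signer trust covers v2
```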
Script and Data Function Trust
Spotfire scripts and data functions do not support signing, so those items are always shown under Unsigned items in the Manage trust dialog. Instead, Spotfire uses a trust mechanism, where users called Script Authors, verified by licenses and group membership, are the only ones that can make a script trusted for anyone in the organization.
In the web clients, it is not possible to assign trust to a script. If you encounter an analysis with untrusted scripts you must either open the analysis in Spotfire Analyst and trust the scripts before saving the file, or contact a script author to do it for you. Read more about Script and Data Function trust in the Spotfire Analyst User's Guide.
Data Functions written in R
TIBCO has its own implementation of the R language, TIBCO Enterprise Runtime for R (TERR), which is included in Spotfire applications. TERR comes with a restricted mode which is built to provide a secure environment when working with data functions. If the data function is trusted, then it can be executed without any restrictions. If a TERR-based data function is not trusted, Spotfire will make an attempt to run the data function in the restricted mode. If the script uses statements that are not available in the restricted mode, then the data function will be prevented from running until it has been trusted.
Using a different version of Spotfire? This help describes the web client version of Spotfire on TIBCO Cloud™. If you're looking for documentation for the installed client or other versions of Spotfire, visit the TIBCO Documentation Portal.