Spotfire Visualization Mods

Spotfire visualization mods can be created and also uploaded to the Spotfire library by any user with sufficient privileges. The license features for handling visualization mods are found under TIBCO Spotfire Extensions. To ensure that only trusted developers are allowed to add and execute code, there are many things you can do as an administrator.

Sign mods

Anyone who creates or adds a visualization mod to the Spotfire environment can sign it. The signing informs other people about the origin of the mod and helps you to make informed decisions regarding whether the mod can be trusted or not. Signed mods make it possible to verify the authenticity, integrity and publisher of the code.

Signing can be done, either through certificates created by a certificate authority (CA), or using the Spotfire account of the person who loads a mod project to an analysis file. When the Spotfire account is used to sign code, the Spotfire Server will act as a certificate authority and issue a certificate for the user (on demand only). The certificate will expire after a period of time, and then a new certificate will be issued, if the user still remains in the system. This means that a Spotfire account cannot be used to sign mods while offline. It also means that you might need to copy certificates from one system to another to keep user signatures valid, if your company develops mods on one server and wants to use them on another server. See Moving certificates from one system to another for more information. See Spotfire Developer Documentation > TIBCO Spotfire Package Builder for more information about signing mods while offline or with certificates from a CA.

Trust mods or signers

The trusting may be performed on an individual level by end users who have permission to trust mods but, as an administrator, you can also predefine trusted signers for groups in the Spotfire environment. See Adding trusted signers to a group for more information.

For an end user, it is possible to either trust all mods added by a certain person, that is, to trust the signer, or to trust specific mods only. Signers and mods that have been trusted by an end user with trusting privileges can be reviewed on each user's My account page on the server. It is reached by clicking the username at the top right while being in the library or on any other server administration page. Users with trust permission can download certificates or remove previously added trust decisions they have made. As an administrator, you can also view all trusted signers and items for each user, under Users & Groups.

If a specific mod is trusted, the mod will be seen as trusted in all analyses where it exists, however, re-trusting will be required if any changes are made to the mod at a later stage. If the signer is trusted, instead of a specific mod, then all future mods or new versions of a mod from that signer will automatically be trusted.

Untrusted mods

Attempts to add a mod that is not trusted to an analysis will lead to the question of whether or not it should be trusted (end users who do not have permission to trust cannot add untrusted mods at all). The more mods that have been pre-approved by the administrator, the fewer questions will be shown to the end users who try to add visualizations to their analyses.

Remove trusted signers

You can always withdraw a previous decision to trust a certificate or a Spotfire user signature. See Removing trusted signers from a group for more information.

Invalidate signatures and revoke certificates

If a user account has been used to sign items that the user does not wish to be responsible for, each user can invalidate their own signatures from a specific time and up until now. This is done from the My account page of the user (if any signatures are available).

As an administrator, you can invalidate another user's signatures using the revoke-code-signing-certificate command in the CLI. If a user is suspected to try to add malicious mods on purpose, then you might also want to remove the user from the system.

Other users will be informed that the mod is signed by an invalid signature.

Block certificates, users or custom items

It is also possible to block certificates, users or specific mods from being used at all. See Blocking certificates, users or custom items for more information.

CLI commands

For a complete list of the commands available for handling visualization mod trust, see Code trust commands.

Script and Data Function Trust

Currently, there is no way to sign scripts or data functions. This means that all such entities will be seen as unsigned in all the user interfaces.

Instead, Spotfire uses a trust mechanism, where users called Script Authors, verified by licenses and group membership, are the only ones that can make a script trusted for anyone in the organization. See System groups and Spotfire extensions for more information.

End users who have access can still review and trust unsigned entities from the File > Manage trust dialog in the Spotfire installed client.

Data Functions written in R

TIBCO has its own implementation of the R language, TIBCO Enterprise Runtime for R (TERR), which is included in Spotfire applications. TERR comes with a restricted mode which is built to provide a secure environment when working with data functions. If the data function is trusted, then it can be executed without any restrictions. If a TERR-based data function is not trusted, Spotfire will make an attempt to run the data function in the restricted mode. If the script uses statements that are not available in the restricted mode, then the data function will be prevented from running until it has been trusted.