The following mechanisms control security of the TERR service and to prevent users from running malicious scripts on the server.

• Restricted execution mode (REX).
• TERR engine in Docker containerization.
• Script trust and access control.

Only users in the Spotfire license group Script Author can create and mark TERR scripts as trusted. Trusted scripts run in an unrestricted execution environment (no REX or container) unless the TERR service enforces all scripts to be run in restricted mode. Untrusted scripts always run in REX mode or in a container.