Data Export an Embedded App Question

Hello,
I had a question about the DOMO App Studio. Traditionally we have embedded DOMO dashboards into our customer facing app. We have always used public embed on the dashboard and relied on our company app for user authentication and login. We also do not use any PDP or row level filters in our DOMO dashboards. This allowed our customers to export the underlying data.

I rebuilt our customer facing dashboard in app studio and I embedded it within our company app, exactly like our previous DOMO dashboard. My issue is that when accessing the new dashboard as a customer, I am unable to export data behind any visualizations even when the App is embedded as public. Inside the app within my domo instance I can select a card and embed it as public, but that still does not work, and within the "public embed" option there is a warning stating "Making this Card public will allow anyone on the web to view it and the displayed data. It also gives Domo permission to publish the Card as part of a public Card newsfeed. Do not choose "make public" for any Card that contains confidential or personally identifiable information" which makes this option a non starter, even if it worked.

Is the only way to embed an App, having the same functionality of a traditional dashboard, assigning security protocols through the DOMO admin center?

Any help on this would be greatly appreciated.

Answers

  • Jones01 Contributor

    @pshull is your data sensitive?

    If it is then you really shouldn't be using the public embedding mechanism. Anyone with the URL can view the content.

    Much safer to use the private embed option.

    With regard to exporting from app studio I think I had read that currently you can't export anything from app studio. Hopefully I'm wrong...

  • pshull Member

    @Jones01 Our data is sensitive, but our distribution method has been vetted both internally and externally, as well as discussed at length with several DOMO employees, and there are no concerns or issues about security.

    I spoke to a few of the App Studio developers at Domopalooza and they said that the Publish feature was not quite ready yet, but the embed feature was up and running. Hopefully someone knows how to address this issue. Thanks though.

  • Jones01 Contributor

    @pshull apologies I must have misunderstood how you are securing the data but I always thought (perhaps wrongly) that public embed URLs can be accessed by anyone without authentication.

    Regarding exporting someone asked something similar here I think but more about exporting the entire board. Hopefully this helps. 👍

  • pshull Member

    @Jones01 You are correct that public embed URLs can be accessed by anyone without authentication, but in my case the user has to pass through OAuth and SSO before they can view the dashboard and trace the link, which they can't do anything with except share their own company data. So anyone who can see the dashboard would already have the clearance to access company data, if that makes sense.

    In regards to the link to the article from February, thank you for looking into the issue further. I had the same issue while app studio was still in Beta. I have noticed that I can embed each individual card within the dashboard if I choose private embed and the app will allow exporting of data from that card when previewing the card. We have about 60 cards in our dashboard and it looks like I will have to privately publish all of them and then set up one of the authorization methods for each card, then repeat it for each client. I'm sure there is a programmatic way to handle the task.

    Thanks again 👍️

  • Jones01 Contributor

    @pshull we are a bit off topic but I am interested in this as private embedding is incredibly slow so anything to skip the authentication stage would be great.

    Are you saying people log into your portal and then access an iframe with the public embed URL set as the src?

    If so I would still not be happy that there are URLs available that could expose the dashboards. Admittedly it would be tough for someone to find the URL but nevertheless they are available and stored somewhere in domo in plaintext.

  • pshull Member

    @Jones01 Each of our clients has a dedicated instance of our platform that works exactly like logging into DOMO. For example, “companyname.domo.com”. They are prompted for their employee email and their password, and if all of the authentication checks are passed they are logged into their instance of our app and can use it and its functions. If a client tried to log in to an instance other than theirs by changing “companyname” and trying to log in, they are automatically redirected to their instance. One of the links within our app opens the public embed link to the Domo dashboard within an <iframe> where they can interact with it. If someone who already had the credentials wants to inspect the source code to find the public embed links for each page of the dashboard, then they can do it. We don’t use PDP row filters and once you have the embed link, you can’t do anything more with it than you could when it was in an iframe. The customer provides us with the data and we make a dashboard out of it and provide it to the customer. They can do what they choose to do with their data at that point. The only way someone could access the public embed link would be by typing in random DOMO embed links, and if a link to one of our dashboard reports was found, it would be one of thirty for a single company. The reports themselves don’t contain the navigation to get to any of the other DOMO reports for the same company. The data contains no PHI or HIPAA related data. I asked the same questions you are asking when I started working. I also spoke to someone at Domo last night and they confirmed that the public export option for apps is being talked about, but no firm plans or date yet.

  • LeeJo Member

    @pshull , did you ever figure out a solution? I'm struggling with the same right now.

    I'd even be ok with an action that opens a traditional Dashboard form within the App, but those actions don't seem to work when embedding the App.

  • pshull Member
    Answer ✓

    @LeeJo I was browsing the slack channel and came across this https://github.com/clearsquare-dev/open-source-domo/tree/main/ddx-bricks/export-btn

    Provided by @MattTheGuru

    https://domousergroup.slack.com/archives/C012FURNAS1/p1714592241476129 Here is a link to the slack thread. It’s not a perfect solution for my use case, but we would have implemented it if I had this data 2 months ago.

  • LeeJo Member

    @pshull , thanks! My data is highly sensitive and I always get nervous with external calls… at a glance, does it look like any data passes out of domo? I'm a bit over my head going through the git info but can probably figure it out.

  • MattTheGuru Contributor

    @LeeJo @pshull

    I would heavily recommend against "publicly embedding with domain whitelisting"

    If you show me the site that you are hosting on I can show you how easy it would be to get all your dashboards that are set to public.

    Here is a video showing how this doesn't prevent bad actors from seeing data that they shouldn't.

    https://www.loom.com/share/1b16dcc719f54562b1ec32e186af0de3

    Please 💡/💖/👍/😊 this post if you read it and found it helpful.
    Please accept the answer if it solved your problem.
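
The disagreement in this thread turns on whether a login page in front of an iframe protects a static public embed URL, and on the per-session authorization that private embedding adds. As an added illustration (not code from any poster, and not Domo's embed API), the Python sketch below contrasts an endpoint where the URL is the only credential with one that requires a short-lived token minted by the portal after login; every name, the signing key and the report data are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"  # assumption: known only to the portal backend
# Constructed sample data: report id -> (owning tenant, report content)
REPORTS = {"rpt-001": ("tenant-a", "tenant-a quarterly numbers")}


def serve_static_embed(report_id):
    """Static public link: knowing the URL is the only check, and it never expires."""
    owner_and_data = REPORTS.get(report_id)
    return owner_and_data[1] if owner_and_data else None


def mint_embed_token(tenant, report_id, ttl_seconds, now=None):
    """Portal backend, after login: bind tenant, report and expiry under a MAC."""
    now = time.time() if now is None else now
    claims = {"tenant": tenant, "report": report_id, "exp": int(now) + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def serve_token_embed(report_id, token, now=None):
    """Embed endpoint: check the MAC first, then expiry, report and tenant binding."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    owner, data = REPORTS.get(report_id, (None, None))
    if claims["exp"] <= now or claims["report"] != report_id or claims["tenant"] != owner:
        return None
    return data
```

In the static model the portal login never enters the decision; in the token model a copied link stops working once the token expires and cannot be retargeted at another report or tenant.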