Hello,
I had a question about the DOMO App Studio. Traditionally we have embedded DOMO dashboards into our customer facing app. We have always used public embed on the dashboard and relied on our company app for user authentication and login. We also do not use and PDP or row level filters in our DOMO dashboards. This allowed our customers to export the underlying data.
I rebuilt our customer facing dashboard in app studio and I embedded it within our company app, exactly like our previous DOMO dashboard. My issue is that when accessing the new dashboard as a customer, I am unable to export data behind any visualizations even when the App is embedded as public. Inside the app within my domo instance I can select a card and embed it as public, but that still does not work, and within the "public embed" option there is a warning stating "Making this Card public will allow anyone on the web to view it and the displayed data. It also gives Domo permission to publish the Card as part of a public Card newsfeed. Do not choose "make public" for any Card that contains confidential or personally identifiable information" which makes this option a non starter, even if it worked.
Is the only way to embed an App, having the same functionality of a traditional dashboard, assigning security protocols through the DOMO admin center?
Any help on this would be greatly appreciated.
@LeeJo I was browsing the slack channel and came across this https://github.com/clearsquare-dev/open-source-domo/tree/main/ddx-bricks/export-btn
Provided by @MattTheGuru
Here is a link to the slack thread. It’s not a perfect solution for my use case, but we would have implemented it if I had this data 2 months ago.
@pshull is your data sensitive?
If it is then you really shouldn't be using the public embedding mechanism. Anyone with the URL can view the content.
Much safer to use the private embed option.
With regard to exporting from app studio I think I had read that currently you can't export anything from app studio. Hopefully I'm wrong...
@Jones01 Our data is sensitive, but our distribution method has been vetted both internally and externally, as well as discussed at length with several DOMO employees, and there are no concerns or issues about security.
I spoke to a few of the App Studio developers at Domopalooza and they said that the Publish feature was not quite ready yet, but the embed feature was up and running. Hopefully someone knows how to address this issue. Thanks though.
@pshull apologies I must have misunderstood how you are securing the data but I always thought (perhaps wrongly) that public embed URLs can be accessed by anyone without authentication.
Regarding exporting someone asked something similar here I think but more about exporting the entire board. Hopefully this helps. 👍
@Jones01 You are correct that public embed url's can be accessed by anyone without authentication, but in my case the user has to pass through OAuth and SSO before they can view the dashboard and trace the link, which they can't do anything with except share their own company data. So anyone who can see the dashboard would already have the clearance to access company data, if that makes sense.
In regards to the link to the article from february, thank you for looking into the issue further. I had the same issue while app studio was still in Beta. I have noticed that I can embed each individual card within the dashboard if I choose private embed and the app will allow exporting of data from that card when previewing the card. We have about 60 cards in our dashboard and it looks like I will have to privately publish all of them and then set up one of the authorization methods for each card, then repeat it for each client. I'm sure there is a programmatic way to handle the task.
Thanks again 👍️
@pshull we are a bit off topic but I am interested in this as private embedding is incredibly slow so anything to skip the authentication stage would be great.
Are you saying people log into your portal and then access an iframe with the public embed URL set as the src?
If so I would still not be happy that there are URLs available that could expose the dashboards. Admittedly it would be tough for someone to find the URL but nevertheless they are available and stored somewhere in domo in plaintext.
@Jones01 Each of our clients has a dedicated instance of our platform that works exactly like logging into DOMO. For example, ”companyname.domo.com”. They are prompted for their employee email and their password, and if all of the authentication checks are passed they are logged into their instance of our app and can use it and its functions. If a client tried to login to an instance other than theirs by changing “companyname” and trying to log in, they are automatically redirected to their instance. One of the links within our app opens the public embed link to the Domo dashboard within an <iframe> where they can interact with it. If someone who already had the credentials wants to inspect the source code to find the public embed links for each page of the dashboard, then they can do it. We don’t use PDP row filters and once you have the embed link, you can’t do anything more with it than you could when it was in an iframe. The customer provides us with the data and we make a dashboard out of it and provide it to the customer. They can do what they choose to do with their data at that point. The only way someone could access the public embed link would be to typing in random DOMO embed links, and if a link to one of our dashboard reports was found, it would be one of thirty for a single company. The reports themselves don’t contain the navigation to get to any of the other DOMO reports for the same company. The data contains no PHI or HIPPA related data. I asked the same questions you are asking when I started working. I also spoke to someone at Domo last night and they confirmed that the public export option for apps is being talked about, but no firm plans or date yet.
@LeeJo I was browsing the slack channel and came across this https://github.com/clearsquare-dev/open-source-domo/tree/main/ddx-bricks/export-btn
Provided by @MattTheGuru
Here is a link to the slack thread. It’s not a perfect solution for my use case, but we would have implemented it if I had this data 2 months ago.
@LeeJo @pshull
I would heavily recommend against "publicly embedding with domain whitelisting"
If you show me the site that you are hosting on I can show you how easy it would be to get all your dashboards that are set to public.
Here is a video showing how this doesn't prevent bad actors from seeing data that they shouldn't.
** Was this post helpful? Click 💡/💖/👍/😊 below. **
** If it solved your problem. Accept it as a solution! ✔️ **
Or do you need more help? https://calendly.com/matthew-kastner/15-minute-chat
Did I help you out? Feedback is priceless and will help me more than you know.Write a review!
