I am wondering if anyone has any information on the security of using the embedded credentials option for publishing data sources linked to live SQL databases. I understand how to set it up, but am wondering what the risks are from a security perspective... exactly how secure are the embedded credentials? I have researched the options, but am not clear exactly on how the live connections work. In the documentation, for live connections, it states that it establishes a pass through. But other information I have read leads me to believe that the connection is directly between desktop and the live DB. Does Tableau server "proxy" the data connection between desktop and the live DB when accessing a published data source, or are the credentials sent to desktop and it establishes a direct connection to the DB server?
I am an IT lead and am trying to determine the most secure way to grant access to data collected by our custom built web applications and stored in internally grown databases among our various employees and departments. These databases are generally not open to our employees and the relevant data must be accessed through reporting code on the application front-end. However, we are looking at ways to use Tableau to empower our end users to better meet their own needs without needing OIT resources. I am wanting to build out a data source for each of our primary DBs/regions and allow the end user to use them to build their own custom worksheets. We have created a specific user for Tableau use that contains the datareader role (read-only). But I am not certain if I like the idea of DB credentials being disseminated out to various external users and departments that have a lower "trust" level. I know our security team will have concerns about the integrity of the credentials if they are embedded in the data source; however, they will not want to establish an individual DB user for every employee who wishes to use the data source in Tableau.
I am also considering possibly ditching the live DB approach in favor of frequently refreshed extracts. Anyone who has handled a similar scenario have any thoughts? Thanks.