8 Replies Latest reply on Apr 4, 2018 11:59 AM by Chan Tony Branched to a new discussion.

    Tableau Row Level Security Reference

    Mark Wu

      Data security has been one of the top concerns for Tableau enterprise adoption. Tableau handles data security by permission and row level security. Permission controls what workbooks/views a user can see. Row level security controls what data sets this user can see. For example, APAC users see APAC sales and EMEA users see EMEA sales only, while both APAC and EMEA users have the same permission to the same workbook.

      There are many options to implement row level security:

      1. ISMEMBEROF as data source filter or workbook filter
      2. USERNAME() x-db join with user entitlement table outside main data source (v10 feature) - can be either data source filter or workbook filter
      3. USERNAME() data source blending with user entitlement table outside main data source  - can be either data source filter or workbook filter
      4. USERNAME() x-db filter with user entitlement table outside main data source (v10 feature)
      5. Query banding for Teradata DB that has both user entitlement and main data source
      6. Initial SQL for Vertica, Oracle, SQL Server, Sybase ASE, Redshift etc. where DB has both user entitlement and main data source

       

      More details:

      • Blog  @ http://enterprisetableau.com/datasecurity/
      • Row level security March 24, 2017 webinar  PPT slides 
      • Zoom webinar recording @ here.
      • USERNAME() sample workbooks (v10.2) used in the PPT and Zoom webinar. Please note that you need to have the attached User Entitlement.xlsx and Tableau superstore sample database to make those sample workbooks work.
      • ISMEMBEROF sample workbooks (v10.2) used in the PPT and Zoom webinar. Please note that you need to set up the server groups listed in PPT slide #4 and assign some users to each of those groups in order to view any data when you open those sample workbooks. See, it is row level security....

       

      Feel free to share other alternative approaches to implement row level security.
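
What joining the main data to a user entitlement table and filtering on the signed-in user (options 2 to 4 above) does to the rows, as an added example that is not from this thread or from Tableau. The table names, column names and sample rows are constructed assumptions, and the username parameter stands in for what USERNAME() returns.

```python
import sqlite3

# Constructed sample data: a small stand-in for the Superstore orders table
# and a user entitlement table (table and column names are assumptions).
ORDERS = [(1, "APAC", 120.0), (2, "EMEA", 300.0), (3, "APAC", 80.0), (4, "LATAM", 50.0)]
ENTITLEMENTS = [("alice", "APAC"), ("bob", "EMEA"), ("carol", "APAC"), ("carol", "EMEA")]


def build_db():
    """Load the constructed tables into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER, region TEXT, sales REAL)")
    db.execute("CREATE TABLE user_entitlement (username TEXT, region TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    db.executemany("INSERT INTO user_entitlement VALUES (?, ?)", ENTITLEMENTS)
    return db


def rows_visible_to(db, username):
    """Rows left after the inner join to the entitlement table, keeping only
    the entitlement rows of the given user. No entitlement row means no data."""
    query = """
        SELECT o.order_id, o.region, o.sales
        FROM orders AS o
        JOIN user_entitlement AS e ON e.region = o.region
        WHERE e.username = ?
        ORDER BY o.order_id
    """
    return db.execute(query, (username,)).fetchall()


def duplicate_entitlements(db):
    """Duplicate (username, region) pairs make the join return each matching
    order more than once, which inflates SUM(sales) for that user."""
    query = """
        SELECT username, region, COUNT(*) FROM user_entitlement
        GROUP BY username, region HAVING COUNT(*) > 1
    """
    return db.execute(query).fetchall()


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "carol", "mallory"):
        print(user, rows_visible_to(db, user))
    print("duplicate entitlements:", duplicate_entitlements(db))
```

The inner join makes the filter default-deny: a user missing from the entitlement table, and a region nobody is entitled to, both yield no rows.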

        • 1. Re: Tableau Row Level Security
          Jeff Strauss

          Thanks for posting, Mark!  We are starting to use #4 and it seems to work nicely.  (USERNAME() x-db filter with user entitlement table outside main data source (v10 feature))

          • 2. Re: Tableau Row Level Security
            John Kuo

            Wonderful! Thank you, Mark!

            • 3. Re: Tableau Row Level Security
              jennifer.bielak.0

              Hey Jeff,

               

              This is just a matter of 'I haven't tried it yet' but just to confirm: the way to make sure a user doesn't remove the data source filter is to deny them the ability to edit the data source, correct?

              • 4. Re: Tableau Row Level Security
                Jeff Strauss

                Yes, this is true for the datasource filter if it's embedded within a published datasource.  But depending on which method you choose (i.e. we do #4 - cross db filter), you may need to deny edit of the workbook too.

                • 5. Re: Tableau Row Level Security
                  mortenbodaugaard.jrgensen

                  What about SQL Server Analysis Services?

                   

                  Personally, I find the only good way to handle security is through the use of Kerberos and live connecting to Cubes with this kind of data source.

                   

                  But that is also quite resource demanding (maintaining a good Kerberos environment)

                  • 6. Re: Tableau Row Level Security Reference
                    Chan Tony

                    Hi Mark, great ppt on Row level security.

                     

                    Any plans to create a similar document with Field/Column level security? 

                     

                    I played around with adding a calculated field with ISMEMBER() to mask a field if the user did not belong to a certain security group.  Also trying to use Kerberos to Denodo.

                     

                    Thanks, Tony

                    • 7. Re: Tableau Row Level Security Reference
                      Mark Wu

                      Column level security is very similar to row level security. Here is my process with attached Superstore sample data:

                       

                      How to Implement Tableau Column Level Security:

                      1. For example, you want to show sales & profit measures only to a group, Sales_Managers, and a few super users, while others see sales only but not profit.

                      2. Renamed Superstore sample data measure Profit to ProfitSource

                      3. Created calculation profit as follows:

                      // Return the real profit only to Sales_Managers members and the two named super users
                      IF (ISMEMBEROF("Sales_Managers")
                        OR USERNAME() = "Superuser1"
                        OR USERNAME() = "Superuser2"
                        )
                      THEN [ProfitSource]
                      ELSE NULL
                      END

                      4. Drag sales and profit (calculation) to rows and dates to columns

                      5. Connect to Tableau server

                      6. Use the user simulator at the bottom of the screen to type "Superuser1"; you will see both sales and profit. Select the Sales_Managers group and you see both sales and profit; select one of the users of the Sales_Managers group and you will also see both sales and profit.

                      7. If you select other users who are not part of Sales_Managers group, profit will not show

                      8. Same calculation can be in the published data source

                      2 of 2 people found this helpful
                      • 8. Re: Tableau Row Level Security Reference
                        Chan Tony

                        Thanks Mark!  I've tested this in my environment.  We have different groups with different column requirements.  For each group I think we will need to publish a separate data source.  We're hoping Kerberos SSO to Denodo with field level security will be supported later this year.