15 Replies. Latest reply on Jun 30, 2018 1:10 AM by daniel.andell

    Tableau Row Level Security Reference

    Mark Wu

      Data security has been one of the top concerns for Tableau enterprise adoption. Tableau handles data security by permission and row level security. Permission controls what workbooks/views a user can see. Row level security controls what data sets this user can see. For example, APAC users see APAC sales and EMEA users see EMEA sales only, while both APAC and EMEA users have the same permission to the same workbook.

      There are many options to implement row level security:

      1. ISMEMBEROF as data source filter or workbook filter
      2. USERNAME() x-db join with user entitlement table outside main data source (v10 feature) - can be either data source filter or workbook filter
      3. USERNAME() data source blending with user entitlement table outside main data source  - can be either data source filter or workbook filter
      4. USERNAME() x-db filter with user entitlement table outside main data source (v10 feature)
      5. Query banding for Teradata DB that has both user entitlement and main data source
      6. Initial SQL for Vertica, Oracle, SQL Server, Sybase ASE, Redshift etc where DB has both user entitlement and main data source

       

      More details:

      • Blog  @ http://enterprisetableau.com/datasecurity/
      • Row level security March 24, 2017 webinar  PPT slides 
      • Zoom webinar recording @ here.
      • USERNAME() sample workbooks (v10.2) used in the PPT and Zoom webinar. Please note that you need to have the attached User Entitlement.xlsx and Tableau superstore sample database to make those sample workbooks work.
      • ISMEMBEROF sample workbooks (v10.2) used in the PPT and Zoom webinar. Please note that you need to set up the server groups listed in PPT slide #4 and assign some users to each of those groups in order to view any data when you open those sample workbooks. See, it is row level security....

       

      Feel free to share other alternative approaches to implement row level security.
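An added example, not part of the original post: the entitlement-table join behind options 2 to 4, modelled in Python with an in-memory SQLite database. The table names, users and amounts are constructed, and the `username` parameter stands in for the value USERNAME() returns; the example also shows how a duplicate entitlement row inflates totals and how to detect it.

```python
import sqlite3

# Constructed sample data (not from the thread): sales facts and a user entitlement table.
SALES = [("APAC", 100), ("APAC", 50), ("EMEA", 200), ("AMER", 75)]
ENTITLEMENTS = [
    ("alice", "APAC"),
    ("bob", "EMEA"),
    ("carol", "APAC"), ("carol", "EMEA"),
    ("dave", "APAC"), ("dave", "APAC"),  # accidental duplicate row
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
    db.execute("CREATE TABLE entitlement (username TEXT, region TEXT)")
    db.executemany("INSERT INTO sales VALUES (?, ?)", SALES)
    db.executemany("INSERT INTO entitlement VALUES (?, ?)", ENTITLEMENTS)
    return db

def total_via_join(db, username):
    """Inner join to the entitlement table, filtered on the signed-in user
    (the value USERNAME() supplies in Tableau). No entitlement row, no data."""
    sql = ("SELECT COALESCE(SUM(s.amount), 0) FROM sales s "
           "JOIN entitlement e ON e.region = s.region WHERE e.username = ?")
    return db.execute(sql, (username,)).fetchone()[0]

def total_via_exists(db, username):
    """Reference result: each sales row is counted at most once per user."""
    sql = ("SELECT COALESCE(SUM(s.amount), 0) FROM sales s WHERE EXISTS ("
           "SELECT 1 FROM entitlement e "
           "WHERE e.region = s.region AND e.username = ?)")
    return db.execute(sql, (username,)).fetchone()[0]

def duplicate_entitlements(db):
    """(username, region) pairs that appear more than once and would multiply rows."""
    sql = ("SELECT username, region, COUNT(*) FROM entitlement "
           "GROUP BY username, region HAVING COUNT(*) > 1 ORDER BY username")
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol", "dave", "mallory"):
        print(user, total_via_join(db, user), total_via_exists(db, user))
    print("duplicates:", duplicate_entitlements(db))
```

A user with no entitlement row gets nothing back from the inner join, so the filter denies by default; the duplicate check is worth running on the entitlement table before it is joined to the main data source.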

        • 1. Re: Tableau Row Level Security
          Jeff Strauss

          thanks for posting Mark!  We are starting to use #4 and it seems to work nicely.  (USERNAME() x-db filter with user entitlement table outside main data source (v10 feature))

          • 2. Re: Tableau Row Level Security
            John Kuo

            Wonderful! Thank you, Mark!

            • 3. Re: Tableau Row Level Security
              jennifer.bielak.0

              Hey Jeff,

               

              This is just a matter of 'I haven't tried it yet', but just to confirm: the way to make sure a user doesn't remove the data source filter is to deny them the ability to edit the data source, correct?

              • 4. Re: Tableau Row Level Security
                Jeff Strauss

                yes, this is true for the datasource filter if it's embedded within a published datasource.  But depending on which method you choose (i.e. we do #4 - cross db filter), you may need to deny edit of the workbook too.

                • 5. Re: Tableau Row Level Security
                  mortenbodaugaard.jrgensen

                  What about SQL Server Analysis Services?

                   

                  Personally I find the only good way to handle security is through the use of Kerberos and live connecting to Cubes with this kind of data source.

                   

                  But that is also quite resource demanding (maintaining a good Kerberos environment)

                  • 6. Re: Tableau Row Level Security Reference
                    Chan Tony

                    Hi Mark, great ppt on Row level security.

                     

                    Any plans to create a similar document with Field/Column level security? 

                     

                    I played around with adding a calculated field with ISMEMBER() to mask a field if the user did not belong to a certain security group.  Also trying to use Kerberos to Denodo.

                     

                    Thanks, Tony

                    • 7. Re: Tableau Row Level Security Reference
                      Mark Wu

                      Column level security is very similar to row level security. Here is my process with attached Superstore sample data:

                       

                      How to Implement Tableau Column Level Security:

                      1. For example, you want to show sales & profit measure only to a group : Sales_Managers and a few super users while others see sales only but not profit.

                      2. Renamed Superstore sample data measure Profit to ProfitSource

                      3. Created calculation profit as follows:

                      // Only Sales_Managers members and the two named super users see profit
                      IF (ISMEMBEROF('Sales_Managers')
                        OR USERNAME() = 'Superuser1'
                        OR USERNAME() = 'Superuser2'
                        )
                      THEN [ProfitSource]
                      ELSE NULL
                      END

                      4. Drag sales and profit (calculation) to rows and dates to columns

                      5. Connect to Tableau server

                      6. Use user simulator at the bottom of screen to type 'Superuser1', you will also see both sales and profit. Select Sales_Managers  group, you see both sales and profit; Select one of the users of Sales_Managers group, you will also see both sales and profit.

                      7. If you select other users who are not part of Sales_Managers group, profit will not show

                      8. Same calculation can be in the published data source

                      3 of 3 people found this helpful
                      • 8. Re: Tableau Row Level Security Reference
                        Chan Tony

                        Thanks Mark!  I've tested this in my environment.  We have different groups with different column requirements.  For each group I think we will need to publish separate data source.  We're hoping Kerberos SSO to Denodo with field level security will be supported later this year.

                        • 9. Re: Tableau Row Level Security Reference
                          Matthias Mazur

                          How do you solve the issue of securing a data source with the Row Level Security? When connecting to the published Tableau Server the User Filter stops working and only works when the Data Source is embedded in the Workbook.

                          • 10. Re: Tableau Row Level Security Reference
                            Mark Wu

                            Hi Matthias, I do not recommend User Filter, not only for the reason you mentioned but also because User Filter takes a lot more maintenance when you need to add or remove users, especially in large organizations. When User Filter is used, any user change involves workbook modification. If you use ISMEMBEROF, here are tips on how to reduce ongoing maintenance:

                            1. Assuming your Directory groups are syncing with Tableau server, you can just add or delete group members from Directory, the users will sync automatically to your Tableau server groups so you do not need to update workbooks or data sources that have row level security.
                            2. How about a new dimension value? Let's say that your row level security goes by products and the existing products are: A, B, and C. You know that there will be product D to be released but the D value is not available in your source data yet. The tip is to code D logic even if dimension D does not exist in source data. I tested and it works.
                            • 11. Re: Tableau Row Level Security Reference
                              Matthias Mazur


                              Hi @Mark Wu,

                               

                               

                              I am showing you here the example of how a User Filter ( Calculated using ISMEMBEROF() ) suddenly starts working when creating a local copy of the published data source. Do you have a solution for this issue?

                              • 12. Re: Tableau Row Level Security Reference
                                Mark Wu

                                It is a known issue or known behavior. The tricky part is to replace data sources before workbook publishers publish workbooks. Please reference the manual fast way @ http://vizdiff.blogspot.com/2015/07/replacing-data-source-fast-way.html or a hacky way @ https://community.tableau.com/thread/127890#218987

                                • 13. Re: Tableau Row Level Security Reference
                                  daniel.andell

                                  Thanks Mark Wu for a great presentation

                                   

                                  I have managed to get it all to work with your instructions. But I would like to combine ISMEMBEROF for users who should have access to a high level of data with Username() for the rest of the users.

                                   

                                  I can't find any answers on whether this is possible or not.

                                   

                                  Hope you can help me out.

                                  Thanks

                                  • 14. Re: Tableau Row Level Security Reference
                                    Mark Wu

                                    Daniel, Glad to know you are able to make it work.

                                     

                                    If you detail out the scenarios you wanted to do with a combination of ISMEMBEROF() and USERNAME(), maybe others in this community can help with some ideas.

                                     

                                    I am sure that you are aware that both ISMEMBEROF() and USERNAME() can be used in the same calculation. Something like this below:

                                     

                                    (ISMEMBEROF('Phone') AND [LOB] = 'Phone') OR
                                    (USERNAME() = 'zzzz' AND [LOB] = 'Phone' AND [Region] = 'West')

                                    1 of 1 people found this helpful