Ciara Brennan (Tableau)
📌 Security & Permissions | Resources
- Security Advisories
- Platform Security
- Security Hardening Checklist
- Permissions, Site Roles and Licenses
Leonid Trofymchuk (Member) asked a question.
I tried to run the WDC3.0 example in Tableau Desktop - Basic Auth Connector.
And I noticed that user secrets are leaked in the Documents/My Tableau Repository/Logs/log.txt file:
{"ts":"2025-01-24T13:05:17.680","pid":33588,"tid":"505d0","sev":"info","req":"-","sess":"-","site":"-","traceid":"-","user":"-","k":"msg","v":"EPS Response: {\"extractorType\":\"eps\",\"port\":9095,\"extractorId\":\"44e8a599-4e91-434f-8f99-8e4e09e1c031\",\"status\":\"extract\",\"connectionData\":{\"handlerInputs\":[{\"fetcher\":\"DataFetcher\",\"parser\":\"taco:excel-file-parser\",\"data\":{},\"name\":\"unique-workbook-name\"}]},\"secrets\":{\"username\":\"user\",\"password\":\"12345\"}}"}
However, in Documents/My Tableau Repository/Logs/EPS, secrets are masked as expected:
{"ts":"2025-01-24T11:05:15.340Z","pid":"33734","sev":"info","sourceName":"EPS","v":"{ listeningServer: 'EpsApi', method: 'POST', type: 'received request', url: '/extract/my-basic-auth-connector', headers: { host: 'localhost:9089', connection: '********', 'content-length': '119', secrets: '********', 'sec-ch-ua-platform': '\"macOS\"', 'plugin-path': my-basic-auth-connector%2Fmy-basic-auth-connector-1.0.0.taco', 'sec-ch-ua': '\"Not A(Brand\";v=\"8\", \"Chromium\";v=\"132\", \"Google Chrome\";v=\"132\"', 'caller-id': 'NwG3cjfaEhJKWOZkLr8l8i', 'connector-class': 'my-basic-auth-connector', 'sec-ch-ua-mobile': '?0', 'connection-id': 'my-basic-auth-connector.1dg174a1frc3pb12bjcnp1t0or8j', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36', 'eps-instance-id': '25b945c8-6a85-4fc2-9f41-540d3d6c0834', 'content-type': 'application/json', accept: '*/*', origin: 'http://localhost:9094', 'sec-fetch-site': 'same-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'http://localhost:9094/', 'accept-encoding': 'gzip, deflate, br, zstd', 'accept-language': 'en-GB,en;q=0.9' } }"}
Is it an issue in the WDC3.0 example or a Tableau Desktop security issue?
Software:
Tableau Desktop 2024.3.3
@tableau/taco-toolkit 2.1.0
Thank you!
Best Answer
@Leonid Trofymchuk (Member)
I will try to contact the devs about this question (I am a volunteer). I cannot promise anything (the correct way is to submit a case). However, I will keep you informed if I receive a message from them.
If this post resolves the question, would you be so kind as to "Select as Best"? This will help other users find the same answer/resolution and help the community keep track of answered questions. Thank you.
Regards,
Diego Martinez
Tableau Visionary and Forums Ambassador
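A way to check existing Desktop logs for the exposure reported in this thread, as an added example that is not part of the original posts or of Tableau's tooling: it parses each JSON log line, decodes the JSON payload embedded in the "v" message, and masks any unmasked value under a secret-bearing key. The key list beyond "secrets", the function names and the sample line are assumptions constructed for illustration.

```python
import json

# "secrets" is the key seen in the leaked log line; the other names are assumptions.
SECRET_KEYS = {"secrets", "password", "token"}
MASK = "********"  # same mask string the EPS log uses

# Constructed sample in the shape of the log.txt line from the post (values are fake).
SAMPLE_LEAK = (r'{"ts":"2025-01-01T00:00:00.000","sev":"info","k":"msg",'
               r'"v":"EPS Response: {\"status\":\"extract\",\"secrets\":'
               r'{\"username\":\"alice\",\"password\":\"example-only\"}}"}')

def _mask(node, path=""):
    """Mask values under secret keys in place; return the paths that were exposed."""
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and val not in (MASK, None, "", {}):
                node[key] = MASK
                found.append(here)
            else:
                found.extend(_mask(val, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(_mask(item, f"{path}[{i}]"))
    return found

def scan_line(line):
    """Return (leaked_paths, redacted_line) for one JSON log line."""
    try:
        rec = json.loads(line)
        msg = rec.get("v")
        # The payload is JSON embedded after a text prefix such as "EPS Response: ".
        start = msg.find("{")
        payload = json.loads(msg[start:]) if start >= 0 else None
    except (ValueError, AttributeError):
        return [], line  # not JSON, or "v" is not a JSON-bearing string
    leaked = _mask(payload) if payload is not None else []
    if not leaked:
        return [], line
    rec["v"] = msg[:start] + json.dumps(payload, separators=(",", ":"))
    return leaked, json.dumps(rec, separators=(",", ":"))

def scan_lines(lines):
    """Return [(line_number, leaked_paths)] for every line that exposes a secret."""
    hits = []
    for n, line in enumerate(lines, 1):
        paths, _ = scan_line(line)
        if paths:
            hits.append((n, paths))
    return hits
```

Lines from the EPS log, whose "v" field is not JSON and already carries the mask, pass through unchanged.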
Trung Luong Thanh (Member) asked a question.
Hi guys,
Hope you are all doing well.
I have encountered a problem. When I publish my report and tick the option "Show sheets as tab" like the picture below:
My report on the server will be like this:
It has 4 views next to each other
Questions:
So I would like to set permission for USER A so that he can only see views 1-3, not the fourth (View Chi Nhanh). How can I resolve it, or is there any workaround?
Thanks a lot
Duy Van
Best Answer
From https://help.tableau.com/current/server/en-us/permissions.htm#show-or-hide-sheet-tabs
Although it is not recommended as a general practice, there are times when it can be useful to set permissions on views independently of the workbook that contains them. To do so, three conditions must be met:
When a workbook shows sheets as tabs, all views inherit the workbook permissions and any changes to the workbook permissions affect all of its views.
So you will have to publish 2 workbooks if you need this while showing sheets.
Tableau Community (Tableau) asked a question.
Hi,
I was looking at setting up viewing permissions on a visualization depending on what team people belong to.
The sheet shows how different projects are performing on different KPIs.
Basically, I would like users to only see projects that they are directly linked to.
Some people are staff members and should only see their own projects (to the exclusion of checking out how their colleagues are doing)
Some people are team leaders and should see all projects within their team
Some people are to see everything.
How would one set up this sort of structure?
Many thanks!
Jonathan Naert (Member) asked a question.
We recently upgraded Tableau Server from 2023.1 to 2023.3. During this upgrade we also installed a self-signed SSL certificate for the first time. However, users have been complaining about having to log in twice even when using correct credentials.
When they get the sign-in screen they first get a blank page with a browser pop-up asking them for their credentials. This step always seems to fail, however, with the error "sign in failed". It brings them to the 'standard' login screen where they have the ability to enter credentials again or "sign in using your windows credentials"; both of these work.
I personally have not experienced this issue; it succeeds after the first pop-up. But I have seen other users and admins experience this issue.
We're using local authentication.
Do any of you have any idea what might be the cause of this?
Big thanks in advance!
Best Answer
Hi @Emeric LE SAULNIER DE SAINT JOUAN (Member)
Thanks for your help!
We think we've figured it out, however. One of my colleagues tried adding the URL to the local intranet (Control Panel > Internet Options > Security > Local intranet > Sites > Advanced) in the Windows options. It seems to have done the trick.
Sobhan Sai Kuriti (Member) asked a question.
I have denied filter permissions for a user. As expected, the user cannot view or interact with the filter. However, the user can still access and interact with the filter action (a sheet used as a filter in the dashboard).
Is this behavior expected or a potential bug?
I would like to restrict the user from interacting with the filter action as well. Are there any workarounds? Noticed the same behaviour in both cloud and server.
Reference for Filter actions - https://help.tableau.com/current/pro/desktop/en-us/actions_filter.htm
Best Answer
@Sobhan Sai Kuriti (Member) Hello Sobhan-- I think we need a bit more information.
It sounds to me that you've denied this person filter permissions in Server, but your views use Dashboard Actions which you also want to restrict.
My understanding is Tableau filter permissions do not affect Dashboard Actions: consequently, even with Server filters "off", they can still interact in a way that changes the view.
If you're in desperate need of preventing this kind of interaction, you could drop a transparent container over your sheet and control it with DZV: leaving it in place for those who do not have permission, removing it for those that do.
The data will still be visible but protected behind a barrier. Your restricted viewers will not be able to hover to see more detail, however.
Michael Hesser (Tableau Forum Ambassador)
If this response has answered your question, kindly click "Best Answer"
Scott Naleway (Member) asked a question.
Our Tableau Server Deployment Details:
Tableau Server 2023.3.1
5 Windows 2019 Servers (HA env)
No Data Management (i.e. no Tableau Catalog)
No Advanced Management
What I am being asked to do for my Tableau Server deployment:
I work for a company in the financial services sector. My company's governance, risk, and compliance team is mandating that our Tableau Server admin team put in place a process to ensure that data living on the server does not become stale, or fail to get updated beyond a certain timeframe, to ensure any customer data is handled in compliance with certain regulations and standards. Apparently there is either an internal record retention standard at my company or a legal statute that requires that certain types of data that live untouched in the same storage location for differing periods of time "must be treated as a 'record,' and therefore, must follow a certain record retention schedule..." which would require a ton of additional processes and strain on our Tableau Admin team to meet.
Extracted content and content with external files
I have a solid understanding of the postgresql repository. From the repository, I am able to capture details about the age of extracted content and the age of the extracts/hyper files themselves pretty easily. However, I cannot find any details about how or where Tableau Server stores "external files" and how it maintains a link between these files and the content it is tied to, either a published data source or a published workbook.
What do I mean by "external files?"
When a creator publishes a workbook to the server and leaves the box checked for Include External Files (see attached screenshot). Note: even if the external file has a "live" connection, it appears that Tableau Server still uptakes a copy of that file (or data and metadata from the file).
How can the Tableau Community help?
I'd like to know:
What I have found in my research thus far:
Say I publish a workbook with one live connection to an Excel file, then I publish it to the server and leave the Include External Files box checked, it appears that Tableau Server may not actually store a hard copy of that Excel file on the server. Rather, it behaves as if it converts the data about the Excel file into some encoded binary or XML data and likely stores this in the repository (there has to be a key or ID that somehow links the workbook XML to the external file data, but I cannot find it). Then, when a viewer opens up a dashboard from the workbook that uses the external Excel file data, Tableau creates a temporary copy of the actual Excel file and places it in a temporary vizql folder that seems to disappear when the viewer's session has ended. The location of the temporary file might look something like this:
E:\Tableau Server\data\tabsvc\temp\vizqlserver_0.20233.23.1227.1336\TableauTemp\374687437\Data\Naleway\my_excel_file.xlsx
I was able to find this file on my server while I had a dashboard open online, but when I checked for it again, the folder and the file were gone.
Tip: I was able to find the file on the server due to the data contained in the repository in workgroup.public.data_connections.keychain for the connection to the excel file (see attached Data Connection Details - Live-Packaged Excel File.png). In that attached image, the top record is for an identical "live" connection in another workbook, however, for that one, I placed the file on an accessible fileshare and "did not check the include external files box." The bottom one corresponds to the connection where I did check the box for include external files.
Any and all help would be greatly appreciated!
Best Answer
Hi @Scott Naleway (Member), the XML for the workbook is stored as a BLOB (Binary Large Objects) inside the PostgreSQL database along with the embedded file. So the complete packaged workbook. The pg_largeobject table in PostgreSQL is a system table that is not specific to Tableau but is part of PostgreSQL's internal structure. It is used to manage large objects (LOBs), such as BLOBs. Also the table stores large objects in chunks.
You can log in to Postgres as sysadmin with the "tblwgadmin" user (execute tsm configuration get -k pgsql.adminpassword to get the password).
To join from your Workbook down to the BLOB:
You have to join table "public.workbooks" column "data_id" to table "public.repository_data" column "tracking_id", then table "public.repository_data" column "content" to system table "pg_largeobject" column "loid". There is one pageno per binary chunk in "pg_largeobject" so you should be able to reassemble and convert the data (in pageno sequence) or more easily using function "lo_export" on the filesystem if you wanted to.
That should be enough to get you started and I'm sure you will be able to derive a lot in regards to your audit questions.
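The join path and the pageno-ordered reassembly described in this answer, as an added example that is not part of the original post: an in-memory SQLite database stands in for the repository so the code runs offline, and the table and column names in the SELECT are the ones the answer quotes. Assumptions: the columns workbooks.name and pg_largeobject.data, that the reassembled object is the packaged workbook as a zip archive, and all sample rows, ids and file names, which are constructed.

```python
import io
import sqlite3
import zipfile

# Join path from the answer: workbooks.data_id -> repository_data.tracking_id,
# repository_data.content -> pg_largeobject.loid, chunks ordered by pageno.
# workbooks.name and pg_largeobject.data are assumed column names.
JOIN_SQL = """
SELECT lo.data
FROM workbooks w
JOIN repository_data rd ON rd.tracking_id = w.data_id
JOIN pg_largeobject lo  ON lo.loid = rd.content
WHERE w.name = ?
ORDER BY lo.pageno
"""

def packaged_files(conn, workbook_name):
    """Reassemble a workbook's large object and list the files packaged in it."""
    chunks = [row[0] for row in conn.execute(JOIN_SQL, (workbook_name,))]
    blob = b"".join(chunks)
    if not chunks or not zipfile.is_zipfile(io.BytesIO(blob)):
        return []  # unknown workbook, or plain workbook XML with nothing packaged
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        return sorted(archive.namelist())

def build_demo_db(page_size=64):
    """Constructed stand-in for the repository (SQLite, not real Tableau data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("demo.twb", "<workbook/>")
        archive.writestr("Data/demo/my_excel_file.xlsx", b"constructed bytes")
    blob = buf.getvalue()
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE workbooks (id INTEGER, name TEXT, data_id TEXT);
        CREATE TABLE repository_data (tracking_id TEXT, content INTEGER);
        CREATE TABLE pg_largeobject (loid INTEGER, pageno INTEGER, data BLOB);
    """)
    conn.execute("INSERT INTO workbooks VALUES (1, 'demo', 'trk-1')")
    conn.execute("INSERT INTO repository_data VALUES ('trk-1', 9001)")
    pages = [blob[i:i + page_size] for i in range(0, len(blob), page_size)]
    # Insert pages in reverse so that only ORDER BY pageno restores the archive.
    for no in reversed(range(len(pages))):
        conn.execute("INSERT INTO pg_largeobject VALUES (?, ?, ?)",
                     (9001, no, pages[no]))
    return conn
```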
I'm trying to figure out the best way to add permissions to Tableau Cloud Projects. We have Explorers (Publish), Viewers and Creators. We want to allow explorers to edit workbooks in production projects but not to be able to save them there. They can save their versions in Sandbox projects. We want to publish data sources to Data projects. I put together an attached document that seems to work, but I'd love to get ideas from others on what the best approach for implementing this is.
Twinkle Bansal (Member) asked a question.
Hi All,
I need to implement RLS in live connection so I created a calculated field like USERNAME() and then created a parameter and set that parameter to this calculated field on 'value when workbook opens to'.
Now in my custom SQL I have used the join condition below:
ON VIEW.LAN_ID=<Parameter.username>
It is giving me a blank value while opening the workbook, and when I check the parameter it says cannot assign null values to parameter.
I also cannot set my SQL to return all records since it is a huge dataset. Please suggest how I can implement RLS with this setup.
Best Answer
@Twinkle Bansal (Member)
Hi, again the same instructions:
a. Create a new dummy datasource with a custom SQL like:
SELECT 'dummy' AS dummy
Note this will only produce 1 row. That's all we need.
b. Create a new sheet, and drag the dummy field to detail.
c. Create a calculated field on your dummy datasource:
USERNAME()
d. In the parameter option, value when workbook opens, use the new field you just created to assign the value of the parameter.
e. Drag this sheet to the dashboard, and make it really small so your sheet is almost not visible (1px height, 1 px width, 1px in X and 1px in Y).
Save your workbook, and reopen it.
1. When the dashboard is loaded, the parameter will be set to username() because it is a calculated field from dummy datasource that has a single record.
2. Your custom SQL will run, with the value from the parameter.
3. The info of your dashboard, should be filtered to the username.
From your responses
1. I have a custom SQL in my original data source where I am joining the main table with the permission table on cost center, product, and until now was joining on username as well for RLS.
Now in my custom SQL I have used the join condition below:
ON VIEW.LAN_ID=<Parameter.username>
As you are using the username parameter it is ok.
2. Now I added a second data source and brought in my permission table, which holds the LAN_ID details.
My instructions do not say anything about bringing in a new second data source table with your permissions. Create a second datasource with a custom SQL, with only one row:
SELECT 'dummy' AS dummy
3. I created a calculated field in this second data source as: IF LAN_iD=USERNAME() THEN LAND_ID END.
My instructions clearly say: Create a calculated field on your dummy datasource:
USERNAME()
After this, you should be able to use this calculated field in the "value when workbook opens" configuration of the parameter <Parameter.username>.
On the other hand, if you are using an entitlement table, and it is not used inside your custom SQL (instead you are using it in a Tableau join or relationship), then I suggest you read:
https://www.tableau.com/learn/whitepapers/row-level-security-entitlements-tables
However, I think you are using the username parameter in your custom SQL. Something like:
SELECT *
FROM [Fact Table]
INNER JOIN [VIEW] ON [VIEW].[LAN_ID]=<Parameter.username>
Then you should follow my directions.
If this post resolves the question, would you be so kind as to "Select as Best"? This will help other users find the same answer/resolution and help the community keep track of answered questions. Thank you.
Regards,
Diego Martinez
Tableau Visionary and Forums Ambassador