In our company we are using Tableau to provide our customer with some interactive analysis that they can use to browse financial information. The integration is made by embedding the Tableau viz URL into an iFrame and also through a SAML assertion (through SSO).
The concerns I have are around the security of this solution.
Basically, the iFrame that I provide comes with the embedding parameters that isolate the view from the rest of the Tableau container. However, if I manipulate the URL, for example by copying and pasting it into a new browser window and removing the embedding parameters, I can still access the full Tableau environment.
Of course the user belongs to a group and has limited rights in that environment; however, we would like to totally exclude access to the main dashboard and expose just the visualization.
I was thinking of using an Apache server with mod_proxy and rewrite to force the URL to always append the embedding parameters, but I don't know if that will work as we are using a SAML assertion. Also, I don't know if this practice is valid and accepted from a support perspective.