Hi Tableau Admins. We're in conflict with a vendor, who is resisting our contractual agreement to apply a security model to Tableau workbooks published on our Tableau server. I would greatly appreciate your thoughts if you have experience with (or ammunition for) the scenario described below. Logical, analytical arguments have not proved very helpful, but volume of argument may help.
We are in the healthcare industry, and need to use row level security (RLS) on dashboards according to a user's role on up to 3 levels. Think of it as organization filter > clinic filter > provider filter. Our users will also mostly be external, so this is happening via Okta/SAML. We are contracting with the vendor for both a data warehouse and Tableau applications, building both at the same time.
WE WANT TO
Join SQL user tables to SQL data sources in Tableau and apply row level security using calculated fields. These are narrow and deep user tables, containing Tableau usernames and NPIs (healthcare identifier codes that will join to the data source) that we prepare separately, and will be automating. The best solution seems to me to place the user tables directly in the SQL database where the data sources reside. For some reason, still very unclear, they do not want to do that--although, I'm not sure what they might do, since we're hosting the server/s (both Tableau and data warehouse).
Their latest suggestion is for the Tableau Admin to set security "manually" in the Tableau Admin Console--this could only mean Groups. We would need to maintain a starting group of about 150 users in over 20,000 Groups to use ISMEMBEROF in calculated fields. $#@!* The Tableau Server instructor said this was a bad idea last March, when I went for training, but the vendor is not listening to us.
The vendor also thought we could wait for Tableau 10 and use cross-database joins (CDJ). I do not want to commit to that approach because it will not be ready in time for us to test and approve our sharing model (which is part of the contract). I've also read about performance concerns with CDJ, and that they may or may not work with extracts (apparently part of current beta 3 testing). While greatly anticipating Tableau 10, I bristle at vendors (who have much less skill w/Tableau than they indicated) dictating to us when we update versions.
Another option is to use custom SQL to pull the user tables from another database, and I have done this for a workaround in testing. I don't favor this approach, as it doesn't seem to be best practice and we do have full access to our data sources.
I appreciate your advice or insights. The sad part is that we're actually coming up with a great security solution that we had contracted with them to be a part of. They're missing an excellent opportunity to grow their skill in Tableau and healthcare. We're currently on 9.3.
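The user-table join described in the post, sketched as an added example that is not part of the original post and is not the poster's or the vendor's code. It uses an in-memory SQLite database in place of the warehouse; all table names, usernames, NPI values and the `role_grant` table are hypothetical, and the `WHERE` clause stands in for a Tableau filter on a calculated field such as `USERNAME() = [username]`.

```python
import sqlite3

# Constructed sample data: every name and value below is hypothetical.
SCHEMA = """
CREATE TABLE provider (npi TEXT PRIMARY KEY, clinic TEXT, org TEXT);
CREATE TABLE visits (visit_id INTEGER PRIMARY KEY, npi TEXT, charge REAL);
CREATE TABLE role_grant (username TEXT, level TEXT, scope TEXT);
CREATE TABLE user_npi (username TEXT, npi TEXT, PRIMARY KEY (username, npi));
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO provider VALUES (?,?,?)", [
        ("1000000001", "clinic_a", "org_1"),
        ("1000000002", "clinic_a", "org_1"),
        ("1000000003", "clinic_b", "org_1"),
        ("1000000004", "clinic_c", "org_2"),
    ])
    db.executemany("INSERT INTO visits (npi, charge) VALUES (?,?)", [
        ("1000000001", 100.0), ("1000000002", 200.0),
        ("1000000003", 300.0), ("1000000004", 400.0),
    ])
    db.executemany("INSERT INTO role_grant VALUES (?,?,?)", [
        ("org_admin", "org", "org_1"),
        ("clinic_mgr", "clinic", "clinic_a"),
        ("dr_smith", "provider", "1000000003"),
    ])
    # Expand each grant into one (username, npi) row per provider in scope:
    # the narrow, deep user table that sits beside the data source.
    db.execute("""
        INSERT INTO user_npi
        SELECT DISTINCT g.username, p.npi FROM role_grant g JOIN provider p
          ON (g.level = 'org' AND p.org = g.scope)
          OR (g.level = 'clinic' AND p.clinic = g.scope)
          OR (g.level = 'provider' AND p.npi = g.scope)
    """)
    return db

def visible_visits(db, username):
    # Inner join fails closed: a user with no user_npi rows sees nothing.
    rows = db.execute("""
        SELECT v.visit_id FROM visits v
        JOIN user_npi u ON u.npi = v.npi
        WHERE u.username = ? ORDER BY v.visit_id
    """, (username,))
    return [r[0] for r in rows]
```
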