4 Replies Latest reply on Aug 31, 2017 6:29 AM by Duncan Meredith

    Configuring Security using AD or Tableau Groups?

    Michael Damico

      I've read a decent number of articles on row level security with Tableau, and have proven out that I can get security to work at the row level for an individual user (using Security = USERDOMAIN() + "\" + USERNAME() ), as well as the group level using the IS_MEMBER_OF function through Tableau (bummed to learn that IS_MEMBER_OF doesn't work with AD Groups unless that has changed?)

       

      We have a list of groups and users. Users can see all data at their group level, but that's it (for example, User 1 can see User 1, User 2 and User 3 data, but not User 4, User 5 or User 6). User X in this case is a person that can see data from all groups.

       

      Group 1        Group 2
      User 1         User 4
      User 2         User 5
      User 3         User 6
      User X         User X

       

      From a data perspective, a row of data will only ever have 1 user associated with it.

       

      Here is what I am using for security and it works well, but requires maintenance:

       

      IIF(
        (ISMEMBEROF("Group 1")) AND [Employee ID] = "0259147"
        OR
        (ISMEMBEROF("Group 2") AND [Employee ID] = "019062"),
        True, False)

      Where [Employee ID] is from the security table. If this is the best way to accomplish this let me know, and then please let me know how I apply this at the data source level so I don't have to update 20 vizs

       

      The Question: What I'm wondering is what is the best way to handle my unique needs: In this case, reducing the amount of time needed to make changes to security configurations in the future.

       

      Thanks for any advice!

      MD

        • 1. Re: Configuring Security using AD or Tableau Groups?
          Toby Erkson

          I moved this to the Server admin forum because admins are typically better at understanding Server permissioning and may thus be able to provide suggestions.

          • 2. Re: Configuring Security using AD or Tableau Groups?
            Michael Damico

            Revisiting this as our security requirements are getting more complex. Does anyone know whether or not the IS_MEMBER_OF function works with AD groups? Alternatively, has anyone implemented some type of security where we can modify permissions in say an XML file rather than opening up workbooks to manage security?

             

            Thanks!

            -MD

            • 3. Re: Configuring Security using AD or Tableau Groups?
              Mark Wu

              Michael, one option is to create a separate User Entitlement table (or a spreadsheet if the user list is small enough) outside the main data source, then use a USERNAME() cross-DB join, USERNAME() data blending, or a USERNAME() cross-DB filter, which are options 2, 3, or 4 described at Tableau Row Level Security Reference.

               

              Here is how the User Entitlement table can look:

               

              Users         Entitlement
              User 1        User 1
              User 1        User 2
              User 1        User 3
              User 2        User 1
              User 2        User 2
              User 2        User 3
              User 3        User 1
              User 3        User 2
              User 3        User 3
              User x        User 1
              User x        User 2
              User x        User 3
              User x        User 4
              User x        User 5
              User x        User 6
              User 4        User 4
              User 4        User 5
              User 4        User 6
              User 5        User 4
              User 5        User 5
              User 5        User 6
              User 6        User 4
              User 6        User 5
              User 6        User 6

               

              One-time setup:

              1. Join the Entitlement column with the user field of your main data.
              2. Create calculation USERNAME()= Users
              3. Add the above calculation as workbook filter or data source filter with true.

              On-going:

              • After it is published to the server, when User 1 logs in to the server, User 1 is able to see all rows that have the user field as User 1, User 2 or User 3. User x is able to see User 1-6.
              • When you need to update user security, you only need to add to or delete from the User Entitlement table and potentially the workbook permissions, but you never need to update the workbook itself.
              • 4. Re: Configuring Security using AD or Tableau Groups?
                Duncan Meredith

                Mark Wu -

                I'm trying to implement a similar solution, but my environment has a couple of additional variables:

                1. The underlying data is based on Salesforce data.  Each row in my main data source has 1 SFID owner, in this case this ID represents the salesperson.
                2. The tableau server is using Active Directory authentication.

                 

                We have created our User Entitlement table as you describe above, though ours looks like this:

                SF_User_ID     Permitted_ID
                user 1         user 1
                user 1         user 2
                user 1         user 3
                user 2         user 2
                user 2         user 3
                etc...

                I also have a table mapping SFID to AD username.  My questions are these:  given this scenario, what should my joins look like and how do I "marry" the AD data into the mix?

                 

                Many thanks,

                DMM
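
An added sketch (not code from any poster in this thread) of the entitlement join described in replies 3 and 4, run in SQLite from Python: group membership is expanded into entitlement pairs, and an AD-username-to-SFID mapping table is joined in so that the signed-in name selects the visible rows. The `sales` and `ad_map` tables, their columns, and all user names are constructed assumptions; the `ad_username` argument stands in for the value Tableau's USERNAME() would supply.

```python
import sqlite3

# Constructed sample data. SF_User_ID / Permitted_ID come from the thread;
# every other table, column and user name is an assumption for this example.
GROUPS = {"Group 1": ["sf1", "sf2", "sf3"], "Group 2": ["sf4", "sf5", "sf6"]}
ALL_ACCESS = ["sfX"]  # "User X": may see every group's rows
AD_MAP = {"user1": "sf1", "user2": "sf2", "user3": "sf3", "user4": "sf4",
          "user5": "sf5", "user6": "sf6", "userx": "sfX"}

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sales (row_id INTEGER PRIMARY KEY, owner_sfid TEXT);
        -- The composite key rejects duplicate pairs, which would otherwise
        -- duplicate data rows once the table is joined to the main data.
        CREATE TABLE entitlement (SF_User_ID TEXT, Permitted_ID TEXT,
                                  PRIMARY KEY (SF_User_ID, Permitted_ID));
        -- AD account names are case-insensitive, so compare them that way.
        CREATE TABLE ad_map (ad_username TEXT PRIMARY KEY COLLATE NOCASE,
                             sfid TEXT NOT NULL);
    """)
    # One owner per data row, as stated in the original question.
    owners = [o for members in GROUPS.values() for o in members]
    db.executemany("INSERT INTO sales (owner_sfid) VALUES (?)",
                   [(o,) for o in owners])
    db.executemany("INSERT INTO ad_map VALUES (?, ?)", list(AD_MAP.items()))
    # Expand each group into (viewer, permitted owner) pairs; OR IGNORE makes
    # re-running the expansion idempotent.
    for members in GROUPS.values():
        pairs = [(v, o) for v in members + ALL_ACCESS for o in members]
        db.executemany("INSERT OR IGNORE INTO entitlement VALUES (?, ?)", pairs)
    return db

def visible_owners(db, ad_username):
    """Owners whose rows this AD user may see. Inner joins fail closed:
    a name with no mapping or no entitlement gets an empty result."""
    rows = db.execute("""
        SELECT s.owner_sfid
        FROM sales s
        JOIN entitlement e ON e.Permitted_ID = s.owner_sfid
        JOIN ad_map m      ON m.sfid = e.SF_User_ID
        WHERE m.ad_username = ?
        ORDER BY s.owner_sfid
    """, (ad_username,)).fetchall()
    return [r[0] for r in rows]
```

Changing who sees what is then an edit to `GROUPS` (or directly to the entitlement rows), with no change to the query that enforces the filter.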