5 Replies Latest reply on Jan 17, 2017 3:57 PM by Jamieson Christian

    Row-Level Security: How do you test it?

    David Hernandez

      Hi, everyone. I'm creating a proof of concept for row-level security in Tableau. I have two questions regarding this:

       

      Who has access to the "Filter as User" Tableau Desktop function?

      I first started off by building a POC that utilized a workbook level filter. I was able to test out whether this worked by clicking on my username at the bottom right and "spoofing" who I was by using this feature (see image below). I haven't been able to find much documentation on this so I want to ask, who can use this feature? Is there a mechanism that controls which users you can spoof? This would obviously undo any row-level security if any Desktop user has the ability to spoof. As an additional note, I have site administrator privileges.

       

       

      How can I test security filters for Published Data Source Extracts?

      The next step in my POC was to apply a Data Source filter on my extract (not an extract filter) so that row-level security is controlled at the data source level, rather than needing set-up for each individual workbook. I am utilizing a filter that evaluates the data using the USERNAME() function.

       

      At this point, the "Filter as User" function no longer seemed to work. Is there a way for me to spoof as a different user to test out security at the extract level without having to obtaining a user's credentials and log in as them?

       

       

      Thanks advance for any help!

        • 1. Re: Row-Level Security: How do you test it?
          Jamieson Christian

          David,

           

          I'll try to answer both questions as best I can:

           

          1. Who can adjust "Filter as User" on Tableau Desktop? Everyone. Tableau Desktop isn't for users, it's for authors. As soon as you give somebody a workbook to open on Tableau Desktop, they are an author and can change anything they want about the workbook. If you need to be able to enforce the row-level security, you must publish to Tableau Server / Tableau Online, or have your users run Tableau Reader instead of Tableau Desktop. (Tableau Reader does not allow the user to change the effective filter. It's also free, unlike Tableau Desktop!)
          2. How can I test user filters on a published workbook? I haven't found a good way to do this short of connecting with one of those users and have them pull up the published workbook so you can see what it looks like for them. My reports are consumed by a mix of in-house and in-the-field associates. Usually I take someone in-house, configure their access to be limited, and then walk over to their office and have them pull it up to make sure the filters were applied correctly for their USERNAME(). Not the most beautiful solution, but if you've thoroughly tested the workbook in Tableau Desktop using the "Filter as User" feature, your risk of erroneous behavior once you publish the workbook is relatively low.

           

          I hope this helps.

          1 of 1 people found this helpful
          • 2. Re: Row-Level Security: How do you test it?
            David Hernandez

            Hi Jamieson, thanks for chiming in. It's a good reminder to restrict access to anything you're publishing out in Server. It would have been great to be able to utilize a similar feature for data source filtering, but I suppose if it works as a report level filter, we should expect the same results.

            • 3. Re: Row-Level Security: How do you test it?
              Jamieson Christian

              David,

               

              If by "data source filtering", you mean Tableau's data source filtering, there is nothing that prevents you from incorporating user-based data source filters into your workbook. That's how I initially set up user security on a workbook that was published out to our field team. Data source filters support USERNAME(), just like report-level filters.

              • 4. Re: Row-Level Security: How do you test it?
                David Hernandez

                Sorry, I was a little vague in my response. When I said "it would have been great to be able to utilize a similar feature for data source filtering" the "feature" in question was the ability to spoof as a user (albeit only available to those who have the right permissions); I am currently utilizing that filter on my data sources.

                • 5. Re: Row-Level Security: How do you test it?
                  Jamieson Christian

                  Ah, I apologize, I misunderstood.

                   

                  Yes, I wish that I could do simulated "Filter as User" once a workbook was published to Tableau Server. It seems to make sense that the feature be available to the author/owner of the workbook, just not to all the other users of the workbook. I did a quick search to see if an Idea has already been posted to this effect, but I didn't find anything. (You can be the first!)