First question: are you creating an extract in your real data set or are you using a live connection to the data source?
Second question: can you help me understand what you're doing in your Segment Security field?
if attr([Segment]) = ATTR([Sample - EU Superstore].[Segment]) - This is obvious: it evaluates to True for User1 and False for User2
or attr([Segment]) = "NZWW" - This is not obvious: it evaluates to False for User1 AND for User2 (what is NZWW - the real value from your actual data source?)
You're not testing for the ALL value, so there is no way to assign access rights to ALL. Put another way, as far as Tableau is concerned, User 2 has no rights at all, as there is no match on the blended field Segment between the 2 data sources.
I THINK you want something like this instead:
if attr([Segment]) = ATTR([Sample - EU Superstore].[Segment])
ELSEIF ISNULL(ATTR([Sample - EU Superstore].[Segment]))
The only way you'll have a NULL in the secondary data source is if there is no match between the 2 tables, and the only way that happens is if the Security table contains 'ALL' - is that right?
I have done a step-by-step example on doing something similar with inner join here:
is that what you are looking for? If not, I can design another fitting your case.
That's the approach I've been using - but the dataset has exploded in size because of it and the performance is horrible, which is why I'm trying to find out if I can create a test that shows everything if you have access to all.
There are too many combinations to do it like this unfortunately.
I did your suggestion - now both can see consumer, but the user with all access isn't able to see anything else, so it's still not working as I'd hoped.
I tend to avoid Logical Calculations since they could be overridden by users with the ability to edit the workbook.
For example in your Segment Security:
IF ATTR([Segment]) = ATTR([Sample - EU Superstore].[Segment]) OR ATTR([Segment]) = "NZWW" THEN "True" else "False" END
If we add another condition 1=1 then the security is gone, since 1 is always equal to 1.
IF ATTR([Segment]) = ATTR([Sample - EU Superstore].[Segment]) OR ATTR([Segment]) = "NZWW" OR 1=1 THEN "True" else "False" END
So such security works only for users who cannot edit the workbook, while Inner Join at Database level is not affected by it.
If that is not an issue then the approach Defusing Row Level Security in Your Extracts (Before They Blow Up) Part Two | Tableau and Behold!
I found this - and it works!
Would never have figured this out on my own.
If you decide on Ball's method, you would need to introduce the Role field in your Security Data, where the members with 'All' view are like Ball's Executive.
IF USERNAME() = [User] THEN 'True' ELSEIF ISMEMBEROF('Executives') THEN IF [User] = 'All' THEN 'True' ELSE 'False' END ELSE 'False' END
From Tableau 10.2, you can join with Calculations, so you do not have to write the SQL query above.
NB: This does not prevent overriding by users with editing power. Thus I will recommend your old way.
There must be another way, which we have not thought of 'yet', to do it the old way but with good speed! I will keep looking and pondering ...
I'm going to try your technique too - always good to know as many ways as possible to do something.
I've not been using ISMEMBEROF, because our process is to bring everyone into Tableau Server on one AD group, and then set row-level security based on a join.
We have far too many unique combinations for this approach (this time).
But thanks for elaborating on it.
Hi Kirstin, I have added this note to my previous comments on Re: Data security in Tableau
Note on Users with Access to Database Tables/Views
These methods do not work with users who have both permission to download the workbook and access to the database tables/views.
Users with permission to download the workbook can remove all kinds of filters, thus if they also have access to the tables/views in the database, they will be able to see all the data.
What to do:
- Make sure that those who can download the workbook do not have access to the database tables/views.
- If possible, revoke permission to download the workbook.
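
An added example, not taken from any post in this thread: the 'ALL' entitlement handled as a single wildcard row in a database-level check, instead of expanding every user/segment combination into the security table. The table, column and user names and the sample rows are constructed, sqlite3 stands in for the real database, and how the signed-in username reaches the query is left out.

```python
import sqlite3

# Constructed sample data. Table, column and user names are assumptions
# for this example, not taken from the poster's data source.
ORDERS = [(1, "Consumer", 100.0), (2, "Corporate", 250.0),
          (3, "Home Office", 75.0), (4, "Consumer", 40.0)]
# One 'ALL' row per unrestricted user replaces one row per segment.
SECURITY = [("User1", "Consumer"), ("User2", "ALL"),
            ("User3", "ALL"), ("User3", "Corporate")]

# The entitlement check lives in the query, so it does not depend on a
# workbook filter that an editor could change. EXISTS (rather than a
# plain join) keeps a row from appearing twice when a user holds both
# 'ALL' and a specific segment.
VISIBLE_ROWS_SQL = """
SELECT o.order_id, o.segment, o.sales
FROM orders AS o
WHERE EXISTS (
    SELECT 1 FROM security AS s
    WHERE s.username = :user
      AND (s.segment = o.segment OR s.segment = 'ALL')
)
ORDER BY o.order_id
"""


def build_db():
    """Create an in-memory database holding the constructed tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders "
               "(order_id INTEGER PRIMARY KEY, segment TEXT, sales REAL)")
    db.execute("CREATE TABLE security (username TEXT, segment TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    db.executemany("INSERT INTO security VALUES (?, ?)", SECURITY)
    return db


def visible_order_ids(db, user):
    """Return the order ids the given user is entitled to see."""
    rows = db.execute(VISIBLE_ROWS_SQL, {"user": user}).fetchall()
    return [order_id for order_id, _segment, _sales in rows]


if __name__ == "__main__":
    db = build_db()
    for user in ("User1", "User2", "User3", "nobody"):
        print(user, visible_order_ids(db, user))
```

A user with no row in the security table gets an empty result, so the check fails closed.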