This is an interesting, thought-provoking question. Though I don't think I've seen it done at the site level, I can think of these possible alternatives:
1. (Simplest) Site permissions can be set to only allow specific login IDs into the site.
2. If you are using a live connection, depending on what type of database, you can pass the login credential to the database, and if the user has access, then they will be able to see the data rendered via the DB to your dashboard.
3. If you are using trusted tickets, then there is the ability to turn on client IP matching for the redemption of the tickets (Optional: Configure Client IP Matching).
4. If you have a load balancer / reverse proxy in front of your Tableau Server, then you may be able to have routing rules set up with your load balancer that only allow a set of IP ranges through to your site (Configuring Proxies for Tableau Server).
I'll keep my reply simple
Out of the box (simple, built-in functionality)? No.
Via custom methods unsupported by Tableau and maintained by you? Yes (Jeff's excellent input).
Thanks for the response and ideas. I suspect that Toby is correct and that there is no easy solution. I pondered yours and I am not sure they are a perfect fit for what we are trying to achieve (please correct me if I am wrong).
Below is a diagram of what we are trying to achieve. Note that this might be most easily solutioned by having a second independent Tableau server. Note that in the image below, the 192.168.23.0 address range is a representation of a VMware VDI environment that is the only way to access Site B. Note, also, that Mary, though she is credentialed to access Site B, should not be able to do so from the 192.168.150.0 address range (used to represent all other address space):
For sure. I agree it can't be done out of the box, so that's why I offered up alternatives.
Even with a separate independent server, how would you restrict IPs?
I don't fully understand your pic, though I can tell you we have a shared cluster accessible by both internal employees "site B" and external clients "site A". Internal employees can get to both sites, but external clients can only get to "site A". How we achieved this for "site A" was by way of trusted tickets / reverse proxy config / firewall rules. And while it got a bit complex, it managed to save licensing costs by sharing the common infrastructure.
Jeff ... let me make sure we are using the same definitions to help me see if your model works ...
- In my image presented earlier, Tom and Mary are both internal employees who work for different agencies
- When I use the term Site I mean it in the Tableau server sense ... one server with multiple sites
- Mary's credentialed access to Site B only works if she is on a specific subnet
- Mary and Tom can both access Site A
I am not sure how we would use firewall rules and/or reverse proxy settings to manage a single Tableau website with multiple internal Tableau/Sites. Wouldn't an inbound firewall rule for the 192.168.23.0 address space limit access for all sites to that scope?
The trusted tickets idea actually has promise but my reading of this indicates that it is used for restricting Tableau Server Managers to certain IPs. Have I misread this?
Yes, we're referring to site the same way. I think of it as a logical space within the same physical server.
In our implementation, we're not using trusted tickets with specific client IP matching. I just mentioned this as an option because it sounded like that's what you wanted. Rather, what we have deployed is the default method for trusted tickets where the trust is server to server in order to retrieve the trusted ticket.
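The per-site rule discussed in this thread (Site B reachable only from the 192.168.23.0 range, Site A from anywhere) differs from a plain inbound firewall rule in that the decision needs both the source address and the requested site. The sketch below is an added example, not code from any poster or from Tableau: it assumes the reverse proxy sees the site as a `/t/<site>/` path prefix, that the ranges are /24 networks, and that the site names `sitea` and `siteb` are constructed placeholders.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed policy: only sites listed here are restricted by source network.
# The /24 masks are an assumption; the thread gives only network addresses.
SITE_ALLOWED_NETS = {
    "siteb": [ipaddress.ip_network("192.168.23.0/24")],  # VDI range
}

def site_from_path(request_path):
    """Return the site name from a /t/<site>/ prefix, or None if absent."""
    path = request_path.split("?", 1)[0]
    # Decode and normalize first so "/%74/SiteB" or "/t/./siteb" cannot
    # slip past a literal prefix match.
    path = posixpath.normpath(unquote(path))
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 2 and segments[0] == "t":
        return segments[1].lower()
    return None

def is_allowed(client_ip, request_path):
    """Decide whether a request may be forwarded to the backend.

    client_ip must be the peer address the proxy itself observed,
    not a client-supplied header such as X-Forwarded-For.
    """
    nets = SITE_ALLOWED_NETS.get(site_from_path(request_path))
    if nets is None:
        return True  # site has no source restriction
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # fail closed on an unparsable address
    return any(addr in net for net in nets)

if __name__ == "__main__":
    # Constructed requests: the same user from the VDI range and from elsewhere.
    for ip, path in [
        ("192.168.23.17", "/t/siteb/views/wb/sheet"),
        ("192.168.150.9", "/t/siteb/views/wb/sheet"),
        ("192.168.150.9", "/t/sitea/views/wb/sheet"),
    ]:
        print(ip, path, "allow" if is_allowed(ip, path) else "deny")
```

A path-based rule only covers requests that carry the site in the URL path, so it complements site permissions rather than replacing them.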