4 Replies Latest reply on Apr 2, 2018 1:30 PM by Mark Wu

    Can I Control Admins Who Can Access A Data Connection and Workbook?

    Mike Miller

      I am new to Tableau, forgive me as this is prob a very basic question.  I want to upload sensitive information, in this case, payroll data.  I want to completely lock down the data to only the person who set up the data connection.  There are several other system/server admins on our Tableau account who CAN NOT get access to this information.  Can I set up a data connection so that the only person who can access the data is the person who setup the connection?

       

      I read about data security below, but unclear if any of these methods will secure the data to only the HR department payroll person.

       

      • Database login account: When you create a data source that connects to a live database, you choose between authenticating to the database through Windows NT or through the database’s built-in security mechanism.
      • Authentication mode: When you publish a data source or a workbook with a live database connection, you can choose an Authentication mode. Which modes are available depends on what you choose above.
      • User filters: You can set filters in a workbook or data source that control which data a person sees in a published view, based on their Tableau Server login account.

       

       

      Data Security

        • 1. Re: Can I Control Admins Who Can Access A Data Connection and Workbook?
          Patrick A Van Der Hyde

          Hello Mike,

           

          I am going to move this thread to Server Administration for more help.  You mention that other administrators will have access.  Will they have Tableau Server admin privelages?

           

          Patrick

          • 2. Re: Can I Control Admins Who Can Access A Data Connection and Workbook?
            Mike Miller

            Yes, admins will have server admin privileges.  The goal is to store highly sensitive information in Tableau that should only be accessed by certain people.  There will be folks who have server admin privileges who I don't want accessing this information.

            • 3. Re: Can I Control Admins Who Can Access A Data Connection and Workbook?
              Ritesh Bisht

              Hey Mike,

               

              I think USER FILTER is best for you.

               

              I tested for a site for which I am Site Admin.

               

              Just created a calculation as below and drag it to filter saying 'True'

               

              Even being the Admin of the site I could not see since I gave  access to some other user.

               

              Note: User Name is your Login

               

              Screen Shot 2018-03-30 at 2.50.54 PM.png

               

               

              When I access the workbook it will come as a Blank since my CEC login is not matching  to 'yourusername'

               

              Please set this as CORRECT/HELPFUL if it really helped you so that it can help others as well.

               

              Thanks,

              Ritesh

              • 4. Re: Can I Control Admins Who Can Access A Data Connection and Workbook?
                Mark Wu

                What if you do not want server admins to see your data?

                • Security requirement: You are Ok for admin to see your project name, workbook names, data source names, but when admins click your workbooks, you do not want admins to see any data of your workbooks. Not only that, you also want to make sure that server admins have no way to see the data even admin can edit your workbook or change your workbook permissions or change your data source permissions
                • Solution: Your source data has to be in the database that your team controls with password. When you publish workbook, use live connections only (no extracts) and do not embed the password.
                • How it works? Tableau server users will be asked to enter your database password before any data can be queried from your database. Server admins will not have your database password although admins can still see your workbook name. Even admin can download the workbook, which is the .twb only, admin still can't see any of your data which is a live connection to your data source with password required.

                 

                ps. Ritesh's proposal works but admins can change your datasource/workbook filter - which will by-pass your access control.