I think you're on the right track.
You can embed credentials in the published data source on Tableau Server so that you/the DBAs don't have to supply the credentials to the database itself to users/Tableau Desktop developers at all. This eliminates the need to provide them any access to the database, and therefore you can restrict their access to only the "approved" elements you include in a published data source. (Table, View, Custom SQL statement, etc.)
Also in Tableau Server, the admin can restrict the permission of users as Connector or Editor. So you can even make it so that even if they do have database credentials, they cannot see the definition of the data source (as only connectors). Editors can download the published data source and "look at" the connection and source statement. (I think you can also set the permissions as custom levels which can deviate from the standard "Connector" or "Editor" permissions.)
Does that help?
Thanks for the update..I have a doubt in this case..Power users will download the data source which i have published in the server..But they are unable to do any data model(joins) in data source pan.
Is their any alternative to them to do some data model?
What activities are you saying "Power users" need to be able to do?
What do you mean by "to do some data model?"
Here are some different activities that require different permission settings:
1) Build Tableau views/dashboards using existing Tableau data sources
2) Build new Tableau data sources
3) Modify existing Tableau data sources
If 1 ONLY, you can get by with what I outlined--set up published data sources that perform all the desired SELECT and JOINs from the database.
If 2 OR 3, then you need to grant the users some permissions in the database itself so that they can test new queries/custom SQL statements.