Restrict Access at the Data Row Level
When you share workbooks with others by publishing them to Tableau Server or Online, by default, all users who have access to the workbooks can see all of the data shown in the views. You can override this behavior by applying a type of filter that allows you to specify which data “rows” any given person signed in to the server can see in the view.
Suppose you created a quarterly sales report for a set of products over several years, in different geographic regions.
When you publish this report, you want to allow each regional manager to see only the data relevant to his or her region. Rather than creating a separate view for each manager, you can apply a user filter that restricts access to the data based on users’ characteristics, such as their role.
Restricting access to data in this way is referred to as row-level security (RLS). Tableau offers the following approaches to row-level security:
- Create a user filter and map users to values manually.This method is convenient but high maintenance, and security can be tentative. It must be done per-workbook, and you must update the filter and republish as your user base changes.
- Create a dynamic filter using a security field in the data.Using this method, you create a calculated field that automates the process of mapping users to data values. This method requires that the underlying data include the security information you want to use for filtering.The most common way to do this is to use a reference (or “look-up”) table that contains this information. For example, if you want to filter a view so that only managers can see it, the underlying data must include user names and specify each user’s role.Because filtering is defined at the data level and automated by the calculated field, this method is more secure than mapping users to data values manually.
Adding user filters to data sources
The two approaches in the previous section describe ways to add filters to data embedded in workbooks. If multiple workbooks connect to the same data, instead of wrangling filters on each workbook, you can filter the data source, and then connect the workbooks to the data source after you publish it.Workbooks that connect to your filtered data source expose only the data the user signed in to the server is allowed to see. In addition, all connected workbooks show data refreshes as they occur.
The related topic describes how to publish a live connection with user filters. Publishing extracts with user filters has its own complications around row duplication and performance. These are not addressed here.However, we can direct you a comprehensive discussion about row level security with extracts, on a blog maintained by a Tableau Sales Consultant who has extensive experience with this area. See the following two posts:
Thanks for your response. The solution you suggest hides the data within the column, but still exposes the column to the User. Ideally, I wouldn't want to show the column itself to the User.
Thanks for your response. For column level security I can vote in idea section.