The good: Dashboard extensions give you the ability to interact with data from third-party applications directly in Tableau. Capabilities like write-back to a database, custom actions, and deep integration with other apps are all at your fingertips.
The bad: Dashboard extensions also mean potential data vulnerability when a third-party extension is used, whether on Desktop or Server:
- An extension can access the workbook's summary data by default, and full data with additional confirmation.
- An extension can access the user's IP address, Tableau Desktop or browser version, screen resolution, and device type.
How to adopt Dashboard Extensions at a large enterprise?
- Extension for Desktop:
  - Extensions should be turned off by default on Desktop if your company controls users' Desktop installations.
  - Some very technical Desktop users can turn extensions on by themselves. Read here for details.
- Extension for Server: Tableau Server should have the following policy settings or enforcement (whether on Linux or Windows):
  - Unknown extensions can't run on Tableau Server: this is the most important setting. Just as the guest account should be turned off by default, 'enable unknown extension to run' should be off by default.
    - Unfortunately you will have to do this for every site. Please vote for the IDEA.
  - Every extension has to be added to the safe list by server admins.
    - Hopefully server admins have a policy to add only https://*.company.com/xxx URLs to the safe list. This means that a third-party extension has to be hosted on-premise before it can be used.
- Extension Gallery:
  - Some people may not agree with me here. For me, any third-party extension is unsafe, since they can change the extension definition without your knowledge or agreement, including those from the Extension Gallery on the official Tableau website.
  - The secure approach requires all extensions to be hosted on your company's web server.
  - At a high level, an extension is not safe if it is hosted outside your company. An extension is considered 'safe enough' if it is hosted within your company's firewall.
  - Large enterprises should consider creating their own extension gallery so publishers can share their extensions within the firewall.
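One way a server admin could pre-screen an extension before adding it to the safe list, as an added example that is not part of the original post or Tableau's own tooling. It assumes the extension is delivered as a .trex manifest (XML with a source-location URL and optional permission entries, a format the post does not describe), uses the post's placeholder domain company.com, and the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"t": "http://www.tableau.com/xml/extension_manifest"}  # .trex manifest namespace
ALLOWED_SUFFIX = ".company.com"  # the page's placeholder for *.company.com

def url_is_internal(url):
    """True only for an https URL whose host is a subdomain of the company domain."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    # Compare the parsed host, never the raw string: the domain can also
    # appear in the userinfo, path or query of an external URL.
    return parts.scheme == "https" and host.endswith(ALLOWED_SUFFIX)

def review_manifest(trex_text):
    """Return (url, findings); an empty findings list means the manifest fits the policy."""
    if "<!DOCTYPE" in trex_text.upper():
        return None, ["DOCTYPE present, manifest not parsed"]
    root = ET.fromstring(trex_text)
    url = root.findtext("t:dashboard-extension/t:source-location/t:url",
                        default="", namespaces=NS).strip()
    findings = []
    if not url_is_internal(url):
        findings.append("source URL is not https on *" + ALLOWED_SUFFIX)
    perms = [p.text.strip().lower() for p in root.iterfind(".//t:permission", NS) if p.text]
    if "full data" in perms:
        findings.append("requests full data access")
    return url, findings

def _manifest(url, permissions=""):  # builds a constructed sample manifest
    return ('<manifest manifest-version="0.1" xmlns="%s">'
            '<dashboard-extension id="com.company.sample" extension-version="1.0.0">'
            '<source-location><url>%s</url></source-location>'
            '<permissions>%s</permissions>'
            '</dashboard-extension></manifest>' % (NS["t"], url, permissions))

INTERNAL = _manifest("https://extensions.company.com/writeback/index.html")
EXTERNAL = _manifest("https://extensions.company.com.vendor.example/index.html",
                     "<permission>full data</permission>")

if __name__ == "__main__":
    for name, text in (("internal", INTERNAL), ("external", EXTERNAL)):
        print(name, review_manifest(text))
```

The check only covers what the manifest declares at review time; the page behind the URL still has to stay under your control, which is the reason for hosting it internally.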