1 Reply Latest reply on Nov 17, 2018 6:13 PM by Zach Leber

    Row level security using multiple Tableau groups

    Adrian Hall

      I'm trying to implement row level security by creating a calculated field which I'll then assign to the extracts data source filter.

       

      Only users assigned to one of the groups are allowed to see records.  A user could be a member of more than 1 group.  And within the calculated field, I'm assigning which group can see which team.    But after several re-writes of the logic, i can't get the RLS filter to work as expected.   

       

      Some example scenarios I may have on the server:

          User1 is a member of only A.  A group are power users & can see all records
          User2 is a member of only B.  B group can only see records where Team = AAA or BBB or CCC
          User3 is a member of B, C and D.   This user should be able to see only Teams assigned to groups B, C & D.
          User4 is a member of all groups but A.   They can see all teams assigned to all groups except for a few that are only viewable to power users in group A.

       

      If this matters, these groups are AD groups imported into Tableau server.

       

      Thank you in advance for reviewing this!!

       

      My latest RLS calculated field which I know isn't correct.  

       

      (
          //members of A group can see all rows
          ISMEMBEROF('A')
         
      )
      OR
      (
          ISMEMBEROF('B')
                  AND
          ([Team] = "AAA" or
          [Team] = "BBB" or
          [Team] = "CCC")
      )
      OR
      (
          ISMEMBEROF('C')
                  AND
          ([Team] = "AAA" or
          [Team] = "DDD" or
          [Team] = "EEE" or
          [Team] = "FFF")
      )
      OR
      (
          ISMEMBEROF('D')
                  AND
          ([Team] = "SSS" or
          [Team] = "TTT" or
          [Team] = "UUU")
      )
      OR
      (
          ISMEMBEROF('E')
                  AND
          ([Team] = "AAA" or
          [Team] = "FFF" or
          [Team] = "TTT" or
          [Team] = "UUU")
      )