Row Level Security

Row Level Security is user-based automatic data filtering. A user can only view the rows of data that they have access to when they view a Workbook or Data Source in Tableau Desktop or Tableau Server. This is distinct from Permissions, which control whether someone can see, interact with, or otherwise use the Data Source or Workbook.

Row Level Security will follow this process regardless of how it’s implemented.

User is identified

The set of Data Entitlements for the User is retrieved from all Data Entitlements

This set of Data Entitlements filters the Data.

The end user receives the filtered data.

Making Tableau Security Filters Unbreakable

The following steps will secure Tableau’s user-based security filter:

Create a Calculated Field in Tableau Desktop using a User Function or a Parameter (see Securing Tableau Parameters).

Create a Data Source Filter for the Calculated Field in Desktop

Publish the Data Source to Tableau Server

Most secure methods of achieving Row Level Security in Tableau Server require that each user has a unique username in Tableau Server and is logged in under that username. Usernames and groups can be synced via Active Directory, LDAP on Linux, or from any other source using the Tableau Server REST API.

Standard Row Level Security (Entitlements within Database Tables)

There are many ways to implement Row Level Security with a Live Connection. Most of them use Tableau’s User Functions to match against a column in the database. The resulting rows limit what data can be seen.
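The entitlements-table pattern described above, modeled in SQLite as an added example (not Tableau's own code and not from the original page). The `sales` and `entitlements` tables, their columns, the usernames and the function names are constructed for illustration; the `authenticated_username` argument stands in for the value Tableau's `USERNAME()` user function supplies.

```python
import sqlite3

# Constructed sample data: a fact table plus an entitlements table that
# maps each username to the regions that user may see.
SCHEMA = """
CREATE TABLE sales (order_id INTEGER PRIMARY KEY, region TEXT, amount REAL);
CREATE TABLE entitlements (username TEXT, region TEXT);
INSERT INTO sales VALUES
  (1, 'East', 100.0), (2, 'West', 250.0), (3, 'North', 75.0), (4, 'East', 40.0);
INSERT INTO entitlements VALUES
  ('alice', 'East'), ('alice', 'North'), ('bob', 'West');
"""

# The join is the data filter: a sales row is returned only when an
# entitlement row links its region to the identified user.
RLS_QUERY = """
SELECT s.order_id, s.region, s.amount
FROM sales AS s
JOIN entitlements AS e ON e.region = s.region
WHERE e.username = ?
ORDER BY s.order_id
"""

def build_db():
    """Create the in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def rows_for_user(conn, authenticated_username):
    """Return only the rows the identified user is entitled to.

    The username must come from the authenticated session, never from a
    value the client can edit, such as a parameter.
    """
    if not authenticated_username:
        return []  # fail closed: no identity means no rows
    return conn.execute(RLS_QUERY, (authenticated_username,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    # 'mallory' has no entitlement rows, so the join returns nothing.
    for user in ("alice", "bob", "mallory"):
        print(user, rows_for_user(conn, user))
```

A user with no entitlement rows gets an empty result rather than an error or the full table, which is the behaviour to verify for any entitlement join.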

Stored Procedures as a Data Source

You face a dilemma when using Stored Procedures (in the RDBMSs supported by Tableau): Tableau can link Tableau Parameters (but not User Functions) to Stored Procedure parameter values, but Tableau Parameters are not secure. Tableau Parameters are easily modified by end users via URLs or JavaScript.

There are a few choices:

If the Stored Procedure returns a table (that is, it is a table-valued function), you can access it through the Custom SQL dialog in Tableau. This is covered in the building of a security decoder.

Initial SQL to Pass Usernames for Stored Procedures and Views in SQL Server

Token Authentication / Authorization

Many organizations now use another service to generate auth tokens and authorize their users.

It is always recommended that you log the user into Tableau using either an SSO method (if embedding) or a secure method such as Kerberos if they are on your local domain.

Parameters and Attribute-Based Security

People often want to pass in “parameters” to set data security filters. This cannot be done securely with Tableau’s Parameters, because either the user or JavaScript on the page can change their values at any moment.

Web Services / RESTful data

Tableau offers the Web Data Connector framework to access web services and REST APIs. However, it is built around a single-user authentication framework. In other words, the only person a WDC can authenticate as is the one who authenticated at publish time to Tableau Server. It doesn’t scale up because there isn’t an API to change these credentials or publish variations.

It is possible to extract subsets larger than per-user data and then use the Extracts Row Level Security techniques above to filter the data. This may be the most efficient way to achieve the highest performance, depending on how large your data is. The Hyper API is a better choice than the Web Data Connector for this purpose. You can offload your extract generation to another machine and then add your variations to your generation program. The Extract API is used to build a flexible extract generator. This allows your users to create and receive any number of Extracts.