What are the options for securing reports in Tableau?
Securing reports in Tableau
Managing the security of data and reports is a paramount consideration. Sophisticated security requirements are supported in a straightforward, easy-to-deploy manner that requires no customization, scripting or coding.
Tableau provides several ways for you to control which users can see which data. For data sources that connect to live databases, you can also control whether users are prompted to provide database credentials when they click a published view. The following three options work together to achieve different results:
- Database login account: When you create a data source that connects to a live database, you choose between authenticating to the database through Windows NT or through the database’s built-in security mechanism.
- Authentication mode: When you publish a data source or a workbook with a live database connection, you can choose an Authentication mode.
- User filters: You can set filters in a workbook or data source that control which data a person sees in a published view, based on their Tableau Server login account.
With the exception of a core-licensed server (with guest accounts enabled), all users must log in to Tableau Server before getting access to view any information. By applying permissions at the project level, you can efficiently manage access to a large number of workbooks and data sources while still retaining the flexibility to alter security for a single group or user at any time. Securing reports is done using a combination of application-layer and data-layer controls:
- The application layer: Tableau Server credentials
- The data layer: database security
The application layer
Tableau Server provides application layer security through user credentials. Users can be managed in one of three ways:
- Local authentication
- Microsoft Active Directory
- Trusted ticket authentication
In the “Installing Tableau Server” post you learned the details of managing security for users. Once a user has been authenticated to access the Tableau Server environment, you specify which projects, workbooks, and data sources that user is permitted to see. This is called object-level security. Tableau supports assigning object-level permissions to any user group or user on any of the following objects:
- Data source
Using a top-down approach, permissions can be assigned at the project level, where they may be inherited by any workbook or data source published to that project. Permissions assigned to a user group automatically propagate to all users within the group unless a user has explicit permissions overriding the group settings. The publisher has ultimate control over whether to accept the default permissions or define customized permissions. Tableau Server comes with three predefined standard permission levels. These are called roles and include Viewer, Interactor, and Editor. Figure 10.7 shows the Interactor role permissions.
Figure 10.7 Interactor permission role menu
The permissions menu is accessed when your workbook is published by clicking the add button below the view permissions area seen in figure 10.7. Other roles can be viewed by selecting the role menu drop-down arrow. Custom roles can be defined by selecting a user or group, and then choosing the custom role option from the role menu. This allows you to set customized permissions while assigning your custom role to a specific user or group. Tableau’s manual provides step-by-step instructions for defining permissions. Access the appropriate section of the manual from the help menu in Tableau and search for setting permissions.
Defining custom roles
Customizing roles is done by defining the permissions for the role. Understanding the permissions that you allow is important. Depending on the selection made, you may grant people the ability to republish reports, change filters, redesign the workbook views, build new views, export data, download the workbook, share custom views, or even set new permissions. For a detailed description of each capability, use Tableau’s help menu and search for permissions.
Care should be taken when granting permissions to prevent the unauthorized circulation of data. The list below categorizes permissions according to risk level. High risk items give a user the ability to override permissions or disseminate data. Medium risk items convey the ability to alter or export views. Low risk permissions concern viewing and commenting capabilities.
High risk permissions
- Write/web save
- Download/web save as
- Set permissions
Medium risk permissions
- Web edit
- View summary data
- View underlying data
- Export image
Low risk permissions
- Add comment
- View comments
These risk assessments are meant to be guidelines only. If your data is highly sensitive, care should be taken to mask confidential information at the data source level to assure that confidential information is not inappropriately exposed.
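The group propagation rule and the risk tiers above can be combined into a quick audit. The following is an added example, not Tableau's permission engine and not code from the original post: it models only the two rules stated here (project grants are inherited unless the publisher customizes them, and an explicit user entry overrides group settings), and the user names, group memberships and grants are constructed.

```python
# Risk tiers exactly as listed on this page.
RISK = {
    "Write/web save": "high", "Download/web save as": "high",
    "Set permissions": "high",
    "Web edit": "medium", "View summary data": "medium",
    "View underlying data": "medium", "Export image": "medium",
    "Add comment": "low", "View comments": "low",
}

def effective_permissions(user, groups, project_grants, workbook_grants=None):
    """Capabilities a user ends up with on one workbook (simplified model).

    Grants look like {"groups": {name: set}, "users": {name: set}}.
    The workbook inherits the project's grants unless the publisher
    supplied custom ones; an explicit user entry overrides group settings.
    """
    grants = project_grants if workbook_grants is None else workbook_grants
    if user in grants.get("users", {}):
        return set(grants["users"][user])
    caps = set()
    for group in groups:
        caps |= grants.get("groups", {}).get(group, set())
    return caps

def audit_high_risk(members, project_grants, workbook_grants=None):
    """Return {user: [high-risk capabilities]} for every user holding any."""
    findings = {}
    for user, groups in members.items():
        caps = effective_permissions(user, groups, project_grants, workbook_grants)
        unknown = caps - set(RISK)
        if unknown:  # refuse to rate a capability that has no tier
            raise ValueError(f"unclassified capabilities: {sorted(unknown)}")
        high = sorted(c for c in caps if RISK[c] == "high")
        if high:
            findings[user] = high
    return findings

# Constructed sample data (hypothetical users, groups and grants).
MEMBERS = {
    "alice": ["Financial Aid"],
    "bob": ["Financial Aid"],
    "carol": ["President's Office"],
}
PROJECT_GRANTS = {
    "groups": {
        "Financial Aid": {"View comments", "Add comment", "Export image"},
        "President's Office": {"View comments", "View underlying data",
                               "Download/web save as"},
    },
    # Explicit user entry: replaces whatever bob's group would give him.
    "users": {"bob": {"View comments", "Set permissions"}},
}

if __name__ == "__main__":
    for user, caps in audit_high_risk(MEMBERS, PROJECT_GRANTS).items():
        print(f"{user}: {', '.join(caps)}")
```

The user-level entry for bob is the case worth reviewing: his group holds nothing above medium risk, yet the explicit override gives him the ability to set permissions.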
A permission-setting example
Content permissions ensure that only the right people can see and interact with your content. For example, you can tightly restrict who has access to your company’s financial information, but widely share organizational development content.
You assign content permissions to the following items:
- Data sources
Permissions can be defined so that it is possible to reuse a single workbook for groups with different access rights. For example, you may choose to group users by office. Permissions for related projects could be set so that each office only gains access to the workbooks specifically related to their individual (office) groups.
At the same time, the university president’s office could access the workbook, but with different permission settings that permit access to all of the projects and all of the related data details.
As a result, financial aid users won’t see the admissions or career service reports. Instead, they will only see and have access to their financial aid reports. However, the university president’s group will be able to view reports related to all three groups. Using this model, administrators can efficiently manage security for large and diverse entities.
The data layer
When employing a live database connection in Tableau Desktop, you must provide credentials to authenticate to the database server. This data-level security persists on Tableau Server as well. When publishing a workbook or data source you must choose what type of authentication you’ll associate with your live connection.
It’s important to understand the difference between application layer and data layer security. When a user logs in to Tableau Server, the user is authenticated at the application layer but not the data layer. When accessing any report that utilizes a live connection, the user must also be authenticated at the data layer. How that happens depends on the settings you select while publishing the workbook or data source. Your choices boil down to four options:
- Prompting the user to enter credentials
- Using embedded credentials
- Using a server Run As account
- Using SQL Server impersonation (available for SQL Server only)
By default, views connected to live data require users to log in to the data source with a database user name and password. However, you can configure Tableau Server to embed these database credentials, so that your users can skip the database login and go directly to their views. This is called embedding credentials, and you can only do it if you are the workbook publisher and your Tableau Server administrator has turned the option on in the Server Settings page.
Tableau also offers administrators an option to permit users to save their data source credentials across multiple visits and browsers. This is enabled through the embedded credential settings option in the administrative maintenance screen in Tableau Server. Figure 10.8 shows the menu with the appropriate selection checked. You also have the option to embed the connection username and password for the database from within Tableau Desktop.
Figure 10.8 Enabling embedded credentials
By using this option, all users that utilize the connection will have the same level of access as the publisher of the workbook. This is a convenient feature for users that saves them from having to log in a second time. However, enabling embedded credentials removes the ability to manage data-level access on a per-user basis.
Server Run As account using Windows Active Directory
Tableau Server runs in Windows Server environments. Therefore, Tableau Server installations utilize an Active Directory service account to run. A beneficial consequence of this fact is that Windows Active Directory (AD) can be used to eliminate unnecessary logins for Tableau Server users.
When a report is viewed on Tableau Server using a data connection employing this method, the server Run As account will be used to authenticate against the database. Your database administrator will need to ensure that the server Run As account has the proper access to connect to and query the tables and views used in your connection. Use Tableau Server’s online manual and search for run as user to view the setup details for this feature.
SQL Server impersonation
This option is only available when connecting to a SQL Server database. Impersonation is another way of eliminating the need for users to log in twice while still preserving the ability to manage data-level access on a per-user basis. This also allows the SQL Server database administrator to control security policy from the database and propagate those policies to Tableau Server.
To use SQL Server impersonation, each Tableau Server user will need an individual account on SQL Server with credentials matching those on Tableau Server. For instance, if you have chosen to use Active Directory to manage your Tableau Server users, you must grant the same Active Directory accounts access to SQL Server. The user will either need to be the server Run As account or have their credentials embedded in the workbook during the publishing step by selecting the impersonate via an embedded password option in the authentication menu.
When a user views a workbook that has implemented SQL Server impersonation, the connection is authenticated using the server Run As account or via embedded SQL Server credentials. This account then impersonates the connecting user and accesses the database with that user’s defined permissions. Search Tableau Server’s online manual for SQL Server impersonation regarding setup and configuration.
Tableau Server provides a variety of ways to manage security. In the next section you’ll find out how Tableau Server provides more flexibility and efficiency through the data server.
Improve efficiency with the data server
The Tableau data server provides a way to manage data sources that have been published to Tableau Server. These published sources can include direct connections to a database, or Tableau data extract files. Authorized staff can set permissions associated with the connections and also set refresh schedules for data extract files. The metadata associated with these published sources becomes available to any workbook that uses the data source. This metadata includes:
- Custom calculated fields
- Ad hoc groupings
- Ad hoc hierarchies
- Field name aliases
- Custom fonts and colors
The data server is efficient because it provides a flexible way to spread heavy workloads by enabling Tableau Server to absorb some of the demand normally handled by the primary database server.
Data extract files frequently perform better than the host database. The data server also saves time by enabling the work of a single individual to be shared by many. Data sources published to the server can be accessed by authorized Tableau Desktop users to create new analyses.
Next, you’ll learn how to publish a data source to Tableau Server and then use the data server to centrally host and share files, schedule automatic updates, and leverage incremental extract refreshing for near real-time data.
Publishing a data source
Publishing a data source file to the data server is done from Tableau Desktop by opening the workbook containing the data source you wish to make available for others to use. From the workbook, access the menu for publishing the data source by right-clicking on the data window containing the data source in the upper left section of the worksheet, as seen in figure 10.9.
Figure 10.9 Publishing to the data server
After right-clicking and selecting publish to the server, a server login dialog box appears. You will be required to enter the server URL, your username, and password to access the server. If you have a multiple-site deployment you’ll also need to enter the site you want to publish to. Once the server login is completed, a dialog box will appear as you see in figure 10.10.
Figure 10.10 Dialog box for publishing a data source
Define the parameters for publishing the data source by selecting the project, the data source name, the authentication method, tags, how and when you want the server to refresh the extract, and finally what permissions you wish to assign to the extract. Most of these topics have already been covered in the “Installing Tableau Server” post or in earlier sections of this post. In the next two sections you will learn more about the options for updating data source files and how to use incremental updates.
Manual vs. automatic updates
One potential benefit of using an extract (a portable copy of your original data set) can also be a drawback. The extract may not reflect the latest changes occurring in the data source until the extract is refreshed. Tableau provides two different methods for updating extract files: manual and automatic updates.
Manual updates using Tableau Desktop
Manually updating data extracts can be done via the data menu or by right-clicking on the data menu. Follow these steps to refresh the data source file:
- Start Tableau Desktop if it is not already running.
- Open the workbook containing the extract you wish to refresh.
- Select the data menu and refresh all extracts (or add data from a file to append new data).
- A dialog box will appear displaying the extracts that are available to update.
- Click on the refresh button to update the extract files.
If your workbook contains multiple extract files, they will all be updated using this method. You can also update individual extract files in the workbook by pointing at the data source in the data window, right-clicking, and then selecting extract, then refresh.
This manual process is one way you can append data from a separate source file or database, assuming the separate source contains the same fields as the original data source. To do so, follow the same steps as above, but in the last step choose add data from the file instead of refresh. In the “Automating server with Tableau’s command line tools” post you’ll see how Tableau Server’s command line tools can be used to automate manual processes.
Automatic updates using Tableau Server
If you have many different data sources and workbooks using data source files published to the server, manually updating large numbers of files would be impractical. Tableau Server comes with a pre-defined update schedule and allows you to create your own custom update schedules.
To schedule updates you’ll first need to publish your extract to Tableau Server, either directly by using the data server or indirectly by publishing the workbook that uses an extract as its data source. During the publishing process, you have the option to select a refresh schedule to have Tableau Server automatically update the extract.
Tableau Server includes predefined schedules, or your server administrator can define a custom schedule set to recur on a monthly, weekly, daily, or hourly time interval. The schedule can also be defined to allow jobs to run concurrently or sequentially, with an option to change the priority of the schedule relative to others that may occur at the same time. Figure 10.10, presented earlier, shows the schedule option in the refresh extract section. The drop-down box next to full contains the available options. You can see in the example that the extract will be refreshed during weekdays at 4:00 AM.
Defining a custom refresh schedule
For users who have been granted administrative rights, creating custom refresh schedules is done from the Tableau Server admin menu. You can see these schedules in figure 10.11.
Accessing the admin/schedules menu provides a list of the available schedules, including their type, scope, number of run times, how they run, and the next scheduled run time. To define a new custom schedule, select the new menu option that you can see above the check boxes in figure 10.11. Selecting it opens the custom schedule dialog box, which you can see below in figure 10.12.
Figure 10.11 Admins schedule menu
Figure 10.12 Creating a custom schedule
Give the schedule a clearly descriptive name and fill in the highlighted blanks. Then, click the create schedule button. This makes the schedule available for use. As you can see, there is plenty of flexibility for controlling the data extracts that are being refreshed.
What if you have a particularly large or very active data source? Very large source files take more time to update. You can reduce the time required for extracting data by employing incremental updates. Typically, when refreshing extracts, the current rows are truncated and completely replaced by a new copy of the data set. In contrast, incremental refreshes allow you to specify a date, date-time, or integer value field contained in your data to specifically identify new records in a data source.
Figure 10.13 Enabling incremental updates
When an incremental refresh is used, Tableau will check for the maximum value of the field in your extract and compare that value to each row in the original data source, importing only the rows with a later or higher value. This approach will reduce the time required to update your extract. The larger the source file, the more significant your potential time savings will be.
You define this option in Tableau Desktop when you build the extract definition by selecting the incremental refresh option, then selecting the field that you want to use to identify the new data. The field options you see in figure 10.13 include the order date or ship date fields.
If you choose to use incremental refreshes, you are not excluding the option for a full refresh. On the contrary, you simply gain the additional choice of an incremental refresh when performing either a manual or an automatic update. It is advisable to run full refreshes of the data on a regular basis because the incremental refresh may not capture all of the changes in the source data set.
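Why the regular full refresh is still needed, as an added example (not Tableau's refresh code and not from the original post): a minimal model of the maximum-value comparison described above, run on a constructed orders table. The function names and the order_id and amount fields are assumptions made for the illustration.

```python
from datetime import date

def full_refresh(source):
    """Full refresh: discard the extract and copy every source row."""
    return [dict(row) for row in source]

def incremental_refresh(extract, source, field):
    """Append only source rows whose `field` exceeds the extract's maximum."""
    if not extract:
        return full_refresh(source)
    high_water = max(row[field] for row in extract)
    return extract + [dict(r) for r in source if r[field] > high_water]

def drift(extract, source, id_field="order_id"):
    """Report how the extract differs from the source, keyed by row id."""
    ext = {r[id_field]: r for r in extract}
    src = {r[id_field]: r for r in source}
    return {
        "stale": sorted(i for i in ext.keys() & src.keys() if ext[i] != src[i]),
        "deleted_in_source": sorted(ext.keys() - src.keys()),
        "missing": sorted(src.keys() - ext.keys()),
    }

# Constructed sample data (hypothetical orders table).
SOURCE_DAY1 = [
    {"order_id": 1, "order_date": date(2024, 3, 1), "amount": 100},
    {"order_id": 2, "order_date": date(2024, 3, 2), "amount": 250},
    {"order_id": 3, "order_date": date(2024, 3, 3), "amount": 75},
]
# Day 2: order 1 deleted, order 2 corrected in place, order 4 is new,
# order 5 arrives late with a date older than the extract's maximum.
SOURCE_DAY2 = [
    {"order_id": 2, "order_date": date(2024, 3, 2), "amount": 205},
    {"order_id": 3, "order_date": date(2024, 3, 3), "amount": 75},
    {"order_id": 4, "order_date": date(2024, 3, 4), "amount": 310},
    {"order_id": 5, "order_date": date(2024, 3, 1), "amount": 40},
]

def demo():
    """Return (drift after incremental refresh, drift after full refresh)."""
    extract = full_refresh(SOURCE_DAY1)
    extract = incremental_refresh(extract, SOURCE_DAY2, "order_date")
    after_incremental = drift(extract, SOURCE_DAY2)
    after_full = drift(full_refresh(SOURCE_DAY2), SOURCE_DAY2)
    return after_incremental, after_full

if __name__ == "__main__":
    inc, full = demo()
    print("after incremental:", inc)
    print("after full:       ", full)
```

Only order 4 is picked up by the incremental pass; the corrected amount, the deleted row and the late-arriving row all remain wrong in the extract until a full refresh runs.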