Configuring Tableau Server for the first time
The Tableau Server Configuration utility opens during a Tableau Server installation. You can set configuration options at this time, as part of the installation, before the server starts. The server is started at the end of the installation process.
There are two things to keep in mind about the settings you specify in the Configuration dialog box:
While installing Tableau Server, there are many configuration options to evaluate. Most of these options can be adjusted after the installation, but some cannot be changed without reinstalling the software. It is therefore important to consider the configuration options below carefully.
General: server run as user
If you are operating in an environment where a majority of your data sources are authenticated in the context of Active Directory (Windows NT integrated security), then you will need to configure the Run As User to use a domain account, not the local account (Network Service), which is the default.
There are two steps:
Server run as user refers to the Windows username that the Tableau Server service (tabsvc) will run under. By default, this can be changed to either a local machine account or a domain account. If you are choosing a domain account, specify the domain with the username. One reason to use a domain account is to provide access to data sources that require Windows NT authentication without prompting users for credentials. In this case, the account specified here logs into the data sources.
General: user authentication and Active Directory
Instead of using the Tableau Server built-in user management system, referred to as local authentication, you can configure a newly installed instance of Tableau Server to authenticate users through Active Directory (AD). You must have administrative privileges to add users to Tableau Server.
Tableau Server can be configured to authenticate users in one of two ways:
It is very important that you choose the authentication method carefully, because this cannot be changed once the server is installed. In the local authentication option, users are added to the server by configuring a username and a password. In the Active Directory authentication option, users who are added to Tableau Server should already be a part of Active Directory. Active Directory manages the user’s password. Choosing Active Directory authentication allows clients to reuse their existing security structure.
Be sure to enter the domain name and nickname when choosing to authenticate with Active Directory. This domain name must be a fully qualified domain name. Using the Active Directory authentication (ADA) method allows an additional option, enable automatic log-on. This option enables users to automatically log into Tableau Server with the currently logged-in Windows account credentials via the Microsoft Security Support Provider Interface (SSPI). Additionally, automatic log-on cannot be enabled if the guest account is enabled or if trusted ticket authentication is used.
General: port number
By default, Tableau Server accepts requests on port 80. If this needs to be changed for networking reasons, reset the port number using this option.
General: open port in Windows Firewall
This opens the above port number in the Windows Firewall to ensure that requests can be received on the specified port. This setting normally shouldn’t need to be edited unless you have changed from the default port 80.
Data connection caching
Use the options on the Data Connections tab to configure caching and specify how you want to handle initial SQL statements from data sources.
The caching options within Tableau Server dictate how often cached data will be reused and how frequently data will be queried from the data sources. Below are those caching options:
Caching option selections can significantly affect performance. Reading from the cache is much quicker than querying the data source directly. In most cases, leaving this option set to refresh less often will provide the best performance. The main reason to change to balanced or refresh more often is to prevent old data from being reported when you have a rapidly changing data source.
Views published to Tableau Server are interactive and sometimes have a live connection to a database. As users interact with the views in a web browser, the data that is queried gets stored in a cache. Subsequent visits will pull the data from this cache if it is available. The Data Connections tab is where you configure aspects of caching that will apply to all data connections:
To configure caching, select from one of the following options:
Data connections: initial SQL
When connecting to some databases, you can specify an initial SQL command to run when you open the workbook, refresh an extract, sign in to Tableau Server, or publish to Tableau Server. This initial SQL is different than a custom SQL connection, which defines a relation (table) to issue queries against.
You can use this command to:
You have the option to add an initial SQL command in the Server Connection dialog box or on the Data Source page.
For security reasons, some administrators may want to disable the initial SQL setting. Selecting the “ignore initial SQL statements for all data sources” setting will cause the workbooks created using the initial SQL statement to open, but the initial SQL command will not be sent.
Server: number of processes per server
The server tab of the configuration dialog box allows the user to configure the machines in the Tableau Server cluster and the number of each type of process per server. These are the default configurations for an 8-core instance:
Use the edit dialog box to adjust the number of processes needed. You should plan on at least one CPU core and one gigabyte of memory per process. These settings are made in the configuration dialog box after installation. Cluster configurations will be covered in the high availability section later in this chapter.
E-mail alerts for administrators
To have an e-mail notification sent to a specified administrator when the server detects problems, enable send e-mail alerts. Add the e-mail address of the person to be notified. This setting is useful, but needs some refining, as it doesn’t seem possible to send e-mails to different audiences depending on the workbook.
Use the enable e-mail subscription option to allow users to subscribe to workbooks on Tableau Server so that they receive e-mail notification when the workbook is updated. This subscription will send the most recent version of a workbook to users at scheduled intervals.
To enable email subscriptions
If either type of e-mail notification is enabled (for problem alerts to the administrator or for subscriptions), the relevant SMTP server information must be provided.
Secure sockets layer (SSL)
Select the use SSL for server communication setting to enable Tableau Server to use SSL to secure communications. It is divided into external SSL and internal SSL servers. If this setting is enabled, the required certificate files must be provided. Tableau Server currently uses SSL only over port 443. For more information about the requirements of the SSL certificate files, check the configuring SSL reference in the Tableau Server administrator’s guide.
To adjust these settings after installation, select the configure Tableau Server shortcut under the Tableau Server folder in all programs.
Setting-up security rights
Tableau Server has a robust system for managing security. To fully grasp it, you must understand the hierarchy of objects that contain reports and data within Tableau’s environment.
The workbook object represents the Tableau workbook file published from Tableau Desktop. It contains dashboards and worksheets, which in terms of Tableau Server are all known as views. Permissions can be applied to specific views within a workbook, and views can belong to projects and must be published to a site.
The user object represents a named user who has access to Tableau Server. Users must be granted a licensing level of interactor or viewer to log in to the server. It’s possible to leave a user account on the server in an effectively disabled state by setting its license level to unlicensed. This can be useful for audit purposes. Users can be granted access to views, workbooks, projects, and sites. They can also be arranged in groups. Also note that unlicensed Tableau Server users (that have been given publishing rights) can publish workbooks to the server even if they cannot view the published results on the server.
The project is an object used to organize and manage access to workbooks. Workbooks are placed into projects within a site. This can be used as an organizing tool by placing workbooks with similar content into a single project. It can be used as an access restriction tool by granting access to a project to a user or group and then publishing workbooks into that project.
The group is an object used to organize users in sites on Tableau Server. Users can be placed into groups, and these groups can in turn be given permission to objects on the server. Groups can be created locally on Tableau Server or, if Active Directory authentication is in use, they can be imported from an Active Directory group. Groups make managing user permissions within Tableau Server much easier.
The site is the top level of the security hierarchy. Sites essentially behave as completely separate Tableau Server instances from the user perspective. Users cannot log in to, or view, any information about sites to which they do not have access. The base Tableau Server site is known as the default site. Users that belong to more than one site must choose which site they want to see when they log in. Additional Tableau Server sites are accessed with the help of a name extension string appended to the URL using this format:
Sites define separate work environments in Tableau Server, whereas permissions define what users or groups are permitted to do within a site. Tableau Server comes with several standard permission roles that can be assigned to users or groups.
The interactor role represents the common user who can access and use objects but cannot edit them. The publisher role allows users to publish reports from Tableau Desktop to the server. The editor role allows the user to make changes to workbooks. Users can also be granted several more specialized roles. Additionally, there are two administrative permissions that can be granted on the site and instance level: system administrator and site administrator. These last two permission types allow high-level control of the particular instance.
When the standard roles aren’t enough, it is possible to add very specific permissions to groups or users. More details about the specific permissions that are available can be found in the Tableau Server administrator’s guide.
Using groups and projects to manage access is much easier than assigning user permissions to workbooks individually. Depending on the sensitivity of data contained in workbooks on the server, some organizations choose to make heavier use of individual sites rather than projects. It is important to understand that moving content between projects is very easy, but moving content between sites requires republishing the workbook, which makes it complicated. A common example of this is having separate sites configured for departments such as human resources. Another common usage of sites is using the default instance as production and creating an alternate test site for development and testing on the server.
Enabling row-level security via filters
Database servers often support row-level security that is applied at the session level.
Row-level security is the ability to restrict access to specific data elements within a data source to specified users. It is enabled by employing user filters. Using the superstore sample data, you will see an example that restricts access to records using the region dimension. Figure 9.1 shows a map visualization of superstore that uses color to define regions.
Figure 9.1 Map visualization colored by region
Start by creating a user filter in Tableau Desktop by selecting Server > Create User Filter > Region from the main menu. The users created for this example include the east region, west region, and all region groups. East and west can see only their regions. The all region users will be able to view everything in the data set. Clicking the OK button defines the filter. You can see the members selected from the all region option in figure 9.2.
Figure 9.2 Tableau desktop user filter dialog box
Once the user filter is created, it will appear on the set shelf at the bottom left of the desktop. Dragging the set to the filter shelf applies the filter. You can simulate the results of the filter for other users by using the toggle at the bottom right of the Tableau Desktop interface and selecting other users. This will change the view to simulate how it will appear to each user you select, so that you can verify that the filter produces the desired result. Figure 9.3 shows the region filter set placed on the filter shelf. Notice that the all region user is being simulated using the drop-down filter at the bottom right.
When a user filter is placed on a worksheet, the publish workbook to Tableau Server dialog box changes to include a new generate thumbnail as a user option, which you can see in the lower right of figure 9.4. This option allows you to select what thumbnail will display for each user in Tableau Server, ensuring that sensitive data isn’t seen by unauthorized users. The view permissions dialog box can contain many users with different view filters.
Figure 9.3 Filter shelf with region filter added
Figure 9.4 Thumbnail filtering
In figure 9.5, you see how the thumbnail in Tableau Server appears to a west region user.
Figure 9.5 Thumbnail generated for a west region user
Logging into Tableau Server as an east region user results in the thumbnail view being restricted to the eastern states in that territory. When the user selects the view, the actual map view will look like figure 9.6, and include only the states that comprise that region.
An all region user logging in will see every state, as shown in figure 9.7.
User filters are an effective and simple method for implementing row-level security within Tableau Server. However, if users are allowed to download the workbook from Tableau Server and open it in Tableau Desktop, they can remove the filter and expose the unfiltered report. Keep this in mind to prevent unrestricted data access. Also remember that users with publisher access can republish reports after removing the filter and provide unrestricted access to the report. Ensure that individuals with publishing rights on the server are trained to prevent unauthorized distribution of sensitive data. Using data source user filters can also be helpful for limiting the quantity and scope of data being exposed.
Figure 9.6 Map visualization restricted by the user filter
Figure 9.7 Map filter for an all region user
There are other, more complex methods of implementing row-level security. Be aware that unless the data is secured at the data source level, it isn’t possible to prevent unrestricted access if the users are allowed to download the workbook and they have access to Tableau Desktop. Implementing row-level filtering requires diligent user permission management to ensure no unexpected data access occurs.
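Securing the data at the data source level, as described above, can look like the following added example, which is not from the original page. It uses PostgreSQL row-level security with constructed table, role and login names, and it assumes each report user reaches the database under their own login rather than through a shared embedded credential.

```sql
-- Added example (PostgreSQL); all table, role and login names are constructed.
-- Assumption: each report user connects under their own database login,
-- so current_user identifies the person viewing the data.
CREATE TABLE orders (
    order_id integer PRIMARY KEY,
    region   text    NOT NULL,
    state    text    NOT NULL,
    sales    numeric NOT NULL
);

-- One row per (login, region) the login may read; 'ALL' grants every region.
CREATE TABLE region_entitlements (
    username text NOT NULL,
    region   text NOT NULL,
    PRIMARY KEY (username, region)
);

INSERT INTO orders VALUES
    (1, 'East', 'New York',   1200.00),
    (2, 'West', 'California',  950.00),
    (3, 'East', 'Ohio',        400.00);
INSERT INTO region_entitlements VALUES
    ('east_user', 'East'), ('west_user', 'West'), ('all_user', 'ALL');

-- Report logins get read access only; the policies decide which rows they see.
CREATE ROLE report_readers NOLOGIN;
CREATE ROLE east_user LOGIN IN ROLE report_readers;
CREATE ROLE west_user LOGIN IN ROLE report_readers;
CREATE ROLE all_user  LOGIN IN ROLE report_readers;
GRANT SELECT ON orders, region_entitlements TO report_readers;

ALTER TABLE orders              ENABLE ROW LEVEL SECURITY;
ALTER TABLE region_entitlements ENABLE ROW LEVEL SECURITY;

-- A login can read only its own entitlement rows.
CREATE POLICY own_entitlements ON region_entitlements
    FOR SELECT TO report_readers
    USING (username = current_user);

-- A login can read an order only when it is entitled to that order's region.
CREATE POLICY orders_by_region ON orders
    FOR SELECT TO report_readers
    USING (EXISTS (
        SELECT 1 FROM region_entitlements e
        WHERE e.username = current_user
          AND e.region IN (orders.region, 'ALL')));

-- Check the policy from a restricted login's point of view.
SET ROLE east_user;
SELECT order_id, region, state, sales FROM orders ORDER BY order_id;
```

Because the database applies the policy to every query from that login, removing the user filter from a downloaded workbook does not widen what the login can read. The table owner and superusers bypass these policies unless FORCE ROW LEVEL SECURITY is set, so the report connection should use neither.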