
Bullet Proof: A Guide to Tableau Server Security

PDF Guide

Tableau Conference 2014

Bryan Naden & Ray Randall


Tableau Server Security Hands On

To begin the exercise, we are going to start fresh by restoring from a Tableau backup file called
SecurityBackup.tsbak, located in the Security Hands On folder. To restore a backup we will use the
tabadmin command-line utility that comes with Tableau Server. When you initiate a recovery from a
backup file, you must stop Tableau Server and run the restoration. When the restoration process is
complete, Tableau Server is started automatically.

To access tabadmin:

On the server machine, open the Command Prompt as an administrator and change to the
Tableau Server bin directory.

cd C:\Program Files\Tableau\Tableau Server\8.2\bin

tabadmin stop

tabadmin restore SecurityBackup.tsbak

For more information on how to restore a tsbak file visit:


http://onlinehelp.tableausoftware.com/current/server/en-us/db_restore.htm

Now that we have successfully restored, let's explore the contents of our new server environment.

Please open your laptops and open the web browser. In the address bar, type localhost to access your
local instance of Tableau Server.

Log in to Tableau Server with the following credentials.

Username: Admin
Pass: TC2014

As an administrator, you will have access to the Admin tab in the Tableau Server portal. This section of
Tableau Server will allow you to execute a myriad of tasks, such as adding new users, creating sites,
projects, and groups, assigning permissions, and more.

Notice we already have Projects, Groups, Workbooks, and Users. In the Server Admin session we learned
how to create all of these, but for this session they are present and ready to have permissions applied.
Take a look at the Users tab and notice we have a handful of different users. Let's add some users to a
group, but first let's create a new group called Finance.

Go back to the Users page and select both FinanceManager & FinanceUser and add them to the new
Finance Group.

Now that we have a few Groups and Users, let's look at our Projects. Notice we already have a Finance
Project. Since financial data is a big security concern for our company, we only want the Finance Group
to have access to that Project. Let's edit the permissions by selecting the Finance Project, clicking on
Permissions and then Edit.

Set the Finance Group to Interactor. This allows only the Finance users to interact with the view.
Notice you are also able to set up a few other roles from this permissions screen. One way to help
manage the administration of your server is to appoint individuals as Project Leaders. The Project Leader
is able to make all changes within a specific Project.

After submitting, you'll notice two Groups (All Users & Finance). This is because each Project, when
created, inherits the Permissions from the Default Project. In this case we don't want All Users to have
access, so we are going to delete the permissions.

One of the most crucial steps in permissioning is to Assign Permissions to Contents. Click this button to
ensure that your changes get passed to all content in the specific Project.

Check that we have successfully hidden the Finance Project from the rest of the users by logging in as
someone that is not in the Finance Group. You'll also notice this same permissioning is set up for the
Sales Group and Sales Project as well, so you can double-check your work.

Now that we have some permissions in place, let's publish some workbooks. Another level of security is
the publishing rights. In our scenario we only want to allow certain people the ability to publish. In the
case of the Sales users, only Pat has the ability to publish. Let's give the user FinanceManager the ability
to publish as well.

Go to the Default Project and download the CFO Business Segments (Finance) and the Regional Sales
Dashboard (Sales). You must be logged in as Admin because the other users are defaulted to just
viewers and thus do not have permission to download.

Open each in Tableau Desktop and we will publish to their respective Projects using each Project's
designated publisher. If you try to publish with a user who doesn't have publishing rights you will be
denied. Also notice that if you are logged in as a user from the Sales Group you will not see the Finance
Project on the list of Projects to publish to.

As the publisher you are able to set permissions in the publishing window. For security best practices it
is encouraged not to set any new permissions, because once the workbook is published to a project the
workbook will inherit the permissions set by that project. This way it is much easier to manage the
permissions on a large scale, and it keeps things organized.

Tableau Server also allows for one more layer of security, and that is the use of Sites. Sites are a way to
completely section off all contents of a server. This includes projects, groups, users, and workbooks. A
good example of this would be an HR department that wants to keep all their data separate from other
users. In this case HR would create their own site that only HR users could see and use.

Read more on how to create sites:

http://onlinehelp.tableausoftware.com/v8.1/server/en-us/sites_add.htm

Break

Data Security

Using the Regional Sales Dashboard we will create our first data security with user filters. First we'll
start with the manually created user filters.

Step 1

Log in to Tableau Server as an administrator. In this example, we are going to use our Sales Group of
users: Pat, Chris, Sam, Erin, and William. Pat is the national manager and the rest are regional managers.

Step 2

In Tableau Desktop open the workbook which is using the Superstore - Orders data source.

Step 3

Select the sheet called Map.

Step 4

Select Server > Create User Filter > Region.

Step 5

In the Tableau Server Login dialog box, log in to Tableau Server with these credentials:

Username: Pat

Password: 1234

Step 6

In the User Filter dialog box, do the following tasks:


In the Name text box, type Regional Managers.

In the User/Group list, click Sam, and then in the Members list, select the South check box.

Repeat this step for Chris in the Central, William in the West, Erin in the East, and Pat for all regions
because he is the national manager.

Step 7

When finished, click OK. User filters appear at the bottom of the Data window in the Sets pane.

Step 8

Drag the new Regional Managers set to the Filters shelf.

Step 9

When you add the user filter to the Filters shelf, the view should show data for all regions. To display the
view for one of the regional managers, click the list arrow in the lower right area of the workbook
window.

Step 10

You can display the name of the current user and region in the title to help the person accessing the
view understand that the view has been filtered. Select Worksheet > Show Title to display the title.

Step 11

To set up the title, double-click the Title shelf.

Step 12

In the Edit Title dialog box, do the following tasks:

Select and delete the default tag title.

Click the Insert drop-down arrow and select Region.

Step 13

When finished, click OK. When you publish the view to Tableau Server, each user sees only their own
data. Learn more about user filtering in the Desktop Online Help.

Automatic User filters

Instead of manually matching each user to data values, you can use a calculated field to automatically
define the filter. To create this calculated field, your underlying data source must contain the security
information you want to use for filtering. For example, if you want to filter the map view above so that
only managers can see it, your data source must specify each user's role.

Step 1

Open the same Regional Sales Dashboard in Tableau Desktop


Step 2

In this example, the security information is another table in the Sample - Superstore sales data source,
called Users. The table has two columns: Region and Manager. All users who are managers are listed
along with their respective regions. To join the Users table to the Orders table, select the data source in
the Data menu, and select Edit Datasource.

Step 3

Drag the Returns Table onto the connection canvas. Tableau will automatically set up the join clause on
Region.

Step 4

Change the join type to a left join and click Go To Worksheet.

Step 5

Select Analysis > Create Calculated Field.

Step 6

In the Calculated Field dialog box, do the following tasks:

In the Name text box, type User is a manager.

In the Formula text box, type the formula below, and click OK.

USERNAME() = [Manager]

This new true/false field appears in the Dimensions pane. This formula returns TRUE if the username of
the person currently logged in exists in the manager table.

Step 10

Select Server > Log On, and log on to Tableau Server using your administrator username and password.

Step 11

At the bottom-left corner of the view, click the user drop-down arrow next to your username, and in
the Filter As User list, select one of the regional managers.

Step 12

Drag the User is a manager calculation to the Filters shelf.

Step 13

In the Filter dialog box, select True, which sets the filter so that only people who are managers can see
the data in the view, and then click OK.

The benefits of this method are the following:


You do not need to manually manage user access to the row level data. As new users are added, the
filter will automatically update.

Using a calculated field for row-level security can increase performance as the number of users grows on
Tableau Server.
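The effect of the left join on Region and the USERNAME() = [Manager] filter, modelled as an added example (not part of the original guide) on an in-memory SQLite database. The sample rows, the North region with no manager, and the one-row-per-region entries for Pat are constructed assumptions.

```python
import sqlite3

# Constructed sample data: a tiny Orders table and the Region/Manager
# security table ("Users") that the guide joins to it.
ORDERS = [(1, "South", 120.0), (2, "Central", 80.0), (3, "West", 200.0),
          (4, "East", 50.0), (5, "North", 75.0)]  # "North" has no manager row
USERS = [("South", "Sam"), ("Central", "Chris"), ("West", "William"),
         ("East", "Erin"),
         # Assumption: the national manager gets one row per region.
         ("South", "Pat"), ("Central", "Pat"), ("West", "Pat"), ("East", "Pat")]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER, region TEXT, sales REAL)")
    db.execute("CREATE TABLE users (region TEXT, manager TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db

def visible_orders(db, username):
    """Rows left after the left join on Region and the filter
    USERNAME() = [Manager] kept at True, for the given logged-in user."""
    rows = db.execute(
        "SELECT o.order_id, o.region, o.sales "
        "FROM orders o LEFT JOIN users u ON o.region = u.region "
        "WHERE u.manager = ? ORDER BY o.order_id", (username,))
    return rows.fetchall()

def joined_row_count(db):
    """Row count of the join with no user filter applied."""
    return db.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN users u "
        "ON o.region = u.region").fetchone()[0]

if __name__ == "__main__":
    db = build_db()
    for user in ("Sam", "Pat", "FinanceUser"):
        print(user, visible_orders(db, user))
    print("unfiltered join rows:", joined_row_count(db))
```

Order 5 (North) is returned for no one because its Manager is NULL after the left join, and a user with no row in the security table sees nothing. Pat's four orders come back once each even though the unfiltered join holds nine rows, which is why the filter has to stay on every sheet that uses the joined source.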

Now, taking this a step further, we can also add user filters to the datasource itself. We can use
Dataserver to further our data security model.

Right click on the datasource and choose to edit data source filters. The Region filter will automatically
be added when you select OK.

Right click on the datasource again and we'll publish this datasource to Dataserver.

Make sure to change the Project to Sales so that the datasource gets published to the correct location
and also inherits the correct permissions from the Sales Project. Now the datasource will live on the
server so that users won't have to connect directly to a database but will just connect to Tableau Server
instead. This also will save all the metadata changes, calculations, and joins created with the connection.

Custom Admin Audit View

In some cases you will want a view that is not preloaded.


Open the command prompt. Navigate to the Tableau Server bin folder.

CD C:\Program Files\Tableau\Tableau Server\8.2\bin

Enable external access to Tableau Server's PostgreSQL server:

tabadmin dbpass P@ssword

Restart the Server:

tabadmin restart

In Tableau Desktop select Data > Connect to Data, then select PostgreSQL as the database to connect
to.

In the PostgreSQL Connection dialog box, type the name or URL for Tableau Server: localhost

Connect using the port you have set up for the pgsql.port, which is 8060 by default: 8060

Type workgroup as the database to connect to.


Connect using the following username and password:
Username: tableau
Password: P@ssword

Click Connect.

Select one or more tables to connect to.


The "tableau" user has access to all of the tables that start with an underscore or hist_. For example,
you can connect to _background_tasks and _datasources. The tables that begin with historical_ point
to hist_ tables. The hist_ tables include information about server users that isn't currently presented in
the User Activity view.

Let's build a view that shows all of our workbooks that have been accessed.

Connect to hist_workbooks.

Drag out historical_events and join on workbook ID.

Drag out historical event types and join on event type ID.


Click Go to Worksheet to connect.

Add Name to Rows to see the names of workbooks that are tied to an event. You can then filter by the
event (Action Type) and add the Actor User to view the users tied to the event.

Try logging in to your Tableau Server and accessing a view. Afterwards, refresh the view in Tableau
Desktop (press F5) to see the live connection update.
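The three-table join built in the steps above, written out as a query (an added example, not part of the original guide). It runs against a constructed in-memory SQLite stand-in so it works offline; the column names, the hist_users table used for the Actor User, and all sample rows are assumptions to check against your server's workgroup database.

```python
import sqlite3

# Constructed stand-ins for the repository tables named above. The column
# names are assumptions; check them against the workgroup database.
SCHEMA = """
CREATE TABLE hist_workbooks (id INTEGER, name TEXT);
CREATE TABLE hist_users (id INTEGER, name TEXT);
CREATE TABLE historical_event_types (type_id INTEGER, name TEXT, action_type TEXT);
CREATE TABLE historical_events (id INTEGER, historical_event_type_id INTEGER,
    hist_workbook_id INTEGER, hist_actor_user_id INTEGER, created_at TEXT);
INSERT INTO hist_workbooks VALUES (10, 'CFO Business Segments'),
                                  (11, 'Regional Sales Dashboard');
INSERT INTO hist_users VALUES (1, 'Pat'), (2, 'FinanceManager'), (3, 'Sam');
INSERT INTO historical_event_types VALUES (1, 'Login', 'Access'),
    (2, 'Access View', 'Access'), (3, 'Publish Workbook', 'Publish');
INSERT INTO historical_events VALUES
    (100, 1, NULL, 3, '2014-09-09 09:00:00'),  -- login, tied to no workbook
    (101, 3, 11, 1, '2014-09-09 09:05:00'),
    (102, 2, 11, 3, '2014-09-09 09:10:00'),
    (103, 2, 10, 2, '2014-09-09 09:12:00');
"""

# The joins from the steps above: workbook ID, event type ID, plus actor user.
AUDIT_QUERY = """
SELECT w.name, t.action_type, t.name, u.name, e.created_at
FROM hist_workbooks w
JOIN historical_events e ON e.hist_workbook_id = w.id
JOIN historical_event_types t ON t.type_id = e.historical_event_type_id
LEFT JOIN hist_users u ON u.id = e.hist_actor_user_id
WHERE t.action_type = ?
ORDER BY e.created_at
"""

def build_audit_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def workbook_events(db, action_type):
    """Workbook-tied events of one Action Type, oldest first."""
    return db.execute(AUDIT_QUERY, (action_type,)).fetchall()

if __name__ == "__main__":
    for row in workbook_events(build_audit_db(), "Access"):
        print(row)
```

Because the view starts from hist_workbooks, events with no workbook (the constructed login row) never appear in it; audit logins from historical_events directly if you need them.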
