My experience navigating Tableau security as a novice…
I recently upgraded a Tableau 10.1 estate to Tableau 2018.1. I used the opportunity to completely rework the security from the ground up.
When starting out, much of the guidance I found on the net was focused on the many individual components that make up a Tableau estate.
While I’m certainly not claiming what I have done is best practice, I hope it will trigger some ideas and serve as a starting point for your own implementations.
This guide doesn’t cover licensing although that is something which is definitely worth understanding if you are implementing a Tableau security model. If you need to learn about Tableau licensing then this article does a great job of explaining both the old and new models.
A few resources to start…
This image is a bit out of date as you can now have nested projects but is a really good way to understand how content is structured on Tableau Server.
This image is actually from an interactive Viz that explains each object type and can be found here.
This reference guide gives the official explanation of many of the terms you will find when administering Tableau security and is worth reading.
This article, also from the Tableau help, explains site roles and how they relate to licenses and Tableau content.
Finally, this blog post gives step-by-step instructions to open up access to the Tableau Postgres database. To query the Postgres database you can use pgAdmin, a free, browser-based development/administration tool.
Before we begin, a few notes on Tableau security…
- Tableau site roles (set at user level) define the maximum level of access that a user can potentially have over content. Lower permissions at content level (i.e. project, workbook) will take precedence.
- In Tableau the default project is the template project, much like the model database in SQL Server. We removed all access to this project so…
  - Users will not see it
  - No content will get deployed there
- I recommend deleting the ‘Tableau Samples’ project on UAT & production environments.
A bit of background and the approach we took…
- By default, all reports will be viewable by all Tableau users.
- Each department within the business will have their own departmental folder which they will be able to manage themselves in the development environment.
- Where possible, native Tableau security roles were to be used.
- Tableau administrators are set by using the site role, Site Administrator.
- We decided on 3 environments on 3 separate servers.
- We didn’t have any multi-site environments.
- Access to the Postgres database would be configured on all environments.
- It was an audit requirement that UAT and Production have the same permissions as each other and fall under change control.
- I used TABCMD to set up the users, groups, group membership and top-level projects. TABCMD can’t work with sub-projects although I believe the REST API can.
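A constructed example of the TABCMD bootstrap described above, added here and not the author's own script; the server name, admin credentials file, department list and users.csv are assumed placeholders, and it defaults to a dry run that only prints the commands it would issue.

```shell
#!/bin/sh
# Builds the tabcmd calls that bootstrap groups, users and top-level projects
# from one departmental manifest. tabcmd cannot create sub-projects, so only
# top-level projects are handled; permission locking is done afterwards in the UI.

TABLEAU_SERVER="${TABLEAU_SERVER:-https://tableau-dev.example.internal}"  # assumed
TABLEAU_ADMIN="${TABLEAU_ADMIN:-tabadmin}"                                 # assumed
TABLEAU_PW_FILE="${TABLEAU_PW_FILE:-/secure/tabadmin.pw}"                  # assumed
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = execute them

# Constructed manifest: department,project description (one per line)
DEPARTMENTS='Finance,Finance reporting
Marketing,Marketing reporting
Operations,Operations reporting'

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Site-wide groups used by the permission model in the post.
bootstrap_groups() {
  run tabcmd creategroup "All Users"
  run tabcmd creategroup "EDW-BI Team"
}

# One group and one top-level project per department.
bootstrap_departments() {
  printf '%s\n' "$DEPARTMENTS" | while IFS=, read -r dept desc; do
    [ -n "$dept" ] || continue
    run tabcmd creategroup "$dept"
    run tabcmd createproject -n "$dept" -d "$desc"
  done
}

# Users come from a CSV (username,password,...). Creating them with the Viewer
# site role keeps the maximum possible access low until a group grants more.
bootstrap_users() {
  users_csv="$1"
  run tabcmd createusers "$users_csv" --role Viewer
  run tabcmd addusers "All Users" --users "$users_csv"
}

# Full plan for one environment; run it three times with a different
# TABLEAU_SERVER for Development, UAT and Production.
plan() {
  run tabcmd login -s "$TABLEAU_SERVER" -u "$TABLEAU_ADMIN" --password-file "$TABLEAU_PW_FILE"
  bootstrap_groups
  bootstrap_departments
  bootstrap_users "users.csv"
  run tabcmd logout
}
```

Review the dry-run output, then re-run with DRY_RUN=0 against each server in turn so that UAT and Production receive identical groups and projects.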
All security to be locked to project…
Tableau allows content to be managed at workbook level. This means that if you have 50 workbooks you could potentially be managing 50 different security configurations.
Tableau also allows security to be locked to the project – this means that all the workbooks within a project derive their security from the project and it cannot be overridden. I opted for all permissions to be locked to the project; this makes the model simple to understand and predictable in how it operates.
The Security Model…
When applying permissions to Tableau projects or workbooks, this is the screen you will see.
In the top right corner you can lock permissions to the project as explained above.
The settings are split into Project, Workbooks and Data Sources. If you click the double arrows (>>) they expand. The models below match exactly the settings you will see in Tableau.
The image below shows how I configured the Development environment, where users can manage and deploy content to their own departmental folders. All Users, Departmental and EDW-BI Team are all groups set up inside Tableau.
The site administrators who manage the access and content across the site do not need to belong to any of these groups.
Then below we have our UAT and Production environments which fall under a standard ITIL change-management process: