Welcome
Implementing Tableau Server Security
#TC18
Ciarán Flynn
Senior Product Consultant
Tableau EMEA
Chris Wilkins
Staff Software Engineer
Tableau USCA
Who Are We and Why Are We Here?
Coming from two different areas of the business:
Chris is a Product Security Software Engineer who helps teams build security into their features. Past teams include licensing and Tableau Server.
Ciarán works day to day with customers, demonstrating how they can get the most out of the platform and all of Chris's hard work.
We presented this session last year in Las Vegas and came away with lots of feedback to improve it.
We are passionate about Tableau and take security-based topics very seriously.
How to get the most out of this
Materials are available to you after the session.
Please hold your questions until the end.
Learn, learn, learn!
What we want you to take away today
How to Control Who Can See What Content
Authentication – who is this user?
Authorization – is this user allowed to do this?
Data Security – protect your data in multiple ways.
Authentication
Identity store options:
Local Authentication
Active Directory
LDAP Identity Store
Local Authentication
Users exist only in the Tableau Server identity store.
Tableau Server alone authenticates users coming from:
Web browser
Tableau Desktop
tabcmd
APIs
Local Authentication
Populating your local authentication user list can be done in several ways:
GUI, one by one or with a CSV file
tabcmd CLI tool with a CSV file
REST API
The CSV contains the following columns, in the order shown (no header line):
Username (required)
Password (required)
Display name
Role
Administrator level
Publisher (yes/no)
Email address
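The CSV format above is easy to get wrong by hand, and the file holds plaintext passwords. The script below is an added example, not Tableau's code: it validates each user against the column order on the slide, generates an initial password from the OS CSPRNG rather than reusing one, and creates the file readable only by the account that runs the import. The accepted values for role ("Creator", "Explorer", "Viewer", "Unlicensed"), administrator level ("System", "Site", "None") and publisher ("yes"/"no") are taken from the tabcmd createusers documentation as I know it; check them against your server version. The sample users are constructed.

```python
"""Build a local-authentication user import CSV in the column order Tableau expects.
Added example; not Tableau code. Value sets below are assumptions from the tabcmd docs."""
import csv
import io
import os
import secrets

# Column order from the slide: username, password, display name, role, admin level, publisher, email
COLUMNS = ("username", "password", "display_name", "role",
           "administrator_level", "publisher", "email")
VALID_ROLES = {"Creator", "Explorer", "Viewer", "Unlicensed"}
VALID_ADMIN_LEVELS = {"System", "Site", "None"}
# No ambiguous glyphs (0/O, 1/l/I): people will type these once
PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@"


def generate_password(length: int = 20) -> str:
    """Initial password from the OS CSPRNG; force a change at first login."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def make_row(username, display_name, role, email,
             administrator_level="None", publisher="no", password=None):
    """Validate one user and return it as a list in COLUMNS order."""
    if not username:
        raise ValueError("username is required")
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(VALID_ROLES)}")
    if administrator_level not in VALID_ADMIN_LEVELS:
        raise ValueError(f"unknown administrator level {administrator_level!r}")
    if publisher not in ("yes", "no"):
        raise ValueError("publisher must be 'yes' or 'no'")
    return [username, password or generate_password(), display_name, role,
            administrator_level, publisher, email]


def build_csv(rows) -> str:
    """Serialise rows without a header line, matching the format on the slide."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


def write_private(path: str, text: str) -> None:
    """Create the file readable only by the current user: it contains plaintext passwords.
    O_EXCL refuses to overwrite an existing file, so a stale copy is never silently replaced."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed sample users, not real accounts.
    rows = [
        make_row("vader", "Darth Vader", "Viewer", "vader@empire.example"),
        make_row("kenobi", "Obi-Wan Kenobi", "Explorer", "kenobi@jedi.example", publisher="yes"),
        make_row("sidious", "Palpatine", "Creator", "sidious@empire.example", administrator_level="Site"),
    ]
    write_private("users.csv", build_csv(rows))
    # Import with:  tabcmd createusers users.csv
    # and delete users.csv as soon as the import has succeeded.
```

The generated passwords are only as protected as the file and the channel tabcmd uses to send them, so run the import over HTTPS and shred the CSV afterwards.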
Active Directory
[Diagram: login flow between the user, Tableau Server and AD]
1. User logs in
2. Credentials passed to AD
3. Token returned
4. Content is displayed according to roles/permissions
Active Directory Sync
Sync users and groups from AD
Assign roles and permissions
LDAP Identity Store
Tableau uses binds to authenticate and establish a session with LDAP servers:
• LDAP simple bind: not encrypted, so the bind DN and password cross the network in clear text and this poses a security risk
• LDAP over SSL (LDAPS): using signed SSL certificates you can enable LDAPS, so the bind happens inside an encrypted connection and the credentials are protected
• LDAP with GSSAPI (Kerberos) bind: use existing keytab files (if an AD domain link is already there), or generate Tableau Server service-specific keytab files (recommended)
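To make the simple-bind risk concrete, the following added example (not Tableau code) encodes an LDAPv3 BindRequest in BER exactly as RFC 4511 defines it and then parses it back the way a passive observer on the wire would. A simple bind carries the password as a plain OCTET STRING; a SASL bind (the GSSAPI case) carries only the mechanism name and an opaque token. The bind DN, password and token bytes are constructed sample values.

```python
"""Encode and decode an LDAPv3 BindRequest (RFC 4511) in BER to show what a simple
bind puts on the wire versus a SASL (GSSAPI) bind. Added example; not Tableau code."""

# BER tags used by LDAPMessage / BindRequest
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80   # AuthenticationChoice: simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3     # AuthenticationChoice: sasl [3] SaslCredentials, constructed


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER (enough for messageID and version)."""
    return tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest with simple authentication: DN and password are sent as plain octets."""
    bind = tlv(TAG_BIND_REQUEST,
               ber_int(3)                                  # LDAP version 3
               + tlv(TAG_OCTET_STRING, dn.encode())
               + tlv(TAG_AUTH_SIMPLE, password.encode()))  # the password, unencrypted
    return tlv(TAG_SEQUENCE, ber_int(message_id) + bind)


def sasl_bind_request(message_id: int, mechanism: str, token: bytes) -> bytes:
    """BindRequest with SASL authentication, e.g. GSSAPI carrying a Kerberos token."""
    creds = tlv(TAG_OCTET_STRING, mechanism.encode()) + tlv(TAG_OCTET_STRING, token)
    bind = tlv(TAG_BIND_REQUEST,
               ber_int(3)
               + tlv(TAG_OCTET_STRING, b"")                # name is empty for SASL binds
               + tlv(TAG_AUTH_SASL, creds))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + bind)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet: bytes) -> dict:
    """What a passive observer on an unencrypted connection can read from the request."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, auth, _ = read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": version[0], "name": name.decode(), "password": None}
    if auth_tag == TAG_AUTH_SIMPLE:
        info["password"] = auth.decode()        # recovered in clear text
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = read_tlv(auth, 0)
        info["sasl_mechanism"] = mech.decode()  # only the mechanism name is visible
    return info


if __name__ == "__main__":
    # Constructed sample bind DN, password and token; not real values.
    pkt = simple_bind_request(1, "cn=tableau-svc,ou=service,dc=corp,dc=example", "S3cret!")
    print(parse_bind_request(pkt))
    print(parse_bind_request(sasl_bind_request(2, "GSSAPI", bytes(range(16)))))
```

LDAPS does not change these bytes; it wraps the whole exchange in TLS so the observer never sees them. That is why a simple bind is only acceptable over LDAPS, and why the certificate Tableau Server trusts for the LDAPS connection must be one you control.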
Other Authentication Options (by identity store)

Authentication Method   Local Authentication   Active Directory
SAML                    Yes                    Yes
Kerberos                No                     Yes
Mutual SSL              Yes                    Yes
OpenID                  Yes                    No
Trusted Authentication  Yes                    Yes
Single Sign-On
Single Sign-On Options
SAML
Trusted Authentication (web portal integration)
Kerberos
OpenID (Tableau Online w/Google)
Integrated Windows Authentication
Also on Tableau Online: SAML and OpenID with Google
SAML
Use an external IdP to authenticate users with Tableau Server.
[Diagram: three-step exchange between the User, the Identity Provider (IdP) and Tableau Server acting as Service Provider]
Trusted Authentication
[Diagram: three-step exchange between the Client Web Browser, the Web Portal and Tableau Server]
1. The web portal, having authenticated the user itself, posts the username to Tableau Server to request a ticket
2. Tableau Server returns a single-use ticket (or -1 if it refuses the request)
3. The browser is sent to the view URL carrying the ticket, which Tableau Server redeems for a session
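The exchange in the diagram, as an added example of the portal side (not Tableau's code): it posts to the /trusted endpoint, refuses to treat the -1 failure value as a ticket, and builds the redirect URL in the /trusted/<ticket>/views/... form that Tableau Server's trusted authentication documentation describes. The transport is injectable so the logic runs offline; the server name, site and view path are constructed.

```python
"""Request a trusted ticket from Tableau Server and build the URL the browser is sent to.
Added example; not Tableau code. Server name, site and view path are constructed."""
import urllib.parse
import urllib.request


class TrustedTicketError(Exception):
    pass


def post_form(url: str, fields: dict, timeout: float = 5.0) -> str:
    """Default transport: HTTP POST of form fields, returning the response body as text."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return resp.read().decode().strip()


def request_trusted_ticket(server: str, username: str, target_site: str = None,
                           client_ip: str = None, post=post_form) -> str:
    """Ask Tableau Server for a single-use ticket for `username`.

    Tableau Server answers -1 when it will not issue a ticket, for example because the
    requesting host is not listed in wgserver.trusted_hosts or the user is not a licensed
    user on the target site. Never pass -1 on to the browser; treat it as a failure.
    """
    fields = {"username": username}
    if target_site:
        fields["target_site"] = target_site   # omit for the Default site
    if client_ip:
        fields["client_ip"] = client_ip       # only when client IP matching is enabled on the server
    ticket = post(server.rstrip("/") + "/trusted", fields)
    if not ticket or ticket == "-1":
        raise TrustedTicketError(f"Tableau Server refused a trusted ticket for {username!r}")
    return ticket


def build_trusted_view_url(server: str, ticket: str, view_path: str, site: str = None) -> str:
    """URL that redeems the ticket. The browser must load it within the ticket lifetime
    (3 minutes by default) and the ticket is consumed on first use."""
    site_part = f"t/{urllib.parse.quote(site, safe='')}/" if site else ""
    return f"{server.rstrip('/')}/trusted/{ticket}/{site_part}views/{view_path}"


if __name__ == "__main__":
    server = "https://tableau.corp.example"   # constructed
    ticket = request_trusted_ticket(server, "vader", target_site="Sales")
    print(build_trusted_view_url(server, ticket, "Pipeline/Summary", site="Sales"))
```

Two things the portal must get right: the username it sends is the identity Tableau Server will trust without further checks, so it has to come from the portal's own authenticated session, never from a request parameter; and the ticket request should go over HTTPS, because whoever can read the ticket in transit can redeem it first.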
Authorization
Understanding Site Roles

Site Role                      Role Type
Server Administrator           Creator
Site Administrator Creator     Creator
Creator                        Creator
Site Administrator (Explorer)  Explorer
Explorer (can publish)         Explorer
Explorer                       Explorer
Viewer                         Viewer
Unlicensed                     Unlicensed
Structure Within Tableau Server
Objects, from the top down: Sites, Projects, Workbooks, Views, Data Sources, Groups, Users.
Example of who owns what:
Server Admin: creates sites and defines site admins
Site Admins: manage users, groups, projects, and permissions within their site
Publisher: manages permissions for their own content (sometimes, when the project allows it)
[Diagram: one Tableau Server with two sites, HR and Sales Team, each holding its own Projects, Workbooks, Data Sources, Views, Groups and Users]
Permissions
Permissions - Best Practice
[Diagram: the same object hierarchy (Sites, Projects, Workbooks, Views, Data Sources, Groups, Users) showing where permissions are applied]
Access Permissions: the decision tree
Evaluated for one user and one capability; the first question answered "Yes" decides:
1. Has the user been specifically denied the capability? Yes: Denied
2. Has the user been specifically allowed the capability? Yes: Allowed
3. Has a group the user belongs to been specifically denied the capability? Yes: Denied
4. Has a group the user belongs to been specifically allowed the capability? Yes: Allowed
5. Nothing specified at either level: Denied
A user-level rule always beats a group-level rule, and within the same level a Deny beats an Allow. Everything is further capped by the site role: no rule can grant a capability the site role does not include.
Permissions Best Practices
1. Set permissions on Default project to “None” for “All Users” group
2. Add users to groups
3. Create projects
4. Assign permissions to Projects based on Groups
Scenarios
Scenario 1
Darth Vader has a site role of "Viewer".
A group he is a member of implies that he can edit published content.
Do you think he will have the permission to edit?
The answer is no, he will not have access: the site role caps what any group permission can grant.
Scenario 2
Darth Vader is now leaving the business.
I want to restrict him from downloading workbooks or underlying data before he leaves.
Can I achieve this by adding specific user permissions while still having him as a member of the group driving the permissions?
Scenario 3
Obi-Wan Kenobi has just started with our organization. He has been assigned a site role of "Explorer" but has not yet been added to any groups.
All the projects have a default permission setting of "None" for the default "All Users" group.
How and what can he do with these projects while he waits to be added to the correct group?
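The decision tree and the three scenarios above, worked in code. This is an added example, not Tableau's implementation: SITE_ROLE_CAP is a simplified, assumed subset of Tableau's capability matrix (enough to show that a site role caps everything), the capability names are my own labels, and the project rules and users are constructed.

```python
"""Resolve an effective Tableau permission with the decision tree, then run the three
scenarios. Added example; not Tableau code. SITE_ROLE_CAP is an assumed simplification."""
from dataclasses import dataclass

# Assumed, simplified cap on what each site role can ever do (illustrative only).
SITE_ROLE_CAP = {
    "Creator":    {"view", "web_edit", "download_workbook", "download_summary_data", "download_full_data"},
    "Explorer":   {"view", "web_edit", "download_workbook", "download_summary_data", "download_full_data"},
    "Viewer":     {"view", "download_summary_data"},
    "Unlicensed": set(),
}


@dataclass(frozen=True)
class Rule:
    grantee_type: str  # "user" or "group"
    grantee: str
    capability: str
    mode: str          # "Allow" or "Deny"; a capability left at "None" simply has no Rule


def effective_permission(user: str, site_role: str, groups, rules, capability: str) -> str:
    """Return 'Allowed (...)' or 'Denied (...)' naming the step of the tree that decided it."""
    # Site role caps everything: no rule can grant more than the role allows.
    if capability not in SITE_ROLE_CAP.get(site_role, set()):
        return "Denied (site role)"

    def rules_for(grantee_type, names):
        return [r for r in rules
                if r.grantee_type == grantee_type and r.grantee in names and r.capability == capability]

    user_rules = rules_for("user", {user})
    if any(r.mode == "Deny" for r in user_rules):    # 1. user specifically denied
        return "Denied (user Deny)"
    if any(r.mode == "Allow" for r in user_rules):   # 2. user specifically allowed
        return "Allowed (user Allow)"
    group_rules = rules_for("group", set(groups))
    if any(r.mode == "Deny" for r in group_rules):   # 3. any group specifically denied
        return "Denied (group Deny)"
    if any(r.mode == "Allow" for r in group_rules):  # 4. any group specifically allowed
        return "Allowed (group Allow)"
    return "Denied (unspecified)"                     # 5. nothing said: no access


# Constructed project rules: the "Imperial Officers" group is allowed everything;
# "All Users" is left at None, so it has no rules at all.
PROJECT_RULES = [Rule("group", "Imperial Officers", cap, "Allow")
                 for cap in ("view", "web_edit", "download_workbook",
                             "download_summary_data", "download_full_data")]


def scenario_1():
    """Viewer whose group allows web editing."""
    return effective_permission("vader", "Viewer", ["Imperial Officers"], PROJECT_RULES, "web_edit")


def scenario_2():
    """User-level Deny on the download capabilities while he stays in the group."""
    leaving = PROJECT_RULES + [Rule("user", "vader", cap, "Deny")
                               for cap in ("download_workbook", "download_summary_data",
                                           "download_full_data")]
    return {cap: effective_permission("vader", "Viewer", ["Imperial Officers"], leaving, cap)
            for cap in ("view", "download_summary_data", "download_workbook")}


def scenario_3():
    """Explorer not yet in any group, with All Users left at None."""
    return effective_permission("kenobi", "Explorer", [], PROJECT_RULES, "view")


if __name__ == "__main__":
    print("Scenario 1:", scenario_1())
    print("Scenario 2:", scenario_2())
    print("Scenario 3:", scenario_3())
```

Scenario 2 shows why the user-level Deny is the right tool: it wins over the group Allow without touching the group, and the site role already blocks the downloads a Viewer could never do. Scenario 3 shows the cost of the "All Users: None" best practice: with no group membership the new Explorer can sign in but sees nothing, which is the safe default until a site admin adds him to a group.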
Data Security
Multiple Approaches to Data Security
Implement security on the database
Implement security solely in Tableau
Privileges on the database role
Database Security: Login Account
Windows Authentication
Username and password
SSL option
Database Security: Authentication Mode
Prompt user
Embedded password
Server Run As account (Windows integrated security only)
Viewer credentials / publisher credentials (Tableau Server only)
Kerberos-enabled: Teradata, PostgreSQL, MS SQL Server, MSAS
SAP HANA and BW SSO
Impala SSO
Impersonation via embedded account or Run As account (MS SQL Server only)
DEMO
Session Re-cap
Authentication
Auth Options, LDAP, SSO
Authorization
Structure, Permissions, Scenarios, Decision Tree
Data Security
Native Tableau User Filters, Table Security Model, Database policies models
Tableau Server security in depth
SESSION REPEATS
Thursday | 2:15 – 3:15 | MCCNO – L3 - 351
Big Easy data security: Tuesday | 4:00 – 5:00 | MCCNO – L2 – 297; Wednesday | 10:15 – 11:15 | MCCNO – L2 – 204
Data level security with Tableau Desktop: Tuesday | 12:30 – 1:30 | MCCNO – L3 – 338; Wednesday | 1:45 – 2:45 | MCCNO – L2 – 211
Please complete the session survey from the Session Details screen in your TC18 app.
Thank you!
#TC18