Bullet Proof: A Guide to Tableau Server Security PDF Guide Tableau Conference 2014 Bryan Naden & Ray Randall
Tableau Server Security Hands On To begin the exercise we are going to start off fresh by restoring from a Tableau backup file located in Security Hands On folder called SecurityBackup.tsbak. To restore a backup we will be using tabadmin command-line utility that comes with Tableau Server. When you initiate a recovery from a backup file, you must stop Tableau Server and run the restoration. When the restoration process is complete, Tableau Server is started automatically. To access tabadmin: On the server machine, open the Command Prompt as an administrator and change to the Tableau Server bin directory. cd C:\Program Files\Tableau\Tableau Server\8.2\bin tabadmin stop tabadmin restore SecurityBackup.tsbak For more information on how to restore a tsbak file visit: http://onlinehelp.tableausoftware.com/current/server/en-us/db_restore.htm Now that we successfully restored, let s explore the contents of our new server environment. Please open your laptops and open the web browser. In the address bar, type localhost to access your local instance of Tableau Server. Log in to Tableau Server with the following credentials. Username: Admin Pass: TC2014
As an administrator, you will have access to the Admin tab in the Tableau Server portal. This section of Tableau Server will allow you to execute a myriad of tasks, such as adding new users, creating sites, projects, and groups, assigning permissions, and more. Notice we already have Projects, Group, Workbooks, and Users. In the Server Admin session we learned how to create all of these, but for this session they are present and ready to apply permissions. Take a look at the Users tab and notice we have a handful of different users. Let s add some users to a group but first let s create a new group called Finance. Go back to the Users page and select both FinanceManager & FinanceUser and add them to the new Finance Group.
Now that we have a few Groups and Users let s look at our Projects. Notice we already have a Finance Project. Since financial data is a big security concern for our company we only want the Finance Group to have access to that Project. Let s edit the permissions by selecting the Finance Project and clicking on permissions and then edit. Set the Finance Group to interactor. This allows only the Finance users to be able to interact with the view. Notice you are also able to setup a few other roles from this permissions screen. One way to help manage the administration of your server is to appoint individuals as Project Leaders. The Project Leader is able to make all changes within a specific Project.
After submitting you ll notice two Groups (All Users & Finance). This is because each Project when created inherits the Permissions from the Default Project. In this case we don t want All Users to have access so we are going to delete the permissions. One of the most crucial steps in permissioning is to Assign Permissions to Contents. Click this button to ensure that your changes get passed to all content in the specific Project. Check that we have successfully hidden the Finance Project from the rest of the users by logging in as someone that is not in the Finance Group. You ll also notice this same permissioning is setup for the Sales Group and Sales Project as well to double check your work.
Now that we have some permissions in place let s publish some workbooks. Another level of security is the publishing rights. In our scenario we only want to allow certain people the ability to publish. In the case of the Sales users only Pat has the ability to publish. Let s give the user FinanceManager the ability to publish to as well. Go to the Default Project and download the CFO Business Segments (Finance) and the Regional Sales Dashboard (Sales). You must be logged in as Admin because the other users are defaulted to just viewers and thus do not have permission to download. Open each in Tableau Desktop and we will publish to their respected Projects using the Projects designated publisher. If you try to publish with a user who doesn t have publishing rights you will be denied. Also notice that if you are logged in as a user from the Sales Group you will not see the Finance Project on the list of Projects to publish to. As the publisher you are able to set permissions in the publishing window. For security best practices it is encouraged not to set any new permissions because once the workbook is published to a project the workbook will inherit the permissions set by that project. This way it is much easy to manage the permissions on a large scale and keeps things organized.
Tableau Server also allows for one more layer of security and that is the use of Sites. Sites are a way to completely section off all contents of a server. This includes projects, groups, users, and workbooks. A good example of this would be an HR department that wants to keep all their data separate from other users. In this case HR would create their own site that only HR users could see and use. Read more on how to create sites: http://onlinehelp.tableausoftware.com/v8.1/server/en-us/sites_add.htm Break Data Security Using the Regional Sales Dashboard we will create our first data security with user filters. First we ll start with the manually created user filters. Step 1
Log in to Tableau Server as an administrator. In this example, we are going to use our Sales Group of users:pat, Chris, Sam, Erin, and William. Pat is the national manager and the rest our regional managers. Step 2 In Tableau Desktop open the workbook which is using the Superstore - Orders data source. Step 3 Select the sheet called Map. Step 4 Select Server > Create User Filter > Region. Step 5 In the Tableau Server Login dialog box, log in to Tableau Server with these credentials: Username: Pat Password: 1234 Step 6 In the User Filter dialog box, do the following tasks:
In the Name text box, type Regional Managers. In the User/Group list, click Sam, and then in the Members list, select the South check box. Repeat this step for Chris in the Central, William in the West, Erin in the East, and Pat for all regions because he is the national manager. Step 7 When finished, click OK. User filters appear at the bottom of the Data window in the Sets pane. Step 8 Drag the new Regional Managers set to the Filters shelf. Step 9 When you add the user filter to the Filters shelf, the view should show data for all regions. To display the view for one of the regional managers, click the list arrow in the lower right area of the workbook window.
Step 10 You can display the name of the current user and region in the title to help the viewer understand that the view has been filtered. Select Worksheet > Show Title to display the region of the current user to help the person accessing the view understand that the view has been filtered. Step 11 To set up the title, double-click the Title shelf Step 12 In the Edit Title dialog box, do the following tasks: Select and delete the default tag title. Click the Insert drop-down arrow and select Region. Step 13 When finished, click OK. When you publish the view to Tableau Server, each user sees only their own data. Learn more about user filtering in the Desktop Online Help. Automatic User filters Instead of manually matching each user to data values, you can use a calculated field to automatically define the filter. To create this calculated field, your underlying data source must contain the security information you want to use for filtering. For example, if you want to filter the map view above so that only managers can see it, your data source must specify each user's role. Step 1 Open the same Regional Sales Dashboard in Tableau Desktop
Step 2 In this example, the security information is another table in the Sample - Superstore sales data source, called Users. The table has two columns: Region and Manager. All users who are managers are listed along with their respective regions. To join the Users table to the Orders table, select the data source in the Data menu, and select Edit Datasource. Step 3 Drag the Returns Table on the connection canvas. Tableau will automatically setup the join clause on Region. Step 4 Change the join type to a left join and click Go To Worksheet. Step 5 Select Analysis > Create Calculated Field. Step 6 In the Calculated Field dialog box, do the following tasks: In the Name text box, type User is a manager. In the Formula text box, type the formula below, and click OK. USERNAME()= [Manager]
This new true/false field appears in the Dimensions pane. This formula returns TRUE if the username of the person currently logged in exists in the manager table. Step 10 Select Server > Log On, and log on to Tableau Server using your administrator username and password. Step 11 At the bottom-left corner of the view, click the user drop-down arrow next to your username, and in the Filter As User list, select one of the regional managers.
Step 12 Drag the User is a manager calculation to the Filters shelf. Step 13 In the Filter dialog box, select True, which sets the filter so that only people who are managers can see the data in the view, and then click OK. The benefits of this method are the following:
You do not need to manually manage user access to the row level data. As new users are added, the filter will automatically update. Using a calculated field for row level security can increase performance as the number of users grows on Tableau Server Now taking this a step further we can also add user filters to the datasource itself. We can use Dataserver to further our data security model. Right click on the datasource and choose to edit data source filters. The Region filter will automatically be added when you select OK. Right click on the datasource again and we ll publish this datasource to Dataserver.
Make sure to change the Project to Sales so that the datasource gets published to the correct location and also inherits the correct permissions from the Sales Project. Now the datasource will live on the server so that users won t have to connect directly to a database but will just connect to Tableau Server instead. This also will save all the metadata changes, calculations, and joins created with the connection. Custom Admin Audit View In some cases you will want a view that is not preloaded. Open the command prompt. Navigate to the Tableau Server bin folder. CD C:\Program Files\Tableau\Tableau Server\8.2\bin Enable external access to Tableau Server s PostgreSQL server: tabadmin dbpass P@ssword Restart the Server: tabadmin restart In Tableau Desktop select Data > Connect to Data, then select PostgreSQL as the database to connect to.
In the PostgreSQL Connection dialog box, type the name or URL for Tableau Server: localhost Connect using the port you have set up for the pgsql.port, which is 8060 by default: 8060 Type workgroup as the database to connect to. Connect using the following username and password: Username: tableau Password: P@ssword Click Connect. Select one or more tables to connect to. The "tableau" user has access to all of the tables the start with an underscore and hist_. For example, you can connect to _background_tasks and _datasources. The tables that begin with historical_ point to hist_ tables. The hist_ tables include information about server users that isn't currently presented in the User Activity view. Let s build a view that shows all of our workbooks that have been accessed. Connect to hist_workbooks Drag out historical_events and join on workbook ID Drag out historical event types and join on event type ID
Click Go to Worksheet to connect. Add Name to Rows to see the names of workbooks that are tied to an event. You can then filter by the event (Action Type) and add the Actor User to view the users tied to the event. Try logging in to your Tableau Server and accessing a view. Afterwards, refresh the view in Tableau Desktop (press F5) to see the live connection update.