To manage who has access to what information in a Tableau dashboard and Tableau data source, use row level security. There are two ways to view permissions and data visibility in Tableau.
- Which projects, workbooks, and dashboards the user can see. Only allowing the user to see what is important to them can improve the user experience.
- What information a dashboard user can see?
Row level permissions manage what a user sees when they launch a dashboard or establish a connection to a publicly accessible data source. Check out the Tableau online course to learn more.
Secure rows at the row level by utilising a computed field. Tableau functions are able to determine who is logged in and whether or not that person is associated with a Tableau Server group. The relevant Tableau functions are USERNAME() and ISMEMBEROF.
This information can control the rows of data a user is able to view.
Tableau Row Level Security Using ISMEMBEROF
The first type of security is row level security, which is simpler and uses Tableau Server groups and the Tableau ISMEMBEROF function.
ISMEMBEROF determines whether the user belongs to a particular Tableau Server group.
One segment might, for instance, be limited to seeing just furniture transactions. Make a group called “Furniture” on your Tableau Server / Online for users who have access to furniture sales.
Create a calculated field using ISMEMBEROF and utilise the Tableau Superstore dataset (found in your My Tableau Repository – Datasources) to manage who may view the Furniture category sales within the Category field:[Category]=”Furniture” AND ISMEMBEROF(“Furniture”)
This computed field is boolean; if the user is in the Furniture Tableau Server group AND the Category is Furniture, it will return True. If not, False is returned.
As a data source filter, use the calculated field and set its value to True. In Tableau, row level security is now enabled!
It should be noted that if you only want the calculated field to affect particular worksheets, you can use it as a regular filter and avoid using it as a data source filter.
I always publish the data source with row level security enabled when I operate in an environment where data sources are available for public access. Because of this, users can explore the data source and utilise the Edit feature without seeing information they aren’t allowed to see. It is not possible for the user to disable inbuilt security online. This is especially helpful if your users have access to any self-service analytics. (Disclaimer: They will be able to remove the security filter if they can get a publicly available data source.)
This not only secures data but also increases Tableau’s performance by lowering the quantity of data that needs to be processed for every user. Should the data source have one million records, but the user can only be allowed to see 100k, Tableau only has to render 10% of total records, which is far quicker.
Tableau Row Level Security Using Username()
The username of the user must be displayed next to the record in the data source so that it is possible to verify what the logged-in user is permitted to see. There are two approaches to this, although one works better than the other (albeit it has additional drawbacks).
Use a calculated field, but this time with the USERNAME() function rather than ISMEMBEROF. The Tableau username of the currently logged-in user is returned by the USERNAME function. The name that Tableau uses to identify someone is likely not their real name; it might be a code, a number, or their full name. If you have authorization, go to Tableau Server and look under Users to see the name Tableau is using in your settings.
- First off, the most effective method for implementing granular row level security is through relationships.
Tableau Relationships for row level security
This strategy was made feasible with the release of Tableau Relationships. With the aid of Tableau Relationships, numerous data sources may be combined. This entails linking a security table to a data table in the case of row level security.
- Next, make a calculated field to verify the user’s name who is logged in:
When it is added as a data source filter and set to True, the dashboard will only display those entries for the user to view.
All records in Orders that the user isn’t permitted to view are eliminated by the filter and join working together. In the given example, user “bsmith” will only view entries in the Furniture category; Tableau ignores the records in the other categories since their calculations yield False.
The dashboard load times are significantly faster with this strategy as opposed to the “permissions-string” method.
Blending data has a downside. One drawback of utilising relationship-built data sources for data blending is that they can only serve as the main source of data in a blend. It is not possible to use a relationship-built data source as a secondary source.
Using a string of usernames for row level security
This method has been used for a very long period. It was originally discussed on this blog in 2015, and it’s still useful, particularly if you’re using Tableau’s pre-relationships version (2020.1 or earlier).
This approach necessitates some ETL and database effort. A delimited string of other users who can access the record should include the Tableau usernames of all users who are allowed to view a certain row of data. It is advisable to delimit using a character that is rarely used in usernames or as a delimiter, like a dollar sign ($) or pipe (|).
The computed field that uses this string verifies whether the username of the logged-in user is present in the list. If so, True is returned; if not, False is returned.
Add this field as a data source filter and change its value to True in order to enable row level security.
Although this strategy does not perform as well as utilising Relationships, it does allow for customizable data blending.
Combining Tableau User Functions For Robust Row Level Security
The preceding description covers each row level security function separately. Real life is typically more complex.
To give more precise control, ISMEMBEROF and USERNAME() are frequently coupled. For instance, all Furniture data may be visible to members of a Tableau Server group called “Furniture Management” without any restrictions, while other users’ access is restricted based on their identity.
Every condition can be tested via a computed field:
(ISMEMBEROF(“Furniture Management”) AND [Category] = “Furniture”) OR USERNAME() = [NameField]
To secure your Tableau data sources, use Tableau server groups and user functions.
Conclusion Check our Tableau online training to learn more Row Level Security.