If your organization has already put effort into building out row-level security (RLS) in a database, you might be able to use one of the following techniques to take advantage of your existing RLS. In order to leverage the database's security models, live connections are required. Additionally, these techniques are likely not available in Tableau Cloud; the Tableau username for Tableau Cloud is a unique email address that is not typically the user identity on the database side.

It is not necessarily easier or better to implement a built-in RLS model vs. building it with Tableau in mind; these techniques are generally leveraged when an organization has already invested in these technologies and wants to take advantage of the investment.

Note: For information on the alternatives you can use to implement row-level security in Tableau, see an Overview of Row-Level Security Options in Tableau.

Microsoft SQL Server (and a few related systems) can be configured so that users of the database only have access to views with RLS filters built in, either using Security Junction Tables or views built by the DBA. Tableau can take advantage of this using a concept called "impersonation." When publishing a Tableau data source containing an MS SQL Server connection to Tableau Server, there are two authentication options available to take advantage of impersonation. The menu you see will depend on whether you logged into the SQL Server using network authentication or by entering username/password credentials.

To enable RLS filtering for any user who can access the published data source in Tableau Server, either the AD Run-As Account or the embedded SQL Server credentials must have permission to EXECUTE AS for all of the Tableau users in the database that will be accessing the dashboard or data source. All Tableau users must exist in the database server as users, with SELECT rights for the views you are trying to connect to (and have RLS applied to). See Impersonation Requirements for the comprehensive list of requirements.

Kerberos and constrained delegation

Constrained delegation within Tableau Server using Kerberos operates similarly to impersonation in that it allows Tableau Server to use the Kerberos credentials of the viewer of a workbook or view to execute a query on behalf of the viewer, so if RLS is set up on the database, the viewer of the workbook will see only their data.

To see the comprehensive list of databases where Kerberos delegation is supported, see Enable Kerberos Delegation. Active Directory is required; the computer where Tableau Server is installed must be joined to the Active Directory domain. Note that Kerberos can be leveraged for RLS when using Microsoft Analysis Services.

OLAP Cube connections in Tableau do not have the equivalent of a data source filter, which is required for the entitlements table-based RLS method in Tableau, or access to the USERNAME() function. For these reasons, Kerberos and constrained delegation is a recommended approach to RLS with OLAP databases, which allows Tableau to leverage user filtering that has already been implemented on the OLAP Server side.

If the users viewing the dashboard will not be part of the domain, then the manual approach to creating user filters is possible. However, because the User Filter Set generated cannot be added as a data source filter, and will instead exist on the filters shelf, it is important that Web Editing and Download Workbook functionality is not permissible for any published views using this method.

If Tableau Server is configured to use SAP HANA SSO (see Configure SAP HANA SSO) to provide a single sign-on experience, the viewer credentials are used to execute the query as that user, which will operate within whatever security is applied on the user level. The authentication method specified when publishing the data source must be viewer credentials.

Initial SQL to force a user-specific session (Oracle VPD)
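
For the Microsoft SQL Server impersonation approach on this page (a security junction table behind a view, SELECT on the view for each viewer, and EXECUTE AS rights for the account Tableau connects with), the following T-SQL is an added example and not part of the original page or Tableau's documentation. All table, view and principal names are hypothetical, and it assumes database users created WITHOUT LOGIN so it can run in a scratch database; in a real deployment the principals are your actual accounts and the grants follow Impersonation Requirements.

```sql
-- Constructed sample schema; every object and principal name here is hypothetical.
-- GO is the batch separator used by SSMS and sqlcmd.
CREATE TABLE dbo.Sales (
    SaleId int PRIMARY KEY,
    Region varchar(20) NOT NULL,
    Amount money NOT NULL
);
-- Security junction table: which user may see which region.
CREATE TABLE dbo.RegionAccess (
    UserName sysname NOT NULL,
    Region   varchar(20) NOT NULL,
    PRIMARY KEY (UserName, Region)
);
INSERT INTO dbo.Sales VALUES (1, 'East', 100), (2, 'West', 250), (3, 'East', 75);
INSERT INTO dbo.RegionAccess VALUES ('alice', 'East'), ('bob', 'West');
GO

-- The view carries the RLS filter: rows are limited to the current security context.
CREATE VIEW dbo.vSales AS
SELECT s.SaleId, s.Region, s.Amount
FROM dbo.Sales AS s
JOIN dbo.RegionAccess AS a ON a.Region = s.Region
WHERE a.UserName = USER_NAME();
GO

CREATE USER alice WITHOUT LOGIN;
CREATE USER bob WITHOUT LOGIN;
CREATE USER svc_tableau WITHOUT LOGIN;  -- stands in for the Run-As / embedded account

-- Viewers get SELECT on the view only, never on the base tables.
GRANT SELECT ON dbo.vSales TO alice, bob;

-- One IMPERSONATE grant per viewer, so the service account can EXECUTE AS
-- exactly the users who use the data source and nobody else.
GRANT IMPERSONATE ON USER::alice TO svc_tableau;
GRANT IMPERSONATE ON USER::bob   TO svc_tableau;
GO

-- Verification, run by a database owner: become the service account, then
-- impersonate a viewer the way the connecting account would.
EXECUTE AS USER = 'svc_tableau';
EXECUTE AS USER = 'alice';
SELECT SaleId, Region, Amount FROM dbo.vSales;            -- filtered by the view
SELECT HAS_PERMS_BY_NAME('dbo.Sales', 'OBJECT', 'SELECT') -- direct base-table access check
       AS CanReadBaseTable;
REVERT;  -- back to svc_tableau
REVERT;  -- back to the original caller
```

Granting IMPERSONATE per user rather than a blanket permission keeps the service account from assuming identities outside the Tableau audience, and the base-table check confirms viewers cannot bypass the view.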