Customize and Control Data Access Using User Attributes


If you’re authenticating and authorizing access to embedded content using Tableau connected apps (Tableau Cloud only), you can control and customize the user experience based on users’ contexts. This customization is enabled by a combination of including user attributes in a JSON Web Token (JWT) and applying user attribute functions in embedded content, such as workbooks. By including user attributes in your embedding workflow, you can manage data access policies in the same place you manage other policies and personalize the experience for users so they only see the information that is relevant to them.


What are user attributes?

User attributes are user metadata defined by your organization. User attributes can be used to determine access in a typical attribute-based access control (ABAC) authorization model. User attributes can be any aspect of the user profile, including job roles, departmental membership, management level, etc. They might also be associated with run-time user contexts like where the user is signed in or their language preference.

By including user attributes in your embedding workflow, you can control and customize the user experience through data access and personalization.

Enable user attributes

Summary of steps to pass user attributes

The process of enabling user attributes is summarized in the following steps.

  1. Enable the user attributes site setting
  2. Configure a connected app
  3. Include user attributes in the JWT
  4. Ensure the content author includes user attribute functions
  5. Embed the content in your external application

1. Enable the user attributes site setting

For security purposes, user attributes are only validated in an authentication workflow if the respective site setting is enabled by a site admin.

  1. Sign in to Tableau Cloud and click Settings > Authentication.
  2. Under the Control User Access in Authentication Workflows heading, select the Enable capture of user attributes in authentication workflows checkbox.

For more information about site settings, see the Site Settings Reference topic in the Tableau Cloud Help.

2. Configure a connected app

As a site admin, configure a connected app using direct trust or OAuth 2.0 trust. You can skip to the next step if you’ve already created one or more connected apps on your site.

3. Include user attributes in the JWT

Make sure the JWT contains the user attributes.

Example

Suppose you have an employee, Fred Suzuki, who is a manager located in the South region. You want to ensure that, when Fred reviews reports, he is only able to see data for the South region. In a scenario like this, you might include the Region user attribute in your JWT like in the Python example below.

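import datetime
import uuid

import jwt  # PyJWT

# connectedAppClientId, connectedAppSecretId and connectedAppSecretKey come from
# the connected app; user is the user the token is issued for.
token = jwt.encode(
    {
        "iss": connectedAppClientId,
        # Short-lived token: expires five minutes after it is issued.
        "exp": datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=5),
        "jti": str(uuid.uuid4()),
        "aud": "tableau",
        "sub": user,
        "scp": ["tableau:views:embed", "tableau:metrics:embed"],
        # User attribute passed to the embedded content.
        "Region": ["South"],
    },
    connectedAppSecretKey,
    algorithm="HS256",
    headers={
        "kid": connectedAppSecretId,
        "iss": connectedAppClientId,
    },
)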

4. Ensure the content author includes user attribute functions

Ensure the content author includes the user attribute functions and related filters to control what data can display in the embedded content. To ensure the user attributes from the JWT are passed to Tableau, the content must contain one of the following user attribute functions:

The function that the content author uses depends on whether the user attributes are expected to return a single value or multiple values. For more information about these functions and examples of each, see User Functions in the Tableau Help.

Note: Preview of the content with these functions is not available when authoring in Tableau Desktop or in Tableau Cloud. The function will return NULL or FALSE. To ensure the user functions work as expected, we recommend the author review the functions after embedding the content in an external application.

Example

Continuing the example introduced in Step 3. Include user attributes in the JWT above, to pass the “Region” user attribute from the JWT to a workbook, the author can include USERATTRIBUTEINCLUDES. For example, USERATTRIBUTEINCLUDES('Region', [Region]), where ‘Region’ is the user attribute and [Region] is a column in the data. Using the new calculation, the author can create a table with Manager and Sales data. When the calculation is added, the workbook returns “False” values as expected.

User attribute calculation and workbook

To show only the data associated with the South region in the embedded workbook, the author can create a filter and customize it to show values when the South region is “True.” When the filter is applied, the workbook becomes blank as expected because the function is returning “False” values and the filter is customized to show “True” values only.

Custom filter and workbook

5. Embed the content in your external application

Use the Tableau Embedding API to embed the content in your external application and ensure that you include the JWT in the <tableau-viz> web component or TableauViz object.

Example

To conclude the example from Step 4: Ensure the content author includes user attribute functions above, after you embed the view in an external application, the Sales data in the view is customized to Fred Suzuki because his user context is the South region.

Region matches South for Fred Suzuki

Managers from the regions represented in the workbook should see the value associated with their region. For example, Sawdie Pawthorne from the West region sees data specific to her region.

Region matches West for Sawdie Pawthorne

Managers whose regions are not represented in the workbook see a blank workbook.
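
The following added example (not part of the original page and not Tableau's code) ties Steps 3 to 5 together: it mints the HS256 token with attributes taken from a server-side record rather than from the request, verifies it, and models which rows a USERATTRIBUTEINCLUDES('Region', [Region]) filter would keep. The directory, the sample rows, the credential placeholders, and the function names are assumptions; signing uses only the Python standard library in place of PyJWT, and visible_rows is a local model of the filter, not how Tableau evaluates it.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed placeholders; real values come from the connected app.
CLIENT_ID, SECRET_ID, SECRET_KEY = "client-id", "secret-id", b"secret-value"
# Hypothetical server-side directory: the trusted source of user attributes.
DIRECTORY = {
    "fred@example.com": {"Region": ["South"]},
    "sawdie@example.com": {"Region": ["West"]},
    "nora@example.com": {"Region": ["North"]},  # region not present in ROWS
}
# Constructed rows standing in for the workbook's Manager/Region/Sales data.
ROWS = [("Fred Suzuki", "South", 1200), ("Sawdie Pawthorne", "West", 900)]

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(signing_input: str) -> str:
    return b64url(hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest())

def mint_token(user, now=None):
    """Build the JWT; unknown users raise KeyError, so no token is issued for them."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT", "kid": SECRET_ID, "iss": CLIENT_ID}
    claims = {"iss": CLIENT_ID, "exp": now + 300, "jti": str(uuid.uuid4()),
              "aud": "tableau", "sub": user,
              "scp": ["tableau:views:embed", "tableau:metrics:embed"],
              **DIRECTORY[user]}  # attributes looked up server-side only
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + sign(signing_input)

def verify_token(token, now=None):
    """Check signature and expiry, then return the claims; ValueError on failure."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, sign(signing_input)):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def visible_rows(claims):
    """Keep rows whose Region value is listed in the token's Region attribute."""
    return [row for row in ROWS if row[1] in claims.get("Region", [])]
```

A token whose payload is edited after signing fails verification, and a user with no Region attribute, or a region that is not in the data, gets an empty result, matching the blank workbook described above.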


Known issues

Blank images using the Tableau REST API

Tableau REST API requests Query Preview Image, Query Workbook Image, and Get Custom View Image produce blank images.

User attributes not available in published data sources

Support for published data sources that contain user attribute functions is not available today. As a temporary workaround, consider creating an embedded data source. An embedded data source allows the workbook to be published along with the data source instead of connecting to the published data source directly.