Overview of Row-Level Security Options in Tableau
Sometimes you want to filter data based on the user that is requesting it. For example:
- You want regional salespeople to see sales figures only for their region.
- You want sales managers to see statistics only for salespeople that report to them.
- You want students to see visualizations based only on their own test scores.
An approach to filtering data this way is called row-level security (RLS). There are multiple methods to accomplish row-level security both inside and outside of Tableau, each with its own pros and cons.
Create a user filter and map users to values manually
The simplest way to achieve row-level security in Tableau is through a user filter where you manually map users to values. For example, you could manually map a user named “Alice” to the value “East” so that she only sees rows in the data source where the “Region” column is “East”.
This method is convenient but high maintenance, and attention must be paid to security. It must be done per-workbook, and you must update the filter and republish the data source as your user base changes. When you publish an asset with this type of user filter, you need to set permissions so that users cannot save or download it and remove the filter, thereby gaining access to all of the data.
For more information, see Create a user filter and map users to values manually(Link opens in a new window) in the Tableau Desktop and Web Authoring help.
Create a dynamic user filter using a security field in the data
Using this method, you create a calculated field that automates the process of mapping users to data values. This method requires that the underlying data include the security information you want to use for filtering. For example, using a calculated field, the USERNAME() function, and a “Manager” column in the data source, you could determine if the user requesting the view is a manager and adjust the data in the view accordingly.
Because filtering is defined at the data level and automated by the calculated field, this method is less error prone than mapping users to data values manually. When you publish an asset with this type of user filter, you need to set permissions so that users cannot save or download it and remove the filter, thereby gaining access to all of the data.
For more information, see Create a dynamic filter using a security field in the data(Link opens in a new window) in the Tableau Desktop and Web Authoring help.
Use a data policy
Starting in Tableau 2021.4, when Data Management is enabled in Tableau Server or Tableau Cloud, users with a Creator license can implement row-level security through data policies on virtual connections. Because virtual connections are centralized and reusable, you can manage row-level security for each connection in one place, safely and securely, across all content that uses that connection.
Unlike the above solutions for row-level security in Tableau, this method doesn't carry the same risk of exposing information if an author neglects to properly secure permissions on the workbook or data source, because the policy is enforced on the server for every query.
Row-level security through virtual connection data policies was developed to address shortcomings of other row-level security solutions. We recommend this solution in most situations where it's an option.
For more information on row-level security using data policies on virtual connections, see About Virtual Connections and Data Policies.
Use existing RLS in the database
Many data sources have mechanisms for RLS built in. If your organization has already put effort into building row-level security in a data source, you may be able to take advantage of your existing RLS.
It is not necessarily easier or better to implement a built-in RLS model vs. building it with Tableau in mind; these techniques are generally leveraged when an organization has already invested in these technologies and they want to take advantage of that investment, or when they need to apply the same security policies to other database clients in addition to Tableau.
The main benefit of using built-in RLS is that administrators can implement and control their data security policy in one place: their databases.
Pass user attributes
You can pass user attributes included in a JSON Web Token (JWT) to customize and control access to data in Tableau Cloud embedding workflows. For more information, see Embedding v3 API(Link opens in a new window) Help.
Row-level security option comparison
RLS option | Useful when | Pros | Cons |
---|---|---|---|
Manual user filter |
|
|
|
Dynamic user filter |
|
|
|
Data policy |
|
|
|
RLS in the database |
|
|
|
User attributes |
|
|
|