If you want to implement RLS with a data source that uses a live connection, you can proceed with the steps below.
If you plan to implement RLS with an extract data source, there are some extra steps and considerations you should make before proceeding with the steps below. For more information see Requirements for RLS with extract data sources.
Note: For information on the alternatives you can use to implement row-level security in Tableau, see an Overview of Row-Level Security Options in Tableau(Link opens in a new window) in the Tableau Server Help.
The steps in this section describe the simplest way to incorporate user-based filtering to help secure your data source or workbook using RLS. This procedure can be sufficient if you have a small and fairly static set of users or groups to manage, and only a small number of workbooks that need user filters. Completing the steps is also a low-cost way to get more familiar with user filtering.
In Tableau Desktop, open the workbook, or create a new one, and set up the connection to the data you want to filter.
Navigate to the worksheet that you want to apply a filter to.
Select Server > Create User Filter. Then select the field you want to use for filtering the view. This example uses Region.
If prompted, sign in to your server or site. For information, see Sign in to Tableau Server or Tableau Cloud.
In the User Filter dialog box, type a name for the set of rules you are creating.
In this example, we’ll use Regional Managers.
In the list on the left, select a user or group. On the right, select the individual members of the field you selected earlier, that you want the selected users to be able to see.
For this example, selected user Andrew Allen is the manager of the Eastern region, so in the field member list, you would select East.
Repeat this process for each user or group, and click OK when you’re done mapping users to values.
After you create the user filter, it appears in the Sets area of the Data pane.
Drag the user filter to the Filters shelf.
The filter becomes a context filter, and the view adjusts to show data that you are allowed to see.
Do any of the following to test or fine-tune the filter:
If the view appears as a blank canvas, you need to allow yourself or a group you are a member of to see a region.
In the Sets area of the Data pane, open the drop-down menu on the user filter, and then select Edit Set.
To preview how the filter works in the published view, in the lower-right corner of the workbook, open the Filter as User menu, and select the user or group from the list.
Note: Previewing is not available if the workbook connects to a Tableau Server data source.
To return to viewing the workbook as yourself, in the top right corner of the Filter as User menu, select Reset.
To copy the mapping selections you set on one user or group to another (rather than manually mapping the same settings), see Copy selected field values from one user to another.
When you publish the workbook, you need to take additional steps to make sure users cannot edit the workbook and remove the filter. For information, see Secure user filters on published content.
The steps below are based on the following view, which shows annual sales performance for a list of regional managers.
As described in Restrict Access at the Data Row Level, if you want to take this approach, the database must include the field you want to use for filtering.
For this example, the data includes a reference table called People, which contains two columns: Region and Manager. Names in the Manager field match Tableau Server or Tableau Cloud usernames, and we’ll use this field for filtering.
You can follow along using the Superstore data that comes with Tableau Desktop, although the fields and values do not match exactly.
Connect to the data and set up the user filter
In Tableau Desktop, open the workbook you want to add user filtering to, or create a new one, connecting to the data you want to filter.
In this example, we use a table called Orders.
On the Data Source page, add the reference table, creating a left join. Here we add the People table and create a left join on the Region field.
Go to the worksheet, select Analysis > Create Calculated Field, and create the following field:
- Name: User is a manager
USERNAME() = [Manager]
This new true/false field appears in the Dimensions pane. The formula returns TRUE if the user name of the person signed in to the server exists in the manager column.
Add the User is a manager field to the Filters shelf.
In the Filter dialog box, select True, and then click OK.
This sets the filter so that only people who are managers can see the data in the view.
If you are not listed in the Manager field, your view might appear as a blank canvas.
See how the view looks to a particular person: in the lower-right, open the Filter as User menu, and select someone you know is a manager.
The following image shows how the view shown earlier would look if Andrew Allen were signed in.
As with a manual user filter, you need to take steps to Secure user filters on published content.
Rather than maintain user filters and special permissions on each published workbook, you can filter a data source, and then publish the data source to make it available as a shared, one-to-many resource for anyone who uses that data.
This procedure builds from the dynamic-filter approach described in this topic.
Complete the steps in Create a dynamic filter using a security field in the data.
In the lower-left area of Tableau Desktop, select the Data Source tab.
In the upper-right area of the Data Source page, under Filter, click Add.
In the Edit Data Source Filters dialog box, click Add, add the calculated field you created for the dynamic filter, and set the filter to True.
In our examples, this is the User is a manager field.
Click OK until you get back to the Data Source page.
Global filters and data source filters
When you create a data source filter, any global filters that use that data source are automatically displayed in the Edit Data Source Filters dialog box to make it easy for you to promote a global filter to a data source filter. To promote the global filter to a data source filter, click OK.
If you promote a global filter to a data source filter, that global filter will no longer be visible in worksheets of the workbook (because it becomes a data source filter).
Important: Be aware that you do not need to select a global filter in the Edit Data Source Filters dialog box to promote it. When you click OK, all global filters in the list will be promoted.
To prevent a global filter from being promoted to a data source filter, select the global filter in the Edit Data Source Filters dialog box and then click Remove.
When you publish a workbook or data source with user filters, you need to set permissions to make sure that users opening your workbook or connecting to your Tableau Server data source cannot remove the filter, thereby gaining access to all of the data.
Before publishing, we recommend that you consult with your Tableau administrator regarding any existing policies in your organisation, particularly for setting permissions. See also Set Permissions as You Publish a Data Source or Workbook.
This information applies to publishing data sources with live connections and extracts whose data is stored as multiple tables.
To secure user filters, the following capabilities must be set to Deny, either during publishing, or afterward on the server.
When you’re creating a user filter manually, after you map a user or group to data values (members), you might want to map another user or group in the same way. You can do this by copying and pasting the settings.
In the Data pane, under Sets, select a user filter. Click the drop-down arrow and select Edit Set.
In the User Filter dialog box, select the user or group on which you want to paste settings from another user or group.
Click Copy From, and select the user or group whose settings you want to copy.
Data Security with User Filters(Link opens in a new window), from the Tableau video learning library.
To watch the video, you need to sign in to Tableau.com (or create a free account).