When you publish a workbook to Tableau Online or Tableau Server, you can publish the data source it connects to as part of the workbook (embedded into the workbook) or as a separate, standalone data source. In addition, if the data source you’re publishing requires authentication, you can customise how credentials are obtained.
The type of authentication to your data source is independent of how people sign in to your Tableau Online or Tableau Server site. For example, to give people direct access to the data in a workbook, you would embed a database user’s credentials into the data source’s connection. But anyone viewing the workbook would still need to be able to sign in to the site on Tableau Online or Tableau Server to open your workbook.
This topic describes how to set authentication on data connections as part of the publishing process.
Note: This topic does not apply to connections to that do not require authentication, such as text files or Excel files.
For many types of connection you can embed a database user’s name and password, or use single sign on (SSO). Specific exceptions are described later in this topic.
The following steps describe how to set authentication as part of publishing a data source or workbook. You can do this for each connection in the data source.
In the Publish Workbook dialog box, go to the Data Sources area, which lists the workbook’s connections, and select Edit.
- In the Manage Data Sources popup, after you decide whether to publish the data source separately or as part of the workbook, select an authentication type for each connection in the data source.
The available authentication types depend on the connection type, and they can include one or more of the following:
Prompt user: Users must enter their own database credentials to access the published data when the view or workbook loads.
Embedded password: The credentials you used to connect to the data will be saved with the connection and used by everyone who accesses the data source or workbook you publish.
Server run as account: A single Kerberos service account will be used to authenticate the user. On Windows this is the account that Tableau Server runs as. On Linux it can be any Kerberos account.
Viewer credentials: The viewer’s credentials are passed through to the database using SSO (usually Kerberos).
Impersonate with embedded account or Impersonate with server Run As service account: Impersonation using embedded credentials connects with the embedded credentials and then switches to the viewer’s identity (only for databases that support this). Impersonation using the Run As service account is similar but first, connects with the Kerberos service account before switching to the viewer’s identity.
Refresh not enabled or Allow refresh access: These options appear when you publish an extract of cloud data such as from Salesforce, and database credentials are needed to access the underlying data. Allow refresh access embeds the credentials in the connection, so that you can set up refreshes of that extract on a regular schedule. Setting Refresh not enabled prompts users when they open the workbook.
Important: How you want to keep extracted data fresh is also a factor:
- If you want to set up an automatic refresh schedule, you must embed the password in the connection.
- If you’re publishing a cloud data connection to Tableau Online, the publishing steps will alert you if you need to add Tableau Online to the data provider’s authorised list.
- You can’t publish an extract that’s created from a Kerberos-delegated, row-level-secure data source.
For Dropbox and OneDrive, when you publish a data source or workbook and select Embedded password, Tableau creates a saved credential and embeds it in the data source or workbook.
When you publish a workbook that connects to a Tableau Online or Tableau Server data source, rather than setting the credentials to access the underlying data, you set whether the workbook can access the published data source it connects to. Regardless of the original data type, the choice for server data sources is always Embedded password or Prompt users.
If you select to prompt users, a user who opens the workbook must have View and Connect permissions on the data source to see the data. If you select embed password, users can see the information in the workbook even if they don’t have View or Connect permissions.
If you publish to Tableau Server, see Edit Connections(Link opens in a new window) in the Tableau Server Help.
If you publish to Tableau Online and the workbook connects to Salesforce, Google Analytics, Google Sheets, Google BigQuery, OneDrive, Dropbox and QuickBooks Online data, see Refresh Data Using Saved Credentials (Link opens in a new window)in the Tableau Online Help.
If you are a Tableau Server administrator looking for more information about authentication, see the Tableau Server help topics, "Authentication" (Windows | Linux(Link opens in a new window)) and "Data Connection Authentication" (Windows(Link opens in a new window) | Linux(Link opens in a new window)).