Extension Security - Best Practices for Deployment
The following information is for IT officers and administrators, Tableau server and site administrators, and anyone who is interested in managing dashboard extensions and the security of their data and business. The suggestions for deployment are intended for companies that have a mix of users who are on Tableau Desktop and Tableau Server or Tableau Online.
Security for extensions in Tableau
Extensions are web applications that could be hosted inside your network, or outside on a third-party server, or in a secure sandboxed environment hosted by Tableau. Extensions can interact with other components in the dashboard and potentially have access to the visible and underlying data in the workbook (through a well-defined API). Tableau supports two types of extensions:
Network-enabled extensions are hosted on web servers that are located inside or outside of your local network and have full access to the web. Network-enabled extensions can connect with other applications and services, offering new capabilities to Tableau inside the dashboard, such as custom data visualizations, natural language generation, and write-back to data source scenarios. Network-enabled extensions have full access to the web, which means that while they can offer rich features and experiences by being able to connect to outside resources, they should be carefully evaluated before deploying or adopting.
Sandboxed extensions run in a protected environment without access to any other resource or service on the web. Sandboxed extensions are hosted by Tableau and provide the most security and eliminate the risk of data exfiltration. To safeguard against cyber-attacks, the Sandboxed extensions environment and hosting service has undergone extensive penetration testing by a third-party consultant.
You can use Sandboxed and Network-enabled extensions in Tableau Desktop, Tableau Server, and Tableau Online. Tableau Server and Tableau Online provide the most control over the extensions your users can run.
Potential security risks with Network-enabled extensions
Because extensions are web applications, there is the potential that a Network-enabled extension could be vulnerable to certain types of malicious attacks, which in turn could present a risk to your computer or data. The Open Web Application Security Project (OWASP) annually identifies the most critical web application security risks. These risks include the following:
- SQL injection
- Cross-site scripting (XSS)
- Sensitive data exposure
These risks could compromise the extension if the developers of the extension do not properly validate and handle user inputs, or if they generate dynamic queries to access sensitive databases. As you evaluate the extensions that you want to allow in Tableau, be sure to consider how they manage authentication, data access, or user input, and how they mitigate security risks.
Mitigating the security threats with Network-enabled extensions
Tableau provides security measures and security requirements for extensions. These are enabled for Tableau Desktop, Tableau Server, and Tableau Online.
- All extensions must use the HTTP Secure (HTTPS) protocol.
- By default, anyone using a dashboard with a Network-enabled extension will be prompted and asked to allow or deny the extension permission to run. The extension must request permission if it will access underlying data.
- To run on Tableau Server or Tableau Online, the URL of the Network-enabled extension must be added to a safe list. The server administrator manages this list for Tableau Server; the site administrator manages this list for Tableau Online.
- On Tableau Server and Tableau Online, the server or site administrator (respectively) can control whether the prompt appears for each Network-enabled extension.
For more information, see Manage Dashboard Extensions in Tableau Server.
Manage extensions using Tableau
Extensions provide a way to add unique features to dashboards. You can use extensions to directly integrate the dashboard with applications outside of Tableau. While extensions open up a world of possibilities, there are instances where you need or want to maintain control of how extensions are deployed in your company or enterprise. In this respect, extensions are no different from any other software that you intend to use. Before you deploy software applications in your company you should thoroughly test and verify that the software works as expected and is secure. The same is true for extensions.
After you determine what level of access your users should have, and identify the extensions you want to use (or conversely, the extensions you don’t want used), you can use the controls and features within Tableau to restrict and curate the dashboard extensions users have access to.
- Do you need to restrict who can add or use extensions in Tableau Desktop? See Recommendations for Tableau Desktop.
- Do you need to restrict or control the extensions your users have access to? See Recommendations for Tableau Server and Tableau Online.
You have a range of options for deploying Tableau Desktop in your company. You can allow unrestricted access to Sandboxed and Network-enabled extensions, or you can put limits and restrictions on who has access to extensions and under what circumstances.
By default, Tableau Desktop users have unrestricted access to Sandboxed and Network-enabled extensions. You can use two options during installation to change the default settings.
- Turn off all extensions (DISABLEEXTENSIONS=1)
- Turn off Network-enabled extensions (DISABLENETWORKEXTENSIONS=1)
Note: You can change these settings after Tableau Desktop installation by editing the Registry (Windows) or running a script (Mac) on each Desktop. See Turn off dashboard extensions.
Using the installation settings, you can deploy Tableau Desktop in several ways.
Allow all extensions - In this deployment scenario, you choose to trust Tableau dashboard authors to select the Sandboxed and Network-enabled extensions they want to use. If you want to empower your Tableau Desktop users with the greatest flexibility, use the default installation settings. Using the default settings, Tableau Desktop users have unrestricted access to Sandboxed and Network-enabled extensions. The default settings are DISABLEEXTENSIONS=0 and DISABLENETWORKEXTENSIONS=0. See Install Tableau Desktop from the Command Line.
Only allow Sandboxed extensions - In this scenario, you know that Sandboxed extensions are safe and you want to allow them, but you aren't sure about Network-enabled extensions and want to prevent their use. To turn off support for Network-enabled extensions, set the DISABLENETWORKEXTENSIONS installation option to 1 (DISABLENETWORKEXTENSIONS=1). Keep the default setting for enabling extensions (DISABLEEXTENSIONS=0). See Install Tableau Desktop from the Command Line.
No extensions allowed - In this scenario, you don't want to allow users to use extensions of either type, Network-enabled or Sandboxed. In this case, turn support for all extensions off by setting the DISABLEEXTENSIONS installation option to 1 (DISABLEEXTENSIONS=1). See Install Tableau Desktop from the Command Line.
Use a combination of settings - You might have some users who need and should have unrestricted access to all extensions, others for whom access to Sandboxed extensions is sufficient, and finally a set of users who need no access to extensions at all. Because the extension options are set per desktop, you can configure your deployment for specific users and their use cases.
Web authoring - If Tableau Server or Tableau Online are available for your users, they can use web authoring to access extensions. In web authoring, the server or site settings for extensions apply. In this scenario, the server and site administrators can determine which extensions to allow users access to. Administrators can use the server and site settings to restrict access to Sandboxed extensions only, or to restrict access to Sandboxed extensions and the Network-enabled extensions that have been added to a safe list.
If your users have access to Tableau Server or Tableau Online, you can use the built-in security controls to put limits and restrictions on the extensions that can be used and under what circumstances. If you have turned off extensions on Tableau Desktop, you can still allow users to add extensions in web authoring, but you can limit the number of extensions that can be used to just ones you approve of.
Trust Sandboxed extensions and the Network-enabled extensions on the safe list
Starting with Tableau 2019.4, only Sandboxed extensions are allowed to run by default. Network-enabled extensions are not allowed unless they have been added to the safe list. Administrators can add Network-enabled extensions to the settings page for the site (Settings > Extensions > Enable specific Extensions).
Note: To make the safe list the default behavior for extensions in Tableau 2018.2 and Tableau 2018.3, you need to change the settings for the site. On the Extensions settings page, under Default behavior for Extensions, clear the Enable unknown extensions... option. In Tableau Server 2019.1, Tableau 2019.2, and Tableau 2019.3, by default, no extensions are allowed to run unless they have been added to the safe list.
Checklist for the safe list:
- Does the extension come from a source that you know and trust?
- Check the URL of the extension. Does the URL look suspicious or contain dubious domain names?
- Does the extension require access to full (underlying data) or summary data? See Understand data access.
- Test the extensions before allowing broad use. See Test extensions for security. See Test Network-enabled extensions for security.
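As an added example (not from the Tableau documentation), the following Python script applies this checklist to an extension's .trex manifest before an administrator adds its URL to the safe list. It assumes the standard Tableau manifest layout (a source-location URL and a permissions list) and uses constructed trusted-host and block-list values; adapt those to your own environment.

```python
# Added example: review a dashboard extension manifest against the safe-list
# checklist (HTTPS only, known source, full-data access needs review, not on
# the block list). Assumes the standard .trex manifest XML layout.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"m": "http://www.tableau.com/xml/extension_manifest"}

# Constructed sample policy: hosts the administrator trusts, and URLs blocked.
TRUSTED_HOSTS = {"extensions.corp.example"}
BLOCK_LIST = {"https://ext.vendor-demo.example/writeback"}

# Constructed sample manifest for a hypothetical write-back extension.
SAMPLE_TREX = """<manifest manifest-version="0.1"
  xmlns="http://www.tableau.com/xml/extension_manifest">
  <dashboard-extension id="com.example.sales-writeback" extension-version="1.0.0">
    <name resource-id="name"/>
    <min-api-version>1.0</min-api-version>
    <source-location><url>https://ext.vendor-demo.example/writeback</url></source-location>
    <permissions><permission>full data</permission></permissions>
  </dashboard-extension>
</manifest>"""


def review_manifest(trex_xml, trusted_hosts=TRUSTED_HOSTS, block_list=BLOCK_LIST):
    """Return (verdict, findings): verdict is 'allow', 'review' or 'deny'."""
    root = ET.fromstring(trex_xml)
    url = (root.findtext("m:dashboard-extension/m:source-location/m:url",
                         default="", namespaces=NS) or "").strip()
    perms = [(p.text or "").strip() for p in
             root.findall("m:dashboard-extension/m:permissions/m:permission", NS)]
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":            # all extensions must use HTTPS
        findings.append("deny: extension URL must use HTTPS, got %r" % url)
    if url in block_list:                  # already blocked by the server admin
        findings.append("deny: URL is on the block list")
    if (parts.hostname or "") not in trusted_hosts:
        findings.append("review: host %r is not a known, trusted source" % parts.hostname)
    if "full data" in perms:               # underlying data, not just summary data
        findings.append("review: extension requests full (underlying) data access")
    if any(f.startswith("deny") for f in findings):
        return "deny", findings
    return ("review" if findings else "allow"), findings


if __name__ == "__main__":
    verdict, notes = review_manifest(SAMPLE_TREX)
    print(verdict, *notes, sep="\n  ")
```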
Add extensions to the safe list:
Block specific extensions from running on Tableau Server
On Tableau Server, you can block specific extensions by adding their URL to the block list. This is useful if you have multiple sites that are configured differently for extensions. For example, if you have a test site where you want to be able to test internal or third-party extensions, you might have enabled the default behavior for extensions, where unlisted extensions are allowed to run provided they do not access the underlying data in the workbook. Adding an extension to the block list will prevent it from inadvertently being used on the test site.
- Add the URL of the extensions that you do not want to allow to the block list. This option is only available on Tableau Server. See Block specific extensions.
Turn off extensions for a site
By default, extensions are enabled on Tableau Server and Tableau Online. On Tableau Server, the server administrator can turn off extensions for a site. On Tableau Online, the site administrator can turn off extensions for the site. On Tableau Server, the server administrator can turn off extensions completely, which overrides the site settings. You should not have to change this setting on the server or for the site, as you can control the Network-enabled extensions that you want to allow on the safe list, and you can control the settings for Sandboxed extensions, which are allowed by default.
- To disable extensions on a site (Tableau Server, Tableau Online), change the site setting that enables users to run extensions on the site. See Control dashboard extensions and access to data.
Show or hide user prompts to run Network-enabled extensions
When you add a Network-enabled extension to the safe list, you can configure whether users see prompts by default when they are adding the extension to a dashboard, or when they are interacting with a view that has the extension. The prompt tells users details about the Network-enabled extension and whether the extension has access to full data. The prompt gives users the ability to allow or deny the extension from running. You can hide this prompt from users, allowing the extension to run immediately. When enabled for a site, Sandboxed extensions are allowed by default and do not prompt users.
Turn off Sandboxed extensions
Starting in Tableau 2019.4, Sandboxed extensions are enabled for Tableau Server and Tableau Online by default. Sandboxed extensions run in a protected environment and are hosted by Tableau. Administrators can control whether to let users run Sandboxed extensions on a site. Sandboxed extensions don't need to be added to the safe list. When Sandboxed extensions are allowed, users are able to freely add Sandboxed extensions to dashboards and are able to open and use dashboards that contain Sandboxed extensions. If you need to block a Sandboxed extension, a server administrator can add the Sandboxed extension to a global block list. If you need to turn off Sandboxed extensions completely, you can change the default setting for the site. If you change the default setting for Sandboxed extensions, only the extensions (including Sandboxed extensions) that are on the safe list will be allowed to run.