Row-Level Security in the Database

If your organisation has already put effort into building out row-level security (RLS) in a database, you might be able to use one of the following techniques to take advantage of your existing RLS. In order to leverage the database’s security models, live connections are required. Additionally, these techniques are likely not available in Tableau Cloud; the Tableau username for Tableau Cloud is a unique email address that is not typically the user identity on the database side.

It is not necessarily easier or better to implement a built-in RLS model vs building it with Tableau in mind; these techniques are generally leveraged when an organisation has already invested in these technologies and they want to take advantage of the investment.

Note: For information on the alternatives you can use to implement row-level security in Tableau, see an Overview of Row-Level Security Options in Tableau.

Impersonation (Microsoft SQL Server)

Microsoft SQL Server (and a few related systems) can be configured so that users of the database only have access to views with RLS filters built in, either using Security Junction Tables or views built by the DBA. Tableau can take advantage of this using a concept called “impersonation”.

When publishing a Tableau data source containing an MS SQL Server connection to Tableau Server, there are two authentication options available to take advantage of impersonation. The menu you see will depend on whether you logged into the SQL Server using network authentication or by entering username/password credentials.

To enable RLS filtering for any user who can access the published data source in Tableau Server, either the AD Run-As Account or the embedded SQL server credentials must have permission to EXECUTE AS for all the Tableau users in the database that will be accessing the dashboard or data source. All Tableau users must exist in the database server as users, with SELECT rights for the Views you are trying to connect to (and have RLS applied to). See Impersonation Requirements for the comprehensive list of requirements.

Kerberos and constrained delegation

Constrained delegation within Tableau Server using Kerberos operates similarly to impersonation in that it allows Tableau Server to use the Kerberos credentials of the view of a workbook or view to execute a query on behalf of the viewer, so if RLS is set up on the database, the viewer of the workbook will see only their data.

To see the comprehensive list of databases where Kerberos delegation is supported, see Enable Kerberos Delegation. Active Directory is required; the computer where Tableau Server is installed must be joined to the Active Directory domain. The authentication method(Link opens in a new window) specified when publishing the data source must be viewer credentials.

Note that Kerberos can be leveraged for RLS when using Microsoft Analysis Services.

OLAP Cubes

OLAP Cube connections in Tableau do not have the equivalent of a data source filter, which is required for the entitlements table-based RLS method in Tableau, or access to the USERNAME() function. For these reasons, Kerberos and constrained delegation is a recommended approach to RLS with OLAP databases, which allows Tableau to leverage user filtering that has already been implemented on the OLAP Server side.

If the users viewing the dashboard will not be part of the domain, then the manual approach to creating user filters is possible. However, because the User Filter Set generated cannot be added as a data source filter, and will instead exist on the filters shelf, it is important that Web Editing and Download Workbook functionality is not permissible for any published views using this method.

SAML delegation and SAP HANA

If Tableau Server is configured to use Configure SAP HANA SSO to provide a single sign-on experience, the viewer credentials are used to execute the query as that user, which will operate within whatever security is applied on the user level. The authentication method(Link opens in a new window) specified when publishing the data source must be viewer credentials.

Initial SQL to force a user-specific session (Oracle VPD)

Initial SQL enables you to specify an SQL command that is run when the connection is made to the database for the purpose of setting up temporary tables to use during the session or to set up a custom data environment.

For Oracle VPD, you can set up a session specific to a user by running a particular stored procedure or function to set the context of the database connection to match the Tableau user’s username:

begin
DBMS_SESSION.SET_IDENTIFIER([TableauServerUser]);
end;

The same high-level requirements hold true for using this for RLS as with impersonation; the DBA must set up VPD and all of the associated users to exist on the database.

On MS SQL Server, you could force an EXECUTE as command (however, this is similar to what Tableau does with impersonation already) :

EXECUTE AS USER = [TableauServerUser] WITH NO REVERT;

Note: If the data source is embedded and a user has permissions to web edit or download the workbook, then the RLS is nonexistent since the initial SQL enforcing it can be easily removed. The data source should be published separately instead of being embedded in the workbook.

Comparison matrix for row-level security methods

MethodUseful whenProsCons
Entitlements table (Recommended)
  • There is an existing concept of entitlements in the database
  • The organisation is setting up Row Level Security for the first time
  • Easy to test, update, maintain and scale
  • Works for both live connections and extracts in version 2018.3+
  • Requires creating and maintaining entitlements table
  • Could require selecting and creating appropriate keys to optimise for performance
CONTAINS() with extracts
  • Implementing RLS in extracts prior to version 2018.3
  • Allows you to take advantage of extract efficiencies
  • Requires mapping all users to a single column
  • Difficult to switch back to live connections because of string calculation
Impersonation
  • Every user accessing the data will exist as a user in your SQL server (Usually, internal deployments)
  • Security is handled and maintained in one place – the database
  • Requires every person accessing the view to exist as a user within your SQL Server
  • Only works for Microsoft SQL Server
Kerberos
  • All necessary databases are set up for Kerberos delegation, and RLS is set up on the database (usually internal deployments)
  • The viewer’s name appears on the access logs for the database
  • Security is handled and maintained in the database
  • Tableau must be configured to use LDAP - Active Directory
  • Tableau Server must be joined to the AD domain
  • Every user must exist within your AD domain
Initial SQL
  • The database supports initial SQL, and RLS is set up on the database side
  • Allows the passing of Tableau parameters at load time
  • Dedicated connection that can’t be shared with other users
  • Users must exist within database to execute query as user
  • Not all databases support initial SQL
  • Potential performance implications because of restricted cache sharing
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!