Manage Dashboard and Viz Extensions in Tableau Server

Tableau Extensions are web applications that can help extend the analytics delivered in a Tableau workbook. Extensions integrate seamlessly to interact with the rest of the Tableau workbook, using the Tableau Extensions API.

Dashboard extensions run in custom dashboard zones and can interact with the rest of the dashboard. Dashboard extensions give users the ability to interact with other applications directly in Tableau. Viz extensions run in worksheets and give users the ability to use custom viz types. Tableau users access dashboard extensions as dashboard objects and access viz extensions through the worksheet Marks card.

Note: Server administrators have the ability to enable dashboard and viz extensions on the server, or to block specific extensions from running. Administrators can add extensions to the safe list and control the type of data the extensions can access. The server administrator can also configure whether users on the site see prompts when they add or view extensions. Server administrators additionally have the ability to block specific extensions from being used across all sites. For information about extension security and recommended deployment options, see Extension Security - Best Practices for Deployment.

For information about using dashboard extensions in Tableau, see Use Dashboard Extensions.

For information about using viz extensions, see Add Viz Extensions to Your Worksheet.

Before you run extensions on Tableau Server

Extensions are an open platform, but in general there are two standards to consider:

  • Tableau Trusted extensions, which are extensions that have been specifically reviewed and deployed on Tableau managed hosts. These extensions include solutions built and managed by Tableau; solutions built by Tableau Exchange Partners that deploy with Tableau review and host service, and solutions hosted in the protected environment of our legacy Sandboxed extensions.

  • Network-enabled extensions, which are extensions that are hosted on any third-party host. Network-enabled extensions can be useful when developers choose to manage the delivery of their extensions without the involvement of Tableau. This includes extensions that partners manage directly to provide better production support; extensions that are hosted and deployed within your own local network, or extensions that require communication with third-party services outside of Tableau. Network-enabled extensions have full access to the web.

Note: Tableau supports integration with Salesforce Einstein Discovery through the Einstein Discovery Dashboard extension. This is a special extension that has access to data in Salesforce.com and is allowed by default. It's not considered a Network-enabled extension or a Sandboxed extension. For more information on Einstein Discovery integration, see Tableau Server Release Notes.

Tableau Trusted extensions

Starting in 2025.3, Tableau Trusted extensions represent the subset of extensions from Tableau Exchange that have been elevated for use. Trusted extensions are hosted on Tableau hosts and are required to limit communication between user clients and Tableau. These extensions have been tested for network communications and scanned for vulnerabilities before deployment. This extension standard is used to deliver more governed access to extensions. This standard includes:

  • Sandboxed extensions are hosted by Tableau and employ W3C standards, such as Content Security Policy (CSP), to ensure the extension can’t make network calls outside of the Tableau Sandbox host. A Sandboxed extension can query data, but the sandbox environment explicitly blocks communicating that data elsewhere. Sandboxed Extensions are supported in Tableau 2019.4 and later. By default, Sandboxed extensions are allowed to run if extensions are enabled for the site.
  • Tableau-built extensions are solutions developed and actively maintained by the Tableau development team. Tableau-built extensions are explicitly designed to direct communications toward the user client, rather than to query user data out. By design, this limits the risk of data exfiltration and data retention. Tableau Built Extensions also undergo Salesforce Software Development Life Cycle (SDLC) standards. By default, Tableau-built extensions are allowed to run if extensions are enabled for the site.

  • Trusted partner-built extensions are solutions developed and actively maintained by accredited Tableau and Salesforce Partners that contribute to Tableau Exchange. Tableau developers validate these third-party solutions through manual testing before they are deployed as Tableau Trusted extensions. Tableau developers conduct functional and network communication testing, and automated code scans of the extensions before they are deployed to a dedicated Tableau host. Trusted partner-built extensions can be enabled for use by your Tableau administrator.

Network-enabled extensions

Network-enabled extensions are web applications and could be running on any computer set up as a web server. This includes local computers, computers in your domain, and third-party web services. Because Network-enabled extensions could be hosted on third-party servers and could have access to the data in the workbook, you want to only allow the extensions you trust. See Test Network-enabled extensions for security.

Default Extensions Settings

Administrators can use the settings for extensions on Tableau Server to control and limit the extensions that are allowed to run.

  • By default, extensions are enabled to run unless explicitly disabled. This is managed either by the Server Administrator across all sites, or can be disabled for any given site by the Site Administrator.

  • We recommend allowing the use of Tableau Trusted extensions. By default, Sandboxed extensions and Tableau-built extensions are enabled to run if extensions are enabled for the site; Trusted partner-built extensions can be enabled by an administrator.

  • By default, no Network-enabled extensions are allowed unless they've been explicitly added to the safe list. Only extensions that use the HTTPS protocol are allowed, which guarantees an encrypted channel for sending and receiving data (the only exception is for http://localhost). Some extensions require full data permissions (access to the underlying data). These extensions can't run on Tableau Server unless you explicitly add the extension to the safe list and grant the extension access to full data.

Control extensions use

Server administrators can control a global setting to allow extensions for all sites on the server. Server administrators can also put extensions, including Sandboxed extensions, on a global block list to prevent them from running (see Block specific extensions). By default, all Sandboxed extensions are enabled on the server, but site administrators can choose to override the default and prohibit Sandboxed extensions for the site.

Change the global setting enabling extensions on the server

  1. To change this setting for the server, go to Manage All Sites > Settings > Extensions. If the server just has a single site, the global controls appear on the settings page for the site.

  2. Under Dashboard and Viz Extensions, select or clear the Allow extensions to run on this server checkbox. If this option is not selected, extensions are not allowed to run. This global setting overrides the Allow extensions to run on this site settings for each site.

Change the default settings for a site

Server administrators can control whether to enable extensions for the site and whether to allow Tableau-Trusted extensions on the site. That is, if extensions are enabled on the server, the default site settings allow the use of Sandboxed and Tableau-built extensions on the site, provided the extensions are not specifically blocked on the server. The default site settings allow Network-enabled extensions to run when registered on the safe list for the site. Any extension can be explicitly added to the safe list, which then enables that extension for use on the site.

  1. To change these settings for the site, go to Settings > Extensions.

  2. Under Dashboard and Viz Extensions, configure these options:

    • Allow extensions to run on this site
    • Allow Trusted extensions to run on this site

Server administrators can add or remove extensions from the safe list for a site. When you add an extension to the safe list, you can configure permissions that allow the extension to have access (if needed) to full data. See Add extensions to the safe list and configure the extension.

Using the safe list

Use the safe list to allow specific extensions to run on a site. The safe list is used primarily for Network-enabled extensions. Unlike Tableau-Trusted extensions, which are served from known Tableau hosts and allowed to run by default, Network-enabled extensions are not allowed unless they have been explicitly added to the safe list. The safe list also lets you control whether users are asked to grant permission to allow the extension to run and whether the extension has access to full data (underlying data) in the workbook.

By default, Tableau-Trusted extensions are allowed to run, which includes Sandboxed and Tableau-built extensions. You do not need to add them to the safe list unless the default settings have changed and they are no longer allowed. The same holds true for trusted partner-built extensions: if they are allowed, you do not need to explicitly add them to the safe list.

 

Identifying the URL of an extension

As a web application, an extension is associated with a URL. You can use this URL to test and verify the extension. You also use the URL to add the extension to the safe list to allow full data access, or to the block list to prohibit any access.

To allow Network-enabled extensions or other extensions, you need to find the URL of the extension and then add the URL to the safe list. By adding the URL to the safe list you are approving communication with the web application. There are several ways to determine the URL of the extension.

From Tableau Exchange

When you use an extension that you've downloaded from the Tableau Exchange, you can find the URL for the extension on the Exchange listing page. Open the tile for the extension and, under Tech Specifications, look for the URL under the heading Hosted at.

A Tableau Exchange tile for an extension showing where to find the hosted at URL


From the manifest file

If you have the extension manifest file (.trex), an XML file that defines properties for the extension, you can find the URL from the <source-location> element. You can retrieve the manifest file if you download the extension from Tableau Exchange using your web browser. Open the manifest file in a text editor.


<source-location>
    <url>https://www.example.com/myExtension.html</url>
</source-location>

				



Identifying a dashboard extension using the About dialog box

For dashboard extensions, you can find the URL from the extension properties found in the dashboard extension context menu. From the More Options menu, click About.

A context menu with options including About, Reload, Debug Options, Floating, Fix Width, Edit Width, Select Layout Container, Deselect, and Remove from Dashboard.

The About dialog box lists the name of the extension, the author, the web site of the author, and the URL of the extension.

A dialog box with details on the data source sample extension, such as its URL, version number, and instance ID.

Add extensions to the safe list and configure the extension

To allow users access to Network-enabled extensions, add the extension to the safe list for the site. By default, when you add an extension to the safe list, the extension only has access to the summary (or aggregated) data. You can also control whether users see a prompt asking them to allow the extension access to data. You might want to add an extension to the safe list (for example, a Sandboxed extension) so that you can configure whether users see the prompts. When you hide the prompt from users, the extension can run immediately.

  1. Go to Settings > Extensions.

  2. Under Enable Specific Extensions, add the URL of the extension. See Identifying the URL of an extension.

    Tip: You can use a period and asterisk (.*) as a wildcard in the URL to allow all extensions in a certain domain or location. For example, to allow all extensions in the domain under example.com that use port 8080, you would add the URL: https://example.com:8080/.* . For more information, see Using regular expressions in the safe list URL.

  3. Choose to Allow or Deny the extension Full Data Access.

    Full data access is access to the underlying data in the view, not just the summary or aggregated data. Full data access also includes information about the data sources, such as the names of the connection, fields, and tables. Usually, if you are adding an extension you want to use to the safe list, you also want to allow the extension to have access to full data, if the extension requires it. Before adding extensions to the safe list, be sure to Test Network-enabled extensions for security.

  4. Choose to Show or Hide the User Prompts.

    Users see the prompts by default when they are adding a dashboard extension to a dashboard, or a viz extension to a worksheet, or when they are interacting with a view that has an extension. The prompt tells users details about the extension and whether the extension has access to full data. The prompt gives users the ability to allow or deny the extension from running. You can hide this prompt from users, allowing the extension to run immediately.

Block specific extensions

The default global policy allows the use of extensions in Tableau. By default, Sandboxed and Tableau-built extensions are allowed to run. Sites are allowed to enable Trusted Partner-built extensions and any Network-enabled extensions that appear on the safe list. Server administrators can prevent specific extensions from running by adding them to the block list for the server. If an extension is on the global block list it overrides any settings for the extension on the safe list for a site.

  1. To add an extension to the blocked list for the server, go to Manage All Sites > Settings > Extensions. On single-site installations, the block list is on the site Extensions settings page.

  2. Under Block Specific Extensions, add the URL of the extension. See Identifying the URL of an extension.

Using regular expressions in the safe list URL

In general, when you add an extension to the safe list, you should use the specific URL of the extension. However, there are times when you might want to allow multiple extensions that are hosted from the same domain and location. In this case, it's convenient to use a wildcard in the URL. The extension settings support the use of regular expressions.

Regular expression | Description
. | A period (.) is a wildcard you can use to match any character. If you need to specify a period (.) in the URL instead of a wildcard, you can escape the character with a backslash (\.).
* | An asterisk (*) is a quantifier that specifies one or more instances of the previous character.

Use care if you use wildcards so that you don't make the safe list too permissive, and inadvertently allow access to extensions that shouldn't have access.

The following table shows some examples of using regular expressions in the URL. Note that these examples do not show the protocol and the full URL of the extension. Only extensions that use the HTTPS protocol are allowed (with the exception of http://localhost).

To specify... | Example | Specifies
Range of domains | .*\.example.com | All subdomains under example.com.
All ports | example.com:.* | Extensions are allowed access from all ports on example.com.
All extensions under domain, port, and path | example.com:8080/xyz/.* | All extensions under the domain example.com that use port 8080 and are located in xyz are allowed access.
All ports for a range of domains | .*\.example.com:.* | Allows access to extensions on all ports on all subdomains under example.com.
All extensions under a domain and path that match the pattern | example.com/t.c/.* | Allows access to extensions running on example.com under folders that match the pattern t.c. For example, tic, tac, toc.
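One way to check a proposed safe list pattern before adding it, shown as an added example that is not Tableau code. It assumes an entry admits a URL only when the whole URL matches the pattern, as Python's re.fullmatch does (the matcher Tableau Server uses may behave differently); the URLs are constructed, and the character class in the last pattern assumes the setting accepts standard regular expression syntax.

```python
import re

def allows(pattern, url):
    # Assumption: an entry admits a URL only when the whole URL matches.
    return re.fullmatch(pattern, url) is not None

def audit(pattern, must_allow, must_block):
    """Compare what a safe list pattern admits against the reviewer's intent."""
    return {
        "wrongly_blocked": [u for u in must_allow if not allows(pattern, u)],
        "wrongly_allowed": [u for u in must_block if allows(pattern, u)],
    }

# Constructed URLs: what the administrator means to allow and to keep out.
MUST_ALLOW = [
    "https://viz.example.com/ext/index.html",
    "https://maps.example.com/ext/index.html",
]
MUST_BLOCK = [
    "http://viz.example.com/ext/index.html",        # not HTTPS
    "https://viz.examplexcom/ext/index.html",       # unescaped "." matches any character
    "https://other.test/a.example.com/index.html",  # ".*" runs past the host into the path
]

# Three ways of writing "subdomains of example.com", from loosest to tightest.
CANDIDATES = {
    "page style": r"https://.*\.example.com/.*",
    "dots escaped": r"https://.*\.example\.com/.*",
    "host restricted": r"https://[a-z0-9-]+\.example\.com/.*",
}

def run_audit():
    """Audit every candidate pattern against the same intent lists."""
    return {name: audit(p, MUST_ALLOW, MUST_BLOCK) for name, p in CANDIDATES.items()}

if __name__ == "__main__":
    for name, result in run_audit().items():
        print(name, result)
```

The host restricted pattern admits single-label subdomains only, which is narrower than all subdomains under example.com.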

Test Network-enabled extensions for security

Extensions are web applications that interact with data in Tableau using the Extensions API. If you choose to allow Network-enabled extensions that are not directly reviewed and managed by Tableau, users should be aware that these extensions could make network calls and have access to resources on the Internet. Tableau recommends testing and understanding Network-enabled extensions before they are rolled out for broad adoption.

Examine the source files

Extensions include various HTML, CSS, and JavaScript files, and an XML manifest file (*.trex) that defines the properties in the extension. When reviewing a network-enabled extension, we recommend contacting the extension developer directly for access and permission to review. Tableau does not distribute or provide access to other developers' source files.

If the code for an extension is publicly available on GitHub, it can be examined there or downloaded. In the manifest file (*.trex), you can find the source location (the URL indicating where the extension is hosted), the name of the author, and the web site of the author or company to contact for support. The <source-location> element specifies the URL, and the <author> element specifies the name of the organization and the web site to contact for support (website="SUPPORT_URL"). The web site is the Get Support link users see in the About dialog box for the dashboard extension.

Extensions reference external JavaScript libraries, such as the jQuery library or API libraries for third parties. Validate that the URL for external libraries points to a trusted location for the library. For example, if the extension references the jQuery library, make sure that the library is on a site that is considered standard and safe.

All extensions are required to use the HTTPS protocol (https://) for hosting their extensions. You should examine the source files for the extension to ensure that any reference to external libraries is also using HTTPS or is hosted on the same web site as the extension. The one exception to the requirement of HTTPS is if the extension is hosted on the same computer as Tableau (http://localhost).

To the extent possible, make sure you understand what the code is doing. In particular, try to understand how the code is constructing requests to external sites, and what information is being sent in the request. Also check whether any user-supplied data is validated to prevent cross-site scripting.

Understand data access

Tableau extensions primarily work with the summary aggregated data presented in a worksheet or dashboard. However, the Tableau Extensions API provides methods that can access the underlying data when the extension declares it needs full data access. These methods can access the names of the active tables and fields in the data source, the summary descriptions of the data source connections, and the underlying data in a worksheet. If an extension uses any of these methods in a view, the extension developer must declare that the extension requires full data permission in the manifest file (.trex). The declaration looks like the following.


<permissions>
   <permission>full data</permission>
</permissions>

Tableau uses this declaration to provide a prompt to users at run time that gives them the option of allowing this access. If the extension uses any one of these methods, without declaring full data permission in the manifest file, the extension loads but the method calls fail.

For information about how an extension accesses data from the dashboard, and the JavaScript methods used, see Accessing Underlying Data in the Tableau Extensions API. To get a better understanding about what the extension can find out about the data, you can use the DataSources sample dashboard extension (available from the Tableau Extensions API GitHub repository) to see what data is exposed when the getDataSourcesAsync() method is called.
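The manifest and source-file checks described above, as an added example that is not part of the Tableau documentation or the Extensions API. The sample manifest and HTML page are constructed, the function names are hypothetical, and the manifest is matched on local element names so the code works whether or not a real .trex file declares an XML namespace.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample manifest, limited to the elements this page names.
SAMPLE_TREX = """<manifest><dashboard-extension id="com.example.sample">
  <author name="Example Org" website="https://www.example.com/support"/>
  <source-location>
    <url>https://www.example.com/myExtension.html</url>
  </source-location>
  <permissions><permission>full data</permission></permissions>
</dashboard-extension></manifest>"""

# Constructed sample of the extension's HTML entry page.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="http://cdn.example.net/charts.js"></script>
<script src="./js/app.js"></script>
</head></html>"""

def local(tag):
    """Drop any XML namespace so lookups work on local element names."""
    return tag.rsplit("}", 1)[-1]

def is_allowed_scheme(url):
    """HTTPS only, with the single exception of http://localhost."""
    u = urlsplit(url)
    return u.scheme == "https" or (u.scheme == "http" and u.hostname == "localhost")

def review_manifest(trex_text):
    """Pull out what a reviewer checks first: host URL, support site, data scope."""
    info = {"url": None, "website": None, "full_data": False}
    # For manifests from untrusted sources, a hardened parser such as the
    # third-party defusedxml package is the safer choice.
    for el in ET.fromstring(trex_text).iter():
        name = local(el.tag)
        if name == "source-location":
            urls = [c.text.strip() for c in el if local(c.tag) == "url" and c.text]
            info["url"] = urls[0] if urls else None
        elif name == "author":
            info["website"] = el.get("website")
        elif name == "permission" and (el.text or "").strip().lower() == "full data":
            info["full_data"] = True
    info["scheme_ok"] = bool(info["url"]) and is_allowed_scheme(info["url"])
    return info

class ScriptSrc(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def external_scripts(html_text, extension_url):
    """Return (url, uses_https) for scripts served from a host other than the extension's."""
    parser = ScriptSrc()
    parser.feed(html_text)
    ext_host = urlsplit(extension_url).hostname
    resolved = [urljoin(extension_url, s) for s in parser.srcs]
    return [(u, urlsplit(u).scheme == "https") for u in resolved
            if urlsplit(u).hostname != ext_host]
```

On the sample, the manifest declares full data access, and one of the two off-host libraries is loaded over plain HTTP, which is the reference to question with the developer.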

Test the extension in an isolated environment

If possible, Tableau recommends testing the extension in an environment that is isolated from your production environment and from user computers. For example, add a dashboard or viz extension to a safe list on a test computer or virtual machine that's running a version of Tableau Server that is not used for production.

Monitor traffic created by the dashboard extension

To assess potential network calls used by a Network-enabled extension, use web debugging tools like Fiddler, Charles HTTP proxy, or Wireshark to examine the requests and responses that the extension makes. Make sure that you understand what content the extension is requesting. Examine the traffic to be sure that the extension is not reading data or code that is not directly related to the purpose of the extension.
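A way to summarize a capture from the isolated test environment, shown as an added example that is not part of the Tableau documentation. It assumes the capture has been exported in HAR format (an assumption about your debugging tool); the sample entries, host names and the summarize_har function are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed HAR excerpt using HAR 1.2 field names; hosts are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://ext.example.com/index.html", "bodySize": 0}},
    {"request": {"method": "GET", "url": "https://code.jquery.com/jquery-3.7.1.min.js", "bodySize": 0}},
    {"request": {"method": "POST", "url": "https://collect.example.net/v1/rows", "bodySize": 18432}},
    {"request": {"method": "GET", "url": "http://img.example.org/logo.png", "bodySize": -1}},
]}})

def summarize_har(har_text, expected_hosts):
    """Group captured requests by host and list the reasons each host needs a look."""
    hosts = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "plaintext": False})
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        row = hosts[url.hostname or "(no host)"]
        row["requests"] += 1
        row["bytes_sent"] += max(req.get("bodySize", 0), 0)  # -1 means size unknown
        row["plaintext"] = row["plaintext"] or url.scheme != "https"
    findings = {}
    for host, row in hosts.items():
        reasons = []
        if host not in expected_hosts:
            reasons.append("unexpected host")
        if row["plaintext"]:
            reasons.append("not HTTPS")
        if row["bytes_sent"] > 0:
            reasons.append(f"sent {row['bytes_sent']} bytes in request bodies")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    # Hosts the reviewer already expects: the extension itself and its library CDN.
    for host, reasons in summarize_har(SAMPLE_HAR, {"ext.example.com", "code.jquery.com"}).items():
        print(host, "->", "; ".join(reasons))
```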
