About Virtual Connections and Data Policies
Virtual connections are a Tableau content type, along with data sources, workbooks, metrics, and flows, to help you see and understand your data. Virtual connections provide a central access point to data. Another key feature introduced with virtual connections is data policies, which support row-level security at the connection level, rather than the workbook or data source level. Row-level security data policies are applied to any workbook, data source, or flow that uses the virtual connection.
A virtual connection can access multiple tables across several databases. Virtual connections let you manage extracting the data and the security in one place, at the connection level.
For information about row-level security options, see an Overview of Row-Level Security Options in Tableau.
Not every virtual connection has an associated data policy. You can also use a virtual connection simply as a central place to manage connection credentials.
- Virtual connection. A sharable resource that provides a central access point to data.
- Connection. The server name, database, and credentials you use to access data. A virtual connection has one or more connections. Each connection accesses one database or file.
- Virtual connection table. A table in a virtual connection.
- Data policy. A policy that's applied to one or more tables in a virtual connection to filter data for users. For example, use a data policy to apply row-level security to tables in a virtual connection.
- Policy table. A fact or data table in a data policy that is filtered.
- Policy column. A column that's used to filter the data in the policy tables. A policy column can be in a policy table or in an entitlement table.
- Entitlement table. A table that includes both a policy column you can use to filter policy tables and another column you can relate (map) to a column in a policy table.
- Policy condition. An expression or calculation that is evaluated for every row at query time. If the policy condition is TRUE, then the row is shown in the query.
License virtual connections and data policies
Virtual connections and data policies are licensed through Data Management. For information about how Data Management licensing works, see License Data Management.
Enable virtual connections and data policies
Virtual connections and data policies are automatically enabled on Tableau Server and Tableau Cloud with Data Management.
Permissions for virtual connections work much like the permissions for other Tableau content. After you publish a virtual connection, anyone can view the connection. However, only the connection creator and administrators can access data using the connection, until the connection creator explicitly grants more permissions.
When you create a virtual connection, you must set the permissions for the Connect capability to enable other users to connect to data using the virtual connection. The Connect capability allows you to share a virtual connection and allows users to query it. With connect permissions, a user can view the tables in a virtual connection and create content using the tables. For more information, see Set permissions on a virtual connection.
Permissions vs. data policies
Permissions define what a person can or can't do with a piece of content in Tableau. Permissions are made up of capabilities: the ability to do things like view content, web edit, download data sources, or delete content. Permission rules define which capabilities are allowed or denied for a user or group on a piece of content. The interplay between license level, site role, and potentially multiple permission rules factors into the final determination of what a person can or can’t do, known as their effective permissions. See Permissions for details.
Data policies filter the data in a virtual connection, making sure that people see only the data they're supposed to see. A data policy is applied and filters the data when it's viewed in the Tableau content (for example, a workbook or flow). The policy condition in a data policy is a calculation or expression that defines access to the data. User functions are often used to limit access to users or groups. Access can be based on the user name, the group a user belongs to, or a region value. See Create a Data Policy for Row-Level Security for details.
Both permissions and data policies govern access. Simply put, permissions determine which content you can see, access, use, or create; data policies determine which data you can see.
How permissions and data policies work together
Tableau permissions are applied to Tableau content first. People can only do the things they have the capabilities to do with Tableau content—data policies don't override Tableau permissions. After permissions are evaluated, the data policy is applied to determine which data in the virtual connection the person can see based on the policy condition.
The following example describes the effects of permissions and data policies on a virtual connection that contains salary data:
- The virtual connection is in the HR project, which is restricted to Tableau users in the HR group. Anyone outside the HR group can't see content in the HR project, which means they can't browse to, connect to, or view the virtual connection.
- The virtual connection has Connect permissions granted only to members of the HR Business Partners group. All others in the HR group can see that the virtual connection exists, but they can’t view the data it contains. When they view a workbook that uses that virtual connection, they can't see any data.
- The virtual connection also contains a data policy that filters the salary data based on the individual user, so HR Business Partners can see only rows that pertain to employees in their business unit. When they view a workbook that uses that virtual connection, they see data only for their business unit.
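The layering in this example can be modeled in a few lines of Python. This is an added illustration, not Tableau code: the user names, group memberships, salary rows, and the query function are constructed, and the business-unit entitlement table is an assumed way to express the policy.

```python
# Toy model of the evaluation order above; not Tableau code, all data constructed.
USER_GROUPS = {
    "ana": {"HR", "HR Business Partners"},
    "ben": {"HR", "HR Business Partners"},
    "eli": {"HR", "HR Business Partners"},   # partner with no entitlement row
    "cy": {"HR"},
    "dee": {"Sales"},
}
# Policy table: the salary rows that the data policy filters.
SALARIES = [
    {"employee": "e1", "business_unit": "Retail", "salary": 70000},
    {"employee": "e2", "business_unit": "Retail", "salary": 82000},
    {"employee": "e3", "business_unit": "Wholesale", "salary": 91000},
]
# Entitlement table: "user" is the policy column, "business_unit" is the
# column mapped to the policy table.
ENTITLEMENTS = [
    {"user": "ana", "business_unit": "Retail"},
    {"user": "ben", "business_unit": "Wholesale"},
]
PROJECT_GROUP = "HR"
CONNECT_GROUP = "HR Business Partners"

def query(user):
    """Return (can_see_connection, rows) for a user viewing the workbook."""
    groups = USER_GROUPS.get(user, set())
    # 1. Permissions come first: project visibility, then Connect.
    if PROJECT_GROUP not in groups:
        return False, []
    if CONNECT_GROUP not in groups:
        return True, []
    # 2. Data policy: the policy condition is evaluated for every row, and
    #    only rows where it is TRUE are returned.
    units = {e["business_unit"] for e in ENTITLEMENTS if e["user"] == user}
    rows = [r for r in SALARIES if r["business_unit"] in units]
    return True, rows

if __name__ == "__main__":
    for name in USER_GROUPS:
        visible, rows = query(name)
        print(name, visible, [r["employee"] for r in rows])
```

In this model, a user who has Connect but no row in the entitlement table gets no salary rows, because the condition is never TRUE for them.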
Features and functionality
For the manager of data, virtual connections provide:
- Securely managed service accounts. If you use a ‘service account’ model, you no longer have to share the service account information with every user who wants to access that data. Instead, you can give the service account credentials to the few analysts who are empowered to create virtual connections.
- Agile physical database management. You must make database changes (for example, a field is added or table name is changed) only one time in the virtual connection, rather than in every piece of content where the data is used.
- Reduced data proliferation. When extract refresh schedules are managed centrally, refreshes are scheduled once, ensuring that anyone who accesses the data from that virtual connection sees fresh data.
- Centralized row-level security. You can create data policies that apply row-level security to both Tableau extracts and live queries at the connection level. The data policies are applied to any workbook, data source, or flow that uses the virtual connection.
Note: Data policies are valid for flow input data, but not for flow output data. Users with access to flow output data see all of the data, not only the subset that pertains to them.
As the user of data, you benefit from virtual connections knowing that you have:
- Appropriate access to only the data you should see, because row-level security is already applied to the data.
- Flexibility to use data that's been curated and secured. The virtual connection stores and shares the connection information. All you have to do is create a data source with a data model specific to your needs.
- Trust that data is fresh because the extract refresh schedule has already been set.
- The ability to share content freely, assured that you won’t put security at risk because data policies are always enforced.
Virtual connection editor workflow
The virtual connection editor enables you to create:
- Virtual connections, which are a Tableau content type that provides a sharable central access point to data.
- Data policies that support row-level security at the connection level.
After you create a virtual connection and its associated data policies, you can publish it and set the permissions to share with other users. You can also schedule extract refreshes so that all content that uses the virtual connection is accessing fresh data.
The following diagram shows the workflow to create a virtual connection. At any time during the process, you can publish or save a draft of your connection, but the connection must be published before you can schedule extract refreshes or use (or edit) a virtual connection. You must also set permissions before others can use the connection.
The first step is to Create a Virtual Connection.