When you publish a workbook to Tableau Cloud or Tableau Server, you can publish the data source it connects to as part of the workbook (embedded into the workbook), or as a separate, standalone data source. In addition, if the data source you’re publishing requires authentication, you can customize how credentials are obtained.

The type of authentication to your data source is independent of how people sign in to your Tableau Cloud or Tableau Server site. For example, to give people direct access to the data in a workbook, you would embed a database user’s credentials into the data source’s connection. But anyone viewing the workbook would still need to be able to sign in to the site on Tableau Cloud or Tableau Server to open your workbook.

This topic describes how to set authentication on data connections as part of the publishing process.

Note: This topic doesn’t apply to connections to that don’t require authentication, such as text files or Excel files.

Set the authentication type

For many types of connection you can embed a database user’s name and password, or use single sign-on (SSO). Specific exceptions are described later in this topic.

The following steps describe how to set authentication as part of publishing a data source or workbook. You can do this for each connection in the data source.

  1. In the Publish Workbook dialog box, go to the Data Sources area, which lists the workbook’s connections, and select Edit.

  2. In the Manage Data Sources popup, after you decide whether to publish the data source separately or as part of the workbook, select an authentication type for each connection in the data source.

    The available authentication types depend on the connection type, and they can include one or more of the following:

    • Prompt user: Users must enter their own database credentials to access the published data when the view or workbook loads.

    • Embedded password: The credentials you used to connect to the data will be saved with the connection and used by everyone who accesses the data source or workbook you publish.

    • Server run as account: A single Kerberos service account is used to authenticate the user. On Windows this is the account that Tableau Server runs as. On Linux it can be any Kerberos account.

    • Viewer credentials: The viewer’s credentials are passed through to the database using SSO (usually Kerberos).

    • Impersonate with embedded account or Impersonate with server Run As service account: Impersonation using embedded credentials connects with the embedded credentials and then switches to the viewer’s identity (only for databases that support this). Impersonation using the Run As service account is similar but first, connects with the Kerberos service account before switching to the viewer’s identity.

    • Refresh not enabled or Allow refresh access: These options appear when you publish an extract of cloud data such as from Salesforce, and database credentials are needed to access the underlying data. Allow refresh access embeds the credentials in the connection, so that you can set up refreshes of that extract on a regular schedule. Setting Refresh not enabled prompts users when they open the workbook.

      Important: How you want to keep extracted data fresh is also a factor:

      • If you want to set up an automatic refresh schedule, you must embed the password in the connection.
      • If you’re publishing a cloud data connection to Tableau Cloud, the publishing steps alert you if you must add Tableau Cloud to the data provider’s authorized list.
      • You can’t publish an extract that’s created from a Kerberos-delegated, row-level-secure data source.

Dropbox, OneDrive connections

For Dropbox and OneDrive, when you publish a data source or workbook and select Embedded password, Tableau creates a saved credential and embeds it in the data source or workbook.

Workbook connections to Tableau data sources

When you publish a workbook that connects to a Tableau Cloud or Tableau Server data source, rather than setting the credentials to access the underlying data, you set whether the workbook can access the published data source it connects to. Regardless of the original data type, the choice for server data sources is always Embedded password or Prompt users.

If you select to prompt users, a user who opens the workbook must have View and Connect permissions on the data source to see the data. If you select embed password, users can see the information in the workbook even if they don’t have View or Connect permissions.

Virtual connections

As of and only in Tableau Cloud and Tableau Server 2022.3 and later, when you publish Tableau content like a data source or workbook that uses a virtual connection and select Embed password or Embed credentials, the viewer of the content will have your permissions to connect to and query the virtual connection. However, any data policies associated with the virtual connection are always evaluated using the viewer’s identity–not yours.

For example, you publish a workbook that uses a virtual connection. To let viewers of the workbook connect to and query data by way of the virtual connection, you embed your permissions to connect to and query the virtual connection. Then, any data policies associated with the virtual connection prevent the viewers of the workbook from accessing any sensitive data.

When evaluating whether the tables in a virtual connection can be viewed and accessed, the identity of the content creator is used. However, when evaluating any data policies associated with the tables in a virtual connection, the viewer’s identity is used. And the content creator can only ever embed connect permissions to the virtual connection–not edit permissions.

If you choose not to embed permissions, then only users with permissions to access the workbook or data source and with connect permissions to the virtual connection can access the workbook or data source.

The embed password and embed credentials options for virtual connections don’t work in Tableau Cloud and Tableau Server 2022.2 and before. If you select these options before you upgrade to 2022.3, the options will work as expected after you upgrade. Then, you’re able to embed your permissions for querying a virtual connection.

See also

Thanks for your feedback!