Tableau Security Made Easy

When I joined Tableau last year, I was found that the security model presented in training classes was a model that was counter to what I considered a best practice, based on nearly twenty years working in the Business Intelligence (BI) space. The model presented was what I would consider a legacy security model. It requires the creation of three groups for each Project on Tableau Server.

As you can see, this organization has five groups, each with their own Project in Tableau Server. For each Project, three groups are created: Viewers, Explorers, and Creators. Users of any given Project would be put into the appropriate group for that Project. The problem is that we end with too many groups to maintain. Imagine an organization that has fifty groups, each with their own Project. They would end up with 150 groups to maintain in Tableau. This is simply too many groups, and creates a maintenance nightmare. The same results can be accomplished with a fraction of the groups.

My experience is that it’s much easier to maintain a modern security model:

The idea here is that any user who is an Explorer or Creator would simply be added to the Explorers or Creators group, but not both. In the example above, Mary is a member of the Sales group, which grants her the rights to see the Sales Project. She is also a member of the Creators group, which grants her the right to create and edit workbooks. This dual membership accomplishes the same thing as the single group membership in the legacy security example, but results in far fewer groups to maintain.

My first thought was that, perhaps Tableau isn’t capable of this type of security model. So I built a Tableau server and tried it out. I was delighted to find that I could make it work, and it was pretty simple. And, as I started sharing this with people inside Tableau, it generated quite a bit of enthusiasm. So here’s how it is accomplished:

Step 1: Create your groups. You can create them in Tableau, or in your identity store (e.g. Active Directory). Create one group for each Project, as well as a group for Explorers, and a group for Creators.

Step 2: Move your users into the appropriate groups. In the example above, Dave has a Viewer license, so he only needs to be a member of the Operations group. Mary, on the other hand, is a Creator, so she is added to the Sales group, as well as the Creators group.

Step 3: Set permission for groups on each project. The Marketing group will be added to the Marketing Project, and given only Viewer rights. The Creators group will also be added to the Marketing Project, and will be given all rights except View and Project Leader (Project Leaders get View rights). In the same way, the Explorers group would be added to the Marketing Project, and given all Explorer rights, except View and Project Leader.

Although the Creators group has lots of permissions on the Marketing Project, it doesn’t have view rights. So members of the Creators group cannot see the Marketing Project, unless they are also a member of the Marketing group. And since rights are cumulative, a member of both Marketing and Creators will receive all the rights they need to create content within the Marketing Project.

As you can see, this is a very simple and efficient way to manage your groups within Tableau.

How do you model your security in your Tableau environment? Have you used a method like this? Let me know in the comments what your thoughts are on this approach.

4 Responses to Tableau Security Made Easy

  1. Zima, Tomasz says:

    Hi Michael,

    Great post! As always.

    This is how I was teaching to setup security within SAP BOBJ, and it makes sense. I am happy that our “competition” can do it as well. It makes sense. It is good for our customers whether they use BOBJ or Tableau.

    Thank you for sharing,
    Tomasz, SAP BI Consultant (longtime corporate trainer before joining consulting organization)

  2. Alex says:

    Please advice how to accomplish that user A suppose to have read-only (viewer rights) access to project A, same user A to have the s Explorer rights on project B and Creater on Project C and same user A have own project and act as Project Owner.
    I know how to accomplish this in BO, but prpviddd security model by Tableau is different.

    Project A has user group A
    Project B has user group B
    Project C has user group C
    Let’s assume we also have groups: Creater , Explorer and Viewer.
    And also project owner of Project B wish that Memebers of viewer group can download data set, but viewers on other projects should not have rights to download data.
    Thank you in advance

    • Hi, Alex. That’s an interesting question. I don’t think there’s a way to do that currently, other than to give the user 2 different user names. But that’s not a good idea, as it consumes 2 licenses. I’ll keep my eye out for a solution, and update you if I find anything.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: