Welcome [tc18. ] 2020-01-06 Data Security...


  • date post

    08-Aug-2020

  • Welcome

    Implementing Tableau Server Security

  • Implementing Tableau Server Security

    #TC18

    Ciarán Flynn

    Senior Product Consultant

    Tableau EMEA

    Chris Wilkins

    Staff Software Engineer

    Tableau USCA

  • Who Are We and Why Are We Here?

    Coming from two different areas of the business

    Chris, Product Security Software Engineer that helps teams build security into their features. Past teams include licensing and Tableau Server.

    Ciarán, working day to day with customers demonstrating how our customers can get the most out of the platform and all Chris’ hard work

    Presented this session last year in Las Vegas and came away with lots of feedback to improve

    We are passionate about Tableau and take security based topics very seriously

  • How to get the most out of this

    Materials are available to you after the session.

    Please hold your questions until the end.

    Learn, learn, learn!

  • What we want you to take away today

  • How to Control Who Can See What Content

    Authentication – who is this user?

    Authorization – is this user allowed to do this?

    Data Security – protect your data in multiple ways.

  • Authentication

  • Authentication

    Local Authentication

    Active Directory

    LDAP Identity Store

  • Local Authentication

    Users only exist in Tableau Server Identity store

    Tableau Server is used exclusively to authenticate users coming from:

    Web Browser

    Tableau Desktop

    TabCMD

    APIs

  • Local Authentication

    Populating your local authentication user list can be done in several ways:

    GUI – One by one or with csv file

    TabCMD CLI tool with csv file

    REST API

    CSV can contain (in order shown):

    Username (required)

    Password (required)

    Display Name

    Role

    Administrator Level

    Publisher (yes/no)

    Email address
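A pre-import check for the user CSV described above, as an added example that is not part of the original slides. It uses the column order from the slide; the accepted Administrator Level values (System, Site, None) and the function and variable names are assumptions made for the example.

```python
import csv
import io

# Column order as listed on the slide; only the first two are required.
COLUMNS = ["username", "password", "display_name", "role",
           "admin_level", "publisher", "email"]
# Assumed accepted values (the slide gives only "yes/no" for Publisher).
ADMIN_LEVELS = {"system", "site", "none"}
PUBLISHER = {"yes", "no"}

def audit_user_csv(text):
    """Return (line_number, message) findings for a headerless import file."""
    findings, seen = [], set()
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank line
        if len(cells) > len(COLUMNS):
            findings.append((n, "more than 7 columns"))
            continue
        rec = dict(zip(COLUMNS, cells + [""] * (len(COLUMNS) - len(cells))))
        user = rec["username"]
        if not user:
            findings.append((n, "username is required"))
        elif user.lower() in seen:
            findings.append((n, f"duplicate username {user!r}"))
        seen.add(user.lower())
        if not rec["password"]:
            findings.append((n, "password is required"))
        elif rec["password"].lower() == user.lower():
            findings.append((n, "password equals username"))
        admin = rec["admin_level"].lower()
        if admin and admin not in ADMIN_LEVELS:
            findings.append((n, f"unknown administrator level {rec['admin_level']!r}"))
        elif admin in ("system", "site"):
            findings.append((n, f"grants {admin} administrator rights"))
        pub = rec["publisher"].lower()
        if pub and pub not in PUBLISHER:
            findings.append((n, f"publisher must be yes or no, got {rec['publisher']!r}"))
    return findings

# Constructed sample rows (not real accounts).
SAMPLE = (
    "jsmith,Xk7#pLq92v,John Smith,Creator,None,yes,jsmith@example.com\n"
    "adavis,,Ann Davis,Viewer,None,no,adavis@example.com\n"
    "ops1,ops1,Ops Account,Creator,System,yes,ops@example.com\n"
    "JSmith,Zt4!mmQe81,J Smith,Explorer,Admin,maybe,\n"
)

if __name__ == "__main__":
    for line, message in audit_user_csv(SAMPLE):
        print(f"line {line}: {message}")
```

The import file holds passwords in clear text, so review it on the admin host and delete it once the import has completed.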

  • Active Directory

    User

    1. User Logs in

    2. Credentials passed to AD

    3. Token Returned

    4. Content is Displayed According to Roles/Permissions

  • Active Directory Sync

    Sync Users and Groups

    Assign Roles and Permissions

  • LDAP Identity Store

    Tableau uses Binds to authenticate & establish a session with LDAP Servers

    • LDAP - Simple Bind
        • Not encrypted and therefore poses a security risk

    • LDAP over SSL
        • Using Signed SSL certs you can enable LDAPS to create a secure bind protecting credentials

    • LDAP with GSSAPI (Kerberos) bind
        • Use existing keytab files (if AD Domain link is already there)
        • Tableau Server Service specific keytab files to be generated (recommended)

  • Other Authentication Options

    Authentication Method     Local Authentication   Active Directory
    SAML                      Yes                    Yes
    Kerberos                  No                     Yes
    Mutual SSL                Yes                    Yes
    OpenID                    Yes                    No
    Trusted Authentication    Yes                    Yes

  • Single Sign-On

  • Single Sign-On Options

    SAML

    Trusted Authentication (web portal integration)

    Kerberos

    OpenID

    Integrated Windows Authentication

    (Tableau Online w/Google)

    (Tableau Online)

  • SAML

    Use external IdP to authenticate users with Tableau Server

    [Diagram, steps 1 to 3: User, Identity Provider (IdP), Tableau Server (Service Provider)]

  • Trusted Authentication

    [Diagram, steps 1 to 3: Tableau Server, Web Portal, Client Web Browser]

  • Authorization

  • Understanding Site Roles

    Site Role                        Role Type
    Server Administrator             Creator
    Site Administrator Creator       Creator
    Creator                          Creator
    Site Administrator (Explorer)    Explorer
    Explorer (can publish)           Explorer
    Explorer                         Explorer
    Viewer                           Viewer
    Unlicensed                       Unlicensed

  • Structure Within Tableau Server

    Sites

    Projects

    Workbooks

    Views

    Groups

    Users

    Data Sources

  • Example

    Owner: Server Admin

    • Creates Sites

    • Defines Site Admins

    Owner: Site Admins

    • Manages users, groups, projects, and permissions

    Owner: Publisher

    • Manages permissions for their content (sometimes)

    Tableau Server

    HR Site: Projects, Workbooks, Data Sources, Views, Groups, Users

    Sales Team Sites: Projects, Workbooks, Data Sources, Views, Groups, Users

  • Permissions

  • Permissions - Best Practice

    Data Sources

    Sites

    Projects

    Workbooks

    Views

    Groups

    Users

    Permissions

  • Access Permissions

    Has the user been specifically denied access?

    Has the group been specifically allowed the capability?

    Has the group been specifically denied the capability?

    Has the user been specifically allowed the capability/access?

    [Decision tree: each question branches Yes/No and ends in Allowed or Denied]
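The four questions on this slide written as a check, as an added example that is not part of the original slides. The order used (user denied, user allowed, group denied, group allowed, otherwise denied) is an assumption because the flowchart's arrows did not survive in the transcript; the site-role ceiling table, the capability names and all user and group names are constructed for the example.

```python
from dataclasses import dataclass, field

# Simplified ceiling constructed for this example (not Tableau's full matrix):
# a site role caps what any permission rule can grant.
SITE_ROLE_CEILING = {
    "Creator": {"view", "web_edit", "download_workbook"},
    "Viewer": {"view"},
    "Unlicensed": set(),
}

@dataclass
class Rules:
    """Explicit rules on one content item: name -> {capability: "allow" | "deny"}."""
    user: dict = field(default_factory=dict)
    group: dict = field(default_factory=dict)

def evaluate(username, site_role, groups, capability, rules):
    """Return (decision, reason) for one user and one capability."""
    if capability not in SITE_ROLE_CEILING.get(site_role, set()):
        return "Denied", "site role ceiling"
    user_rule = rules.user.get(username, {}).get(capability)
    if user_rule == "deny":
        return "Denied", "user rule"
    if user_rule == "allow":
        return "Allowed", "user rule"
    group_rules = [rules.group.get(g, {}).get(capability) for g in groups]
    if "deny" in group_rules:
        return "Denied", "group rule"
    if "allow" in group_rules:
        return "Allowed", "group rule"
    return "Denied", "no rule grants it"

# Constructed rules for one workbook (hypothetical users and groups).
WORKBOOK = Rules(
    user={"leaver": {"download_workbook": "deny"}},
    group={
        "Analysts": {"view": "allow", "web_edit": "allow", "download_workbook": "allow"},
        "Contractors": {"web_edit": "deny"},
    },
)

if __name__ == "__main__":
    cases = [
        ("viewer1", "Viewer", ["Analysts"], "web_edit"),
        ("leaver", "Creator", ["Analysts"], "download_workbook"),
        ("dual", "Creator", ["Analysts", "Contractors"], "web_edit"),
        ("newhire", "Creator", [], "view"),
    ]
    for case in cases:
        print(case, "->", evaluate(*case, WORKBOOK))
```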

  • Permissions Best Practices

    1. Set permissions on Default project to “None” for “All Users” group

    2. Add users to groups

    3. Create projects

    4. Assign permissions to Projects based on Groups

  • Scenarios

  • Scenario 1

    Darth Vader has a Site Role of “Viewer”

    A group he’s a member of implies that he can edit published content.

    Do you think he will have the permission to Edit?

  • The answer is no, he will not have access

  • Scenario 2

    Darth Vader is now leaving the business

    I want to restrict him from downloading workbooks or underlying data before he leaves.

    Can I achieve this by adding specific user permissions while still having him as a member of the group driving the permissions?

  • Scenario 3

    Obi-Wan Kenobi has just started with our organization

    Has been assigned a site role of “Explorer” but not yet added to any groups

    All the projects have a default permission setting of “None” for the default “All Users” group.

    How and what can he do with these projects while he waits to be added to the correct group?

  • Data Security

  • Multiple Approaches to Data Security

    Implement security on the database

    Implement security solely in Tableau

    Privileges on the Database role

  • Database Security—Login Account

    Windows Authentication

    Username and password

    SSL Option

  • Database Security–Authentication Mode

    Prompt user

    Embedded password

    Server Run As account: Windows integrated security only

    Viewer credentials/Publisher Credentials (Tableau Server only)

    Kerberos-enabled Teradata, PostgreSQL, MS SQL Server, MSAS

    SAP HANA and BW SSO

    Impala SSO

    Impersonation (via embedded account or Run As account): MS SQL Server only

  • DEMO

  • Session Re-cap

    Authentication

    Auth Options, LDAP, SSO

    Authorization

    Structure, Permissions, Scenarios, Decision Tree

    Data Security

    Native Tableau User Filters, Table Security Model, Database policies models

  • Tableau Server security in depth

    SESSION REPEATS

    Thursday | 2:15 – 3:15 | MCCNO – L3 - 351

    Big Easy data security

    Tuesday | 4:00 – 5:00 | MCCNO – L2 – 297

    Wednesday | 10:15 – 11:15 | MCCNO – L2 – 204

    Data level security with Tableau Desktop

    Tuesday | 12:30 – 1:30 | MCCNO – L3 – 338

    Wednesday | 1:45 – 2:45 | MCCNO – L2 – 211

  • Please complete the session survey from the Session Details screen in your TC18 app

  • Thank you!

    #TC18