Welcome [tc18.tableau.com] · 2020-01-06 · Data Security –protect your data in multiple ways....


Welcome

Implementing Tableau Server Security


Implementing Tableau Server Security

#TC18

Ciarán Flynn

Senior Product Consultant

Tableau EMEA

Chris Wilkins

Staff Software Engineer

Tableau USCA


Who Are We and Why Are We Here?

Coming from two different areas of the business

Chris, Product Security Software Engineer that helps teams build security into their features. Past teams include licensing and Tableau Server.

Ciarán, working day to day with customers, demonstrating how they can get the most out of the platform and all Chris’ hard work

Presented this session last year in Las Vegas and came away with lots of feedback to improve

We are passionate about Tableau and take security-based topics very seriously


How to get the most out of this

Materials are available to you after the session.

Please hold your questions until the end.

Learn, learn, learn!


What we want you to take away today


How to Control Who Can See What Content

Authentication – who is this user?

Authorization – is this user allowed to do this?

Data Security – protect your data in multiple ways.


Authentication


Authentication

Local Authentication

Active Directory

LDAP Identity Store


Local Authentication

Users only exist in Tableau Server Identity store

Tableau Server is used exclusively to authenticate users coming from:

Web Browser

Tableau Desktop

TabCMD

APIs


Local Authentication

Populating your local authentication user list can be done in several ways:

GUI – One by one or with csv file

TabCMD CLI tool with csv file

REST API

CSV can contain (in order shown):

Username (required)

Password (required)

Display Name

Role

Administrator Level

Publisher (yes/no)

Email address


Active Directory

User

1. User logs in

2. Credentials passed to AD

3. Token returned

4. Content is displayed according to roles/permissions


Active Directory Sync

Sync Users and Groups

Assign Roles and Permissions


LDAP Identity Store

Tableau uses binds to authenticate and establish a session with LDAP servers

• LDAP - Simple Bind

  • Not encrypted and therefore poses a security risk

• LDAP over SSL

  • Using signed SSL certs you can enable LDAPS to create a secure bind protecting credentials

• LDAP with GSSAPI (Kerberos) bind

  • Use existing keytab files (if AD Domain link is already there)

  • Tableau Server Service specific keytab files to be generated (recommended)


Other Authentication Options

Authentication Method | Local Authentication | Active Directory
SAML | Yes | Yes
Kerberos | No | Yes
Mutual SSL | Yes | Yes
OpenID | Yes | No
Trusted Authentication | Yes | Yes


Single Sign-On


Single Sign-On Options

SAML

Trusted Authentication (web portal integration)

Kerberos

OpenID

Integrated Windows Authentication

(Tableau Online w/Google)

(Tableau Online)


SAML

Use external IdP to authenticate users with Tableau Server

[Diagram: User, Identity Provider (IdP) and Tableau Server (Service Provider), with steps 1, 2 and 3]


Trusted Authentication

[Diagram: Client Web Browser, Web Portal and Tableau Server, with steps 1, 2 and 3]


Authorization


Understanding Site Roles

Site Role | Role Type
Server Administrator | Creator
Site Administrator Creator | Creator
Creator | Creator
Site Administrator (Explorer) | Explorer
Explorer (can publish) | Explorer
Explorer | Explorer
Viewer | Viewer
Unlicensed | Unlicensed


Structure Within Tableau Server

Sites

Projects

Workbooks

Views

Groups

Users

Data Sources


Example

Owner: Server Admin

• Creates Sites

• Defines Site Admins

Owner: Site Admins

• Manages users, groups, projects, and permissions

Owner: Publisher

• Manages permissions for their content (sometimes)

[Diagram: Tableau Server with two Sites, "HR" and "Sales Team"; each Site contains Projects, Workbooks, Data Sources, Views, Groups and Users]


Permissions


Permissions - Best Practice

Data Sources

Sites

Projects

Workbooks

Views

Groups

Users

Permissions


Access Permissions

[Decision tree figure. Each decision node has Yes/No branches ending in "Denied" or "Allowed". Decision nodes:]

• Has the user been specifically denied access?

• Has the group been specifically allowed the capability?

• Has the group been specifically denied the capability?

• Has the user been specifically allowed the capability/access?


Permissions Best Practices

1. Set permissions on Default project to “None” for “All Users” group

2. Add users to groups

3. Create projects

4. Assign permissions to Projects based on Groups


Scenarios


Scenario 1

Darth Vader has a Site Role of “Viewer”

A group he’s a member of implies that he can edit published content.

Do you think he will have the permission to Edit?


The answer is no, he will not have access


Scenario 2

Darth Vader is now leaving the business

I want to restrict him from downloading workbooks or underlying data before he leaves.

Can I achieve this by adding specific user permissions while still having him as a member of the group driving the permissions?


Scenario 3

Obi-Wan Kenobi has just started with our organization

Has been assigned a site role of “Explorer” but not yet added to any groups

All the projects have a default permission setting of “None” for the default “All Users” group.

How and what can he do with these projects while he waits to be added to the correct group?
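
The decision tree and the three scenarios above, worked through as an added Python example (not code from the slides or from Tableau). It assumes explicit user rules are checked before group rules, deny is checked before allow at each level, and nothing specified means no access; the `ROLE_CAPS` table, the capability names, the "Analysts" group and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field

ALLOWED, DENIED = "Allowed", "Denied"

# Constructed, simplified role ceilings for this example only;
# not Tableau's full capability matrix.
ROLE_CAPS = {"Viewer": {"view"}, "Explorer": {"view", "edit", "download"}}


@dataclass
class ContentRules:
    """Explicit rules on one project: principal -> {capability: ALLOWED | DENIED}."""
    user: dict = field(default_factory=dict)
    group: dict = field(default_factory=dict)


def effective(rules, user, groups, site_role, capability):
    # The site role is a ceiling: a Viewer cannot edit even if a group rule
    # allows it (Scenario 1 on the slides).
    if capability not in ROLE_CAPS[site_role]:
        return DENIED
    # Assumed order: explicit user rules are consulted before group rules.
    user_rule = rules.user.get(user, {}).get(capability)
    if user_rule == DENIED:
        return DENIED
    if user_rule == ALLOWED:
        return ALLOWED
    # Across all of the user's groups, one explicit deny beats any allow.
    group_rules = {rules.group.get(g, {}).get(capability) for g in groups}
    if DENIED in group_rules:
        return DENIED
    if ALLOWED in group_rules:
        return ALLOWED
    return DENIED  # nothing specified anywhere ("None" template): no access


def run_scenarios():
    everything = {"view": ALLOWED, "edit": ALLOWED, "download": ALLOWED}
    # "All Users" has the "None" template, modelled here as no explicit rules.
    rules = ContentRules(group={"All Users": {}, "Analysts": dict(everything)})
    s1 = effective(rules, "vader", ["All Users", "Analysts"], "Viewer", "edit")
    # Scenario 2: add a user-level deny while the group still allows download.
    # The Explorer role is assumed here so that the rule, not the role, decides.
    rules.user["vader"] = {"download": DENIED}
    s2 = effective(rules, "vader", ["All Users", "Analysts"], "Explorer", "download")
    # Scenario 3: Explorer role, member of no group except "All Users".
    s3 = effective(rules, "obiwan", ["All Users"], "Explorer", "view")
    return s1, s2, s3


if __name__ == "__main__":
    print(run_scenarios())
```

Under this model a user-level deny is enough to block the departing user without removing him from the group, and a new user with no group rules sees nothing until a group grants it.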


Data Security


Multiple Approaches to Data Security

Implement security on the database

Implement security solely in Tableau

Privileges on the Database role


Database Security—Login Account

Windows Authentication

Username and password

SSL Option


Database Security–Authentication Mode

Prompt user

Embedded password

Server Run As account: Windows integrated security only

Viewer credentials/Publisher Credentials (Tableau Server only)

Kerberos-enabled Teradata, PostgreSQL, MS SQL Server, MSAS

SAP HANA and BW SSO

Impala SSO

Impersonation (via embedded account or Run As account): MS SQL Server only


DEMO


Session Re-cap

Authentication

Auth Options, LDAP, SSO

Authorization

Structure, Permissions, Scenarios, Decision Tree

Data Security

Native Tableau User Filters, Table Security Model, Database policies models


SESSION REPEATS

Tableau Server security in depth

Thursday | 2:15 – 3:15 | MCCNO – L3 – 351

Big Easy data security

Tuesday | 4:00 – 5:00 | MCCNO – L2 – 297

Wednesday | 10:15 – 11:15 | MCCNO – L2 – 204

Data level security with Tableau Desktop

Tuesday | 12:30 – 1:30 | MCCNO – L3 – 338

Wednesday | 1:45 – 2:45 | MCCNO – L2 – 211


Please complete the session survey from the Session Details screen in your TC18 app


Thank you!

#TC18
