30 Mar 2021 A New Way to Apply Row Level Security in Tableau
Sometimes Tableau workbooks require applying security at row level. There are some methods which are frequently used to apply this security, but in this article an alternative will be presented.
Apart from explaining how this alternative method must be implemented, we will compare it with other methods to see the pros and cons of each one.
1. Row Level Security
In Tableau, Row Level Security (RLS) consists of restricting some data in the workbook to certain users. This is different from Tableau permissions, which are used to give or deny access to content. Permissions can control who can edit a workbook or only view it. Row Level Security allows users that have the same permissions to see different data. For example, one user will see data from Asia and another user will see data from Europe.
By default, all users who have access to the workbooks can see all the data in the views. By applying RLS, you can specify which data rows can be viewed by each person signed into the server. This approach applies to data sources with live connections and extract data sources whose tables are stored as multiple tables.
Imagine that you have a report showing the sales during different years for some countries:
Figure 1: Sales by year and country without security filter
You want each country manager to have access to their respective country, but not to the sales number of the other countries. The user filter will restrict access to the data based on each user’s characteristics. This data restriction is what we know as Row Level Security, and Tableau allows different ways to implement this.
2. RLS Options Offered by Tableau
2.1. User filter with manual mapping
This method allows the option to give different restrictions to each user. You can create a User Filter and then map each user manually with the countries that they will be able to view.
Figure 2: Mapping between users and country dimension
Figure 3: Sales by year and country with RLS filter
This is a good method if there is a small number of users, but if there are a lot of users, you will waste time in doing the mapping. Another negative point is that when a new user is introduced into the Tableau Server, it will be necessary to edit the workbooks to include the new mapping.
2.2. Dynamic filter using security field
This method consists of joining the data source with a security table that must be created. In this table, each user’s username and the country that they will have access to will be defined. Here is a simplified example of a few users and their countries.
Figure 4: Example of a simplified security table
This table must be joined with your data in the Tableau connection. In this example, we will join the table Orders from Sample- EU Superstore with the table Users that we created.
Figure 5: Join between original data source table and the security table
If we add the username field to the view, we will see each username followed by the countries’ names that this user will have access to, along with the sales of each of these countries.
Figure 6: Username with associated countries and sales for each country
Now it’s time to apply the security filter. In this case, a simple calculated field must be created. The formula is as follows:
Figure 7: Security field
The USERNAME() is the name of the user who is signed into Tableau.
The last step is adding the security field to the filters shelf and allowing only the TRUE results, thus completing the application of RLS.
Figure 8: Security field filter applied
The Security table is very useful if you know that new users and groups will be added to the data source, because manual mappings are not needed. On the other hand, the performance of this method is worse than the User Filter, because the security table must be joined to the original data source.
3. Alternative Solution: Security Group
The objective of this article is to present an alternative to these two methods, which consists of using security groups to implement RLS. Tableau Server offers the possibility to create groups and add users to them. The idea is to create one group for each country and then map the groups with the countries like we did in the first method.
The groups can be created manually from the Groups tab in Tableau Server.
Figure 9: Groups in Tableau Server
To add users to the group, change the tab to Users. Here, you will find the list of all users. There is an ellipsis button next to each username, which you can click on to manage group membership.
Figure 10: Group membership
Following the same example applied to the previous methods, add the user to ‘Spain’ group so that it will be mapped to the country ‘Spain’ in the workbook.
After managing the membership of each country, the next step is to open the workbook and create a User Filter. The steps that must be followed to create this filter are:
- Click on the Server tab
- Select Create User Filter
- Choose the dimension that will be mapped to each group. In this example, the dimension is Country/Region from the ‘Sample – Us Superstore’ dataset.
Figure 11: Create User Filter
In the first method, the mapping was done between each user and countries. In this case, the mapping is between the entire group (Spain) and ‘Spain’ from Country/Region field. This step must be performed for each existing country group.
Figure 12: Mapping between groups and dimension
Once the mapping is done, a set of users is created. This set can be copied into other workbooks that have a Country dimension, so it will not be necessary to repeat the mapping another time.
Adding the users set to the filters shelf applies the Row Level Security.
Figure 13: RLS with security groups applied
This method can be very similar to the first one, but it is very useful if some new users are added. Instead of editing all the workbooks that have the RLS applied, the only thing that must be done is to add the users to the groups in Tableau Server. As the group is already mapped to one country, the RLS will be applied automatically, without needing to edit all the workbooks one by one.
Compared to the second method mentioned before (the security table), there is another positive point: the performance. When adding the security table to the workbook, a join between the data source and the table must be done. This gives us a worse performance compared to the group security, because the latter method uses a “where” clause for each group, which is faster.
3.1 Multiple groups
When there is a large set of groups, it can be tiresome to create all of them manually from Tableau Server. We can create all the groups at the same time using tabcmd, a command line provided by Tableau which can be used to automate site administration tasks on Tableau Server.
The command to create one group is as follows:
Tabcmd creategroup -nameOfGroup -s ServerName -u username -p password
If you want to automate the process to create all groups at the same time, you can create a script and execute it.
4. Pros and Cons
In the following table, we summarise the advantages and disadvantages of each method.
Pros | Cons | |
|---|---|---|
User mapping | • Good performance as no joining is needed. • Flexibility for the dashboard developer. | • If new users are added, all workbooks must be edited to add the new mappings. • If there are multiple users, the mapping for all users will take more time. |
Security table | • If a new group is added, there is no need to edit the workbooks. The only thing that must be done is inserting the information in the security table. | • Bad performance due to the joining between the data source and the security table. • The table must be created and the data must be added to the table. |
Security Group | • No need to edit the workbooks if a new user is added. • Good performance as no joining is needed.
| • If a new group is added, the workbooks must be edited to map the new group. • If there are multiple groups, it will take time to create and map all of them. |
Conclusion
Tableau provides the possibility to apply security at row level. It also offers two options to implement this security, but for some applications they may have some negative points. There might be issues when having a lot of users, adding new users when the security is applied and the workbooks are published, and with general performance.
This is the reason why we have presented an alternative method which consists of creating groups in Tableau Server and using them as security groups, mapping each group to the dimension like it would be done with users.
The security group method is a good alternative when having a lot of users because instead of mapping each of them to the dimension, you only need to map the group that can contain multiple users with the dimension. It also allows a way to add new users without editing all the workbooks with the new mappings. Moreover, the performance of the security group is better than the security table.
Our team of expert consultants has a wide range of experience in building custom solutions for Tableau. Contact us at info@clearpeaks.com if you’d like to know more!
