The good: Dashboard extensions give you the ability to interact with data from third-party applications directly in Tableau. Capabilities like write-back to a database, custom actions, and deep integration with other apps are all at your fingertips.
The bad: Dashboard extensions also means potential data vulnerability when third-party extension used even on Desktop alone :
- Extension can access workbook’s summary data by default and full data with additional confirmations.
- Extension can access the user’s IP address, Tableau Desktop or browser versions, screen resolution, and device type.
How to adopt Dashboard Extensions at large enterprise?
- Extension for Desktop:
- Extension should be turned off by default on Desktop if your company controls user Desktop installation
- Some super technical Desktop users can turn extension on by themselves. Read here for details.
- Extension for Server : Tableau server should have the following policy enforced:
- Unknown extensions can’t run on Tableau server – this is the most important setting. Similar as guest account should be turned off by default, this enable unknown extension should be off by default.
- Unfortunately you will have to do this for every single site – even your default site turned this off, newly created site will still have this default checked. Please vote IDEA
- Every extension has to be
added to the safe list by server admins
- Hopefully server admins have policy to add only https://*.company.com/xxx URL can be in safe list. It means that third-party extension has to be hosted on-premise before it can be used.
- Extension Gallery :
- Some people may not agree with me here. For me, any third-party extensions is unsafe since they can change extension definition without your knowledge, includes those from Extension Gallery from official Tableau website
- The secure approach requires all extensions hosted in your company’s web server.
- From high level, extension is not safe if it is hosted outside your company. Extension is considered ‘safe enough’ if it is hosted within your company’s firewall.
- Large enterprise should consider to create your own extension gallery for your publishers to share their extensions within your firewall.
- Some people may not agree with me here. For me, any third-party extensions is unsafe since they can change extension definition without your knowledge, includes those from Extension Gallery from official Tableau website
Watch the webinar for the recommend settings and Tableau’s plan to make Extensions inherently secure – short term, mid-term and long term.