TABLEAU SERVER AND CLOUD SECURITY (5/10): Explain Data & Data Story

My last post covered Dashboard Extension security; in short, Sandboxed extensions are safe to use while Network extensions are not. This post focuses on the security concerns of Explain Data and Data Story.

Is Explain Data safe to turn on for the server or site?

Yes

Explain Data concern: it may expose data from the underlying data sources that is not shown in the dashboards. However, Explain Data does not send data outside your Tableau server, which is why it is safe for admins to turn on.

In addition, Explain Data can be controlled per workbook (on or off, default ON). Even when Explain Data is turned on at the server and site level, the workbook owner can turn it off for a specific workbook.

One nice thing about Explain Data is that it is available for all workbooks on the server/site, including workbooks created before 2021.2, even though Explain Data was released only with the 2021.2 release.

Next, let’s look at Data Story.

Is Data Story safe to turn on for the server or site?

Yes

What is Data Story's risk from a data security perspective? The only risk is that data from hidden worksheets can be used in a Data Story.

The good thing about Data Story is that it does not send data outside your Tableau server, as Data Stories does not use generative AI, large language models (LLMs), or machine learning to write insights and stories.

Summary: both Explain Data and Data Story are safe to use. Both default to ON, and the default is fine.

TABLEAU SERVER AND CLOUD SECURITY (4/10): Extension

At a high level, there are two types of Tableau extensions:

  1. Dashboard Extension: adds features you wish Tableau did easily but does not, developed by third parties:
    • Sandboxed: Tableau hosted, runs in a protected environment without access to any other resources or services on the web (safe to use)
    • Network: anyone can host one; dashboard data has to be sent to the hosting server (not safe to use)
    • Data Story (implemented the same way as an extension)
  2. Analytics Extension
    • TabPy
    • RServer
    • Einstein Discovery (not very useful yet)
    • Analytics Extension API

From a data security perspective, make sure you are fully aware of the following:

I recommend making all Sandboxed extensions available on your server and site, as they are safe to use.

Why are Sandboxed extensions safe? By design, a Sandboxed extension never sends data out of your Cloud site or server.

Are Sandboxed extensions free? Pretty much all of them are.

This is my recommended extension configuration for your site.

Since extensions are also available on Desktop, note that the default Tableau Desktop setting is good: it does not turn off Network extensions completely, but it does show a pop-up warning before any Network extension can be used.

TABLEAU SERVER AND CLOUD SECURITY (3/10): External Server

My previous post shared a recommended setup that segments all external users into one Limited Visibility site, which is a great balance between security and ongoing maintenance.

For organizations that do not allow internal and external users to mix on one Tableau server at all, there is the option of setting up a dedicated External Server:

Two separate Tableau servers: Internal and External

You can have both the External Site and the External Server solution if your org has different types of external users.

My setup has the External Server sitting outside the company firewall, in the DMZ. As an additional security measure, we did not open any network connectivity from the External Server to any internal database. The External Server is more like an island: extracts and workbooks can only be pushed to it via the API on behalf of publishers.

Here is how it works:

  1. A workbook is published to a specific project on your internal Tableau server
  2. Extract refreshes happen on your internal Tableau server only
  3. The updated workbook and/or extracts are published to the External Server via the API only
  4. There is no Creator or Explorer (can publish) site role on the External Server site
  5. There are no extract refresh schedules on the External Server either

Notes:

  • This setup has maximum security, but it comes with ongoing extract work for content owners.
  • Since the API is not good enough for users/groups and permissions, there is some admin work to set permissions correctly on the External Server.

TABLEAU SERVER AND CLOUD SECURITY (2/10): External Site

It is not uncommon to share Tableau dashboards, such as vendor performance KPI data, with vendor or partner users. To avoid surprises, it is better for vendors to know exactly how your company evaluates their specific business process metrics, and Tableau can be a perfect tool for that. All it takes is granting external users workbook permissions on your Tableau server.

There are many more data security questions once your Tableau platform has external users. Do you need a peer review process when new data is shared with external users? How do you prevent vendor A from seeing vendor B's data? How do you avoid silly mistakes that share internal data with external users? And so on. Some of those are business process controls. The big question we are trying to answer here is HOW TO SEGMENT INTERNAL VS EXTERNAL AT THE PLATFORM LEVEL?

This setup is what I have in production:

  • One External site for all vendors.
  • All external users can only be provisioned to this External site.
  • The site setting User Visibility is set to Limited.

Key benefits are:

  1. Avoids the mistake of sharing internal data with external users, since external users are NOT provisioned anywhere other than the External site, and that site has only a limited set of publishers.
  2. User Visibility = Limited prevents a vendor A user from seeing vendor B user names. This is a great Tableau feature, and it automatically disables all of the following for Explorers and Viewers:
    • Sharing
    • Who has seen this view?
    • Ask Data usage analytics
    • Data-Driven Alerts
    • Comments
    • Public Custom Views
    • Request Access
  3. Avoids a lot of potential ongoing maintenance compared with the one-site-per-vendor approach.
  4. This setup works for both Tableau Server and Tableau Cloud.

Check out the next blog for an alternative solution if your org can't have mixed internal and external users on one server at all.
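As an added example (not from the original posts), here is a small policy audit in Python over constructed membership records shaped like the site/user data the Tableau REST API returns. It checks the three invariants this post and the External Server post describe: external users exist only on the External site, nobody on the External Server holds a publishing role, and the External site runs with User Visibility = Limited. The corporate domain list, the site name, the sample accounts and the userVisibility attribute spelling are assumptions.

```python
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}   # assumption: your corporate mail domains
EXTERNAL_SITE = "External"           # assumption: the one vendor-facing site
# Tableau site roles that can publish; the External Server post wants none of these there
# (site administrator roles can publish as well, so they are flagged too)
PUBLISH_ROLES = {"Creator", "ExplorerCanPublish",
                 "SiteAdministratorCreator", "SiteAdministratorExplorer"}

@dataclass(frozen=True)
class Membership:
    server: str   # "internal" or "external" Tableau Server
    site: str     # site name
    user: str     # login name (assumed to be an email address)
    role: str     # Tableau site role

def is_external_user(login: str) -> bool:
    """An account whose mail domain is not one of ours is treated as external."""
    return login.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit(memberships, site_visibility):
    """Return policy findings; an empty list means the segmentation holds.
    site_visibility maps (server, site) -> userVisibility value (assumed FULL/LIMITED)."""
    findings = []
    for m in memberships:
        # External Site post: external users live only on the External site of the internal server
        if m.server == "internal" and m.site != EXTERNAL_SITE and is_external_user(m.user):
            findings.append(f"external user {m.user} provisioned on internal site '{m.site}'")
        # External Server post: nobody on the External Server holds a role that can publish
        if m.server == "external" and m.role in PUBLISH_ROLES:
            findings.append(f"publishing role {m.role} held by {m.user} on External Server site '{m.site}'")
    # External Site post: the External site must run with User Visibility = Limited
    vis = site_visibility.get(("internal", EXTERNAL_SITE), "")
    if vis.upper() != "LIMITED":
        findings.append(f"External site userVisibility is '{vis or 'unset'}', expected LIMITED")
    return findings

# Constructed sample data (not real accounts): two role/placement violations plus a visibility gap
SAMPLE_MEMBERSHIPS = [
    Membership("internal", "External", "bob@vendor-a.example", "Viewer"),        # ok
    Membership("internal", "Finance", "eve@vendor-b.example", "Explorer"),       # violation
    Membership("internal", "Finance", "alice@example.com", "Creator"),           # ok
    Membership("external", "Default", "carol@vendor-a.example", "Viewer"),       # ok
    Membership("external", "Default", "dan@example.com", "ExplorerCanPublish"),  # violation
]
SAMPLE_VISIBILITY = {("internal", "External"): "FULL"}   # misconfigured on purpose

if __name__ == "__main__":
    for line in audit(SAMPLE_MEMBERSHIPS, SAMPLE_VISIBILITY):
        print("FINDING:", line)
```

Feed it the real membership list exported from each server and run it on a schedule, so a vendor account landing on an internal site is caught before any workbook permission is granted.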