My previous blog talked about how to detect and delete PII data on Tableau server. In additional to Personally Identifiable Information (PII) data (like SSN, DoB, Payment Card, etc), some organizations may have other types of classified data like R&D data, Attorney-client Privileged Information, Controlled Unclassified Information, Export Controlled Information, Student Loan Application Information, etc.
Likely organizations have existing policy to govern those classified data. The fundamental of the governance process is to control who can access what data. The situation is that the collaboration software like Dropbox, Box, Quip, Slack, Tableau created a lot new challenges to existing data protect / data governance process. Those collaboration tools make one user to share data with another user just too easy.
For example, John’s Tableau workbook, with classified information, is shared to a server group. John reviewed the group members and confirmed all members had disclosure to access the classified information – it is all good when John grants permission. The problem happens later on : Many Tableau server deployment syncs Tableau groups from Active Directory (AD). The AD group may be added more members without John’s knowledge at all. The new members may not have disclosure so that the John’s classified information is out of control now….
How to resolve this Tableau permission ‘cascading’ issue?
The above process will send notification to content owner (can add Project Leader as well) automatically when following conditions met:
- an user has access to a Tableau classified object
- and this user is NOT in the disclosure
Four step to implement this process:
- Create organization’s classified data disclosure repository : who is disclosed to what classified data
- Content owner to tag datasource or workbooks on Tableau server : the tag is the classification code
- Enable Tableau Lineage Tables (if not done yet) : run ‘tsm maintenance metadata-services enable’. The Tableau lineage tables will be populated with lineage data without Data Management Add-on model. The tables can be accessed by Postgre ‘Readonly’ users although not available to any Tableau server users w/o Data Management Add-on model.
- Create workbook to compare Tableau permission with using classified data disclosure repository : Identify discrepancies and take actions (alert or deletion)
RE-CAP: Protect classified data on Tableau server needs content owner and Tableau server platform team’s involvement. It does provide a peace of mind solution for those who commit to data security and data protection.
It is still strongly encouraged to use following design patterns when deal with classified or sensitive dataset:
- Row level security design – still need to ensure right group used and group member controlled if ISMEMBEROF() used
- Live connection only (no extract) and use Prompt User when publish workbook – control data access in the data source outside Tableau server