Data security has been the top concern for Tableau deployment. This is summary of Row Level Security webinar by Zen Master, Mark Wu: What is Tableau Row Level Security (RLS)? What are the implementation options? How to decide which option to use? How to test RLS? How to improve RLS workbook performance?

• Download presentation slides here
• Watch Webinar recording here

Tableau handles data security by permission and row level security.

• Permission controls what workbooks/views that users can access and can do.
• Row level security controls what data sets the users can see. For example APAC users see APAC sales, EMEA users see EMEA sales only while both APAC and EMEA users have the same permission to the same workbook.
  

There are mainly 3 options to implement row level security. Sometimes all of those will be used in the same workbook/data source:

1. ISMEMBEROF: The most popular option – use server groups to control row level security
2. USERNAME(): Use separate entitlement table to control. Use Multiple Table extract will make performance a lot better for most cases
3. CONTRAINS(): Concatenate all allowed usernames in one comma-delimited field in your data.

ISMEMBEROF implementation steps:

• Create or Sync server groups
• Create calculated field : ISMEMBEROF(‘Group-AMER’) AND [Order_Region] = ‘AMER’ ….
• Add the calculated field to data source filter (strongly recommended) or workbook filter and select ‘true’
• Publish data source but do not give end user ‘Connect’ permissions at all to the published data source. Only give ‘View’ and ‘Connect’ to the content creators in your team
• Publish workbook and embed password in Authentication (embed password is absolutely necessary)
• Set workbook permission to all the groups used
  • Make sure Web Editing as No, download as No if use workbook filter used

USERNAME() implementation steps:

• Create calculated field: USERNAME() = [Username]  (note: [Username] is the server logon user’s name not Display name. Ask your server admin to confirm what is the server’s username on your server. Some implementations use email address, others may use employee_id, etc.)
• Add the calculated field to data source filter  (recommended) or workbook filter and select ‘true’
• Can make extracts after joining
  • Join Option 1: Cross-DB traditional left join if you can
  • Join Option 2: Relationship Join
  • Join Option 3: Blend (be aware of limitations)
• Publish data source but do not give end user ‘Connect’ permission at all
• Publish workbook and embed password for Authentication
  • Set workbook permission to all the groups above
  • Make sure Web Editing as No, download as No if use workbook filter used
• Pls use multiple table extract for better performance!!!!

Multiple Table extracts will have better performance for most use cases.

CONTAINS([User strings], USERNAME())

• Concatenate all allowed usernames in one comma-delimited field in your data, and then use  CONTAINS([user strings], USERNAME())
• Although it is string comparison but Tableau somehow handles string comparison much faster than most of databases.

Which option to go? The driving factors are performance, data preparation efforts and ongoing maintenance of the data/entitlement table. Often combine to use in the same datasource or workbook

Recap:

1. Get https://github.com/tableau/community-tableau-server-insights and make it available to all your publishers using Row Level Security
2. Tech your publishers to use Row Level Security design
3. Multi Table extract for better performance