Managing Row Level Security

Applies to Write-Back Server and Write-Back Cloud

Question

How to manage row level security with Write-Back?

When you share workbooks with others by publishing them to Tableau Server, by default, all users who have access to the workbooks can see all of the data shown in the views. You can change this behavior by applying a type of filter that allows you to specify which data “rows” any given person signed in to the server can see in the views. This is often referred to as Row-Level Security (RLS).

Typically, the standard approach to implementing RLS in Tableau is to create a new table in the database that defines which users can access which rows. This table is then joined with the dataset being analyzed and combined with a data source filter based on the user name. A classic example is defining which Sales Representatives can access which regions and states.

This approach works perfectly but comes with a few limitations: how can you manage the new access table? This is where Write-Back can help. User access can be managed directly in a Tableau dashboard, using Write-Back to insert, edit and delete users' access entries visually while writing the information to a database table in the background.

Answer

The attached workbook has the full solution implemented and uses the Write-Back public demo environment. For more information on using it, check our Public Demo instruction page.

Attached workbook: Row Level Security.twbx

Step 1: Create the Admin Dashboard

The first thing to do is to create a dashboard that only someone with administrative permissions can access. This is where you will manage user access.

To create such a dashboard, you first need to define the attribute by which access will be managed. It can be a region or product category, for example.

After identifying the attribute, you must include it in your view. Let's assume that the attribute is the region. You need to create a view that incorporates region - e.g. a map.








Step 2: Set Up Write-Back for Managing Permissions

The next step is to configure a Write-Back instance to submit / edit permissions. Permissions are directly related to a user, which means that you need to have a field to specify the user in question. 

A particular requirement of RLS is the ability to revoke privileges. At any time, it may be necessary to withdraw a given permission from a user. To perform this task with Write-Back, you must create a predefined field that identifies whether a given permission is active or inactive.

Add Write-Back to the dashboard and your configuration should look similar to this:

  • The Identifier Attribute in Source Fields, e.g. region.

  • A new Input Field called "User", type text

  • A new Input Field called "Status", type predefined with values "Active" and "Inactive"

  • Keep Write-Back in Form View

Step 3: Configure Permissions

To add a permission, the only thing you need to do is select a mark (e.g. a state), then in Write-Back enter the user name and select Active in the Status field.

You can add multiple entries for the same state to allow multiple users, or select multiple states and add an entry that gives that user access to all of them.

To withdraw a permission, click on the corresponding state and edit the record, selecting Inactive in the Status field.





Step 4: Create a Visualization to Track User Permissions

A good practice is to keep an up-to-date list of RLS permissions. This allows the administrator to manage each user's permissions more efficiently. In the case of an audit, it is also easier to provide this kind of data.

For this you can simply create a Tableau data source on top of the Write-Back table. Don't forget to filter the Write-Back table by IsActive set to True to ensure you only get the latest snapshot provided by the users for each record.

After that you can create a viz that relies on that data source.







Step 5: Create the End User Dashboard

The last step is to add the security relationship between the original data and the RLS management data on your dashboards. In the sample workbook we placed them together, but in practice this will be a separate dashboard, which allows different view access configurations on the Tableau Server. Bear in mind that the security management dashboard should be accessible to admins only.

To do this you need to blend both data sources and create a new calculated field that will function as a filter. This calculated field must include the username() function, which dynamically retrieves the user name of the person who is logged on.

Thus, only the rows related to that user will be shown.
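
The filter logic from Steps 4 and 5, expressed as SQL over an in-memory SQLite database. This is an added example, not taken from the attached workbook or from Write-Back itself. The table names, column names and sample rows are constructed; only the User and Status fields and the IsActive flag come from the article.

```python
import sqlite3

# Constructed sample data. Table and column names are assumptions made
# for this example, not the schema Write-Back creates.
SCHEMA = """
CREATE TABLE sales (region TEXT, amount INTEGER);
CREATE TABLE rls_writeback (region TEXT, user_name TEXT, status TEXT, is_active INTEGER);
INSERT INTO sales VALUES ('East', 100), ('West', 200), ('South', 300);
INSERT INTO rls_writeback VALUES
  ('East',  'alice', 'Active',   1),  -- current grant
  ('West',  'alice', 'Active',   0),  -- superseded version of the next record
  ('West',  'alice', 'Inactive', 1),  -- latest snapshot: permission withdrawn
  ('West',  'bob',   'Active',   1),
  ('South', 'Bob',   'Active',   1);  -- same user, different letter case
"""

# A data row is visible only if the latest snapshot (is_active = 1) of a
# permission for this user and region has status 'Active'. Checking only one
# of the two flags would keep showing withdrawn or superseded grants.
# EXISTS is used so several matching grants never duplicate a data row.
# lower() assumes user names are case-insensitive in your environment.
VISIBLE_ROWS = """
SELECT s.region, s.amount
FROM sales AS s
WHERE EXISTS (
  SELECT 1 FROM rls_writeback AS p
  WHERE p.region = s.region
    AND p.is_active = 1
    AND p.status = 'Active'
    AND lower(p.user_name) = lower(:user))
ORDER BY s.region
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def visible_rows(conn, user):
    """Rows of `sales` the signed-in user may see; unknown users get none."""
    # The user name is bound as a parameter, never concatenated into the SQL.
    return conn.execute(VISIBLE_ROWS, {"user": user}).fetchall()

if __name__ == "__main__":
    db = open_db()
    for name in ("alice", "bob", "mallory"):
        print(name, visible_rows(db, name))
```

A user with no matching permission record gets an empty result, so the filter fails closed.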