Tableau Row-Level Security: Against the Grain

One of Tableau’s weak points through the years has always been its lack of enterprise readiness. Tableau knows this, and in the past few years post-acquisition, if you have followed their development roadmap, it’s clear this is becoming one of their focus areas in order to become a more attractive cross-sell to their existing CRM customers.

One of these features has been Row-Level Security. Provisioning access to workbooks and data sources has always been fairly straightforward in Tableau, but to enable security at the data source level has always required methods that feel more like workarounds than out-of-the-box solutions. 

Recently, Tableau has implemented their new Virtual Connections feature, which allows the setup of a formalized connection to access and control multiple data sources through a single connection, rather than maintaining an individual connection per data source. The setup of this is similar to the old established best practice from the popular blog ‘Tableau and Behold!’, where data is joined to an entitlements table and access is ultimately controlled by a filter.

https://tableauandbehold.com/row-level-security/

This solution works pretty well in most cases as long as you have all of the moving parts figured out in your organization (who owns the entitlements? what level are the entitlements stored at? who maintains the entitlements? how do developers utilize the entitlements?), but lately, I have found that when dealing with a large data set and/or number of users, this method is very taxing on Tableau Server and contributes significantly to the load time. Due to this, we now sometimes revert back and recommend the legacy RLS method, described below.

Solution

The legacy Tableau RLS method uses a calculated field just like the more modern entitlements method, but instead of relying on an entitlements join, the access is provisioned directly in the calculated field itself via Username() and Ismemberof() functions. 

Example:

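// evanlu sees every row
if username() = 'evanlu' then true
// davidweddell sees only rows where [Function] is 'Product'
elseif username() = 'davidweddell' and [Function] = 'Product' then true
// members of the Global Ops group see every row
elseif ismemberof('Global Ops') then true
end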

This calculated field can get messy very quickly, so there are a few important considerations when this is applied in practice.

  1. Maintain your master formula(s) somewhere else outside of Tableau, and if possible, utilize some programmatic way to add, remove, and group the lines of code within the calculated field. I like to use an Excel/Google Sheet to generate the lines in the calculated field for me instead of exposing myself to errors when typing it out manually.

  2. Establish a practice for developers to only use the RLS formula(s) from the repository, instead of making incremental changes here and there in various RLS calc fields across different dashboards as different people require access over time. The latter method will very quickly spiral out of control and you’ll end up with a plethora of unique formulas across a similar number of workbooks, and detangling and recreating the controlled environment is a not-so-fun exercise.

  3. Clean these fields up over time! Just as users will get added as usage of a particular workbook increases, there will be users and groups that no longer need access. In the interest of your own (or some other developer down the line’s) sanity, keeping these fields clean is a huge efficiency multiplier in the long run.

  4. Utilize groups! It’s very easy and convenient to flip a switch and add an individual user, but this will very quickly lead to the universe where hair is being pulled and profane language is being muttered. Your future self will thank you.
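
The practice from item 1, as an added example (not code from the original post): a small Python generator that renders the calculated field from one master list, so every workbook gets the same formula. The `Rule` type, `build_rls_formula` and the sample list are hypothetical names, and the explicit `else false` branch is an addition the formula above does not have.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Rule:
    kind: str        # "group" or "user"
    name: str        # Tableau group name or username
    field: str = ""  # optional column the grant is limited to
    value: str = ""  # value that column must equal

def _lit(text):
    # Emit a single-quoted string literal; refuse quotes and line breaks outright.
    if not text or any(c in text for c in "'\"\r\n"):
        raise ValueError(f"unsafe or empty value: {text!r}")
    return f"'{text}'"

def _condition(rule):
    if rule.kind == "group":
        cond = f"ismemberof({_lit(rule.name)})"
    elif rule.kind == "user":
        cond = f"username() = {_lit(rule.name)}"
    else:
        raise ValueError(f"unknown rule kind: {rule.kind!r}")
    if rule.field:
        if "[" in rule.field or "]" in rule.field:
            raise ValueError(f"unsafe field name: {rule.field!r}")
        cond += f" and [{rule.field}] = {_lit(rule.value)}"
    return cond

def build_rls_formula(rules):
    # Duplicates collapse and order is stable, so repository diffs stay readable.
    conds = [_condition(r) for r in sorted(set(rules))]
    if not conds:
        return "false"  # no grants: nobody sees any rows
    lines = [f"{'if' if i == 0 else 'elseif'} {c} then true" for i, c in enumerate(conds)]
    return "\n".join(lines + ["else false", "end"])  # explicit default deny

# Constructed sample master list, reusing the names from the formula above.
MASTER = [
    Rule("user", "evanlu"),
    Rule("user", "davidweddell", "Function", "Product"),
    Rule("group", "Global Ops"),
    Rule("user", "evanlu"),  # duplicate entry, collapsed on output
]

if __name__ == "__main__":
    print(build_rls_formula(MASTER))
```

Because groups sort ahead of users and entries are deduplicated, removing a user during cleanup (item 3) shows up as a one-line diff in the repository.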

If you’ve just implemented RLS with entitlements and are running into a performance issue, give the old tried and true method a try. There’s unfortunately not a quantifiable method in which you can look at a data source and entitlements table and mathematically determine that it’s going to be slow. Just like the definition of slow itself, it’s best subjected to the eyeball test, so you’ll just have to try it. Let us know if you are trying this strategy; we’d love to hear how it works out. Hopefully this method helps sometime and leads to happier users and admins.

Looking to enable Row-Level Security in your environment and have questions? Let’s have a chat and see how we can help.

Read more about Tableau’s new Virtual Connections (v-cons) at Tableau.com.
