Using Tableau Server groups for row level security

//

Tableau Groups are a very efficient way to manage security. User permissions managed in groups is far simpler to manage compared to managing each user individually.

In an earlier post I demonstrated options to implement row level security in Tableau.

Another, and complimentary, way to manage Tableau permissions is to use the Tableau Server groups and ISMEMBEROF function.

ISMEMBEROF to manage Tableau Permissions

ISMEMBEROF works well alongside the row-level permissions, as demonstrated below.

Also use Server groups to assign Tableau Project permissions.

ISMEMBEROF and Tableau Server Groups are very useful for role-based permissions.

ISMEMBEROF Syntax

Use ISMEMBEROF in calculated fields. It returns a boolean value – the user either is or isn’t a member of the group – so True or False.

The syntax is very straightforward

ISMEMBEROF("Group Name")

Use ISMEMBEROF for Role Based permissions

When you have a group of people doing the same role it’s likely they require the same permissions.

It’s much easier to manage permissions by simply assigning a user to a group and managing that one group, rather than managing the 30 individuals within that group.

For example you could have groups based on a user role, such as “Sales” or “Customer Service”.

Using Tableau Server groups for role based permissions

Create a different Tableau group for each different role. In Tableau Server you can manually add the users to their relevant group(s).

Alternatively, to reduce maintenance even further, synchronise with Active Directory (AD) groups.

This removes the maintenance overhead from the Tableau team, instead it picks up the groups from the central source of record.

The server groups would automatically update to add and remove users from groups as people move, arrive and leave an organisation. This creates an audit trail, which is necessary in some organisations.

An example using Tableau Server Groups for permissions

Using the “Sales” group example, perhaps within the data there are some records Sales can see and other records Sales should not see.

Within the data use a simple boolean field showing whether Sales are allowed to see the record. Perhaps this would be based on a business rule, but it should be a field (either calculated or source) in the data. True means they can see the field and False they can’t.

Call this field ‘SalesCanView’.

In Tableau create a calculated field using the ISMEMBEROF and the Tableau group. This field is for filtering, to apply the permissions. A formula such as follows works:

(ISMEMBEROF("Sales") AND [SalesCanView]) OR ISMEMBEROF("Customer Service")

Drag this field into the Filters area and set the value to True.

In plain English this formula says:

  • if the user is a member of the Sales permissions group and the data field SalesCanView is True the user can view the record
  • if the user is a member of the Customer Service group they can view the record
  • all other users can’t view the record.

Permissions can be a challenge within Tableau. In general a combination of row level permisssions and group based permissions are enough for an effective model.

Leave a Comment