Please note that Portals for Tableau are now officially known as Curator by InterWorks. You can learn more at the official Curator website.
This blog post is Human-Centered Content: Written by humans for humans.
When you’re embedding Tableau Dashboards into your Curator for different teams, departments or clients, two things become critical:
- Making sure users only see the Dashboards they have access to.
- Making sure the data inside those Dashboards is filtered to what they’re allowed to see.
Rest assured that Curator is taking care of these tasks for you. If you want to understand the weeds keep on reading. We’ll explain how it works!
1. What Gets Shown in the Navigation, aka Menu Permissions
Think of your Curator portal’s menu as a living, personalized experience. Not every user should see every section, and Curator takes care of that automatically by default. However, if you’d like more granular controls, we’ve got you covered with the ability to specify access on a per-group basis for your users. Here’s what happens behind the scenes when a user logs in and the menu loads:
Curator runs through two permission checks before displaying the menu for every user:
- It checks if you have a group-based Restrict Access settings. If a user is denied access here, it short-circuits the rest of the permission checks. That can be a big performance boost for large menus! If the user is granted access, their permission checks will continue.
- For menu items that link to an integration (e.g. a Tableau Dashboard), Curator will query the source system (i.e. Tableau) to check if the user has access to that specific linked-item, and will grant/deny access. That means that you don’t have to manage permissions at all within Curator easing your maintenance burden. But you could.
Both checks need to pass. If either fails, the menu item simply won’t appear. And I mean that literally. In the extreme case, the menu will be completely empty. No tricks through the browser console to reveal anything hidden, nothing. It just won’t be there.
This behavior applies recursively, so if a parent item has no visible children, the entire branch is removed.
2. The Right Data Inside the Dashboard, aka Row-Level Security
Controlling which Dashboards users can open is one thing. But what about the data inside those Dashboards? If you have a single Tableau Dashboard shared across your whole organization, you probably don’t want the Sales team seeing Marketing numbers. Or worse, a client seeing data they haven’t subscribed to.
This is where Row-Level Security (RLS) comes in, and Curator handles it through a secure token system.
To create a seamless Tableau login experience, you should set up Connected Apps. You find full details here. When a user opens a Dashboard, Curator generates a short-lived token called a JWT (JSON Web Token) containing their username. Tableau verifies this token via the shared secret from your Connected App setup and immediately knows who is requesting the Dashboard. If you’ve set up Row-Level Security rules in Tableau like, for example, “only show rows where the subscription level matches the user’s plan,” Tableau enforces those rules automatically based on the username in the token.
If you need help setting RLS up, reach out to our friendly InterWorks folks!
All of this happens automatically once your Tableau connection is configured in Curator. The REST API check uses the PAT or Service Username that you setup. If not, take a look at our full integration setup guide.
And if you have questions about the above or just want to say hi, reach out too!
