“Do I need row-level security (RLS) in Tableau?” This question, or a version of it, is brought to us often. RLS can seem abstruse if you have not touched it before. In this blog series, we will approach the question above, as well as introduce basic concepts around RLS and a couple of implementation options with examples, all in a way that is hopefully approachable for everyone!
The main issue that drives the need for RLS is trying to customize data based upon a user or a group of users. This is a familiar need of our clients, but if they are not fully aware of RLS options, they can find other creative solutions that might scale poorly or cause headaches in the long run. An example of an alternative solution that signals a need for RLS is users trying to maintain multiple copies of the same extract or workbook from a single database. So, if you think you need RLS based on the scenario described above or something else, let’s take a look at row-level security from a high level to see if it is appropriate for your situation.
What Does RLS Do and How Does It Work?
RLS provides the ability to have one object (a dashboard, workbook or data source) provide different data to different audiences. We can avoid creating similar versions of the same object (e.g., a South Region Sales Dashboard and a North Region Sales Dashboard).
An RLS solution in Tableau will reference an attribute of the logged-in user, usually their Username or one of their Group memberships, and then filter the data down to what that user or group should see based on logic the developer has implemented. Sometimes, a table with attributes about your users is joined to your data to help support this logic; this is called an Entitlements table, and we will talk about this in the next post.
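The filtering logic described above, modelled outside Tableau with SQLite as an added example (not code from the original post or from Tableau). The tables, users and groups are constructed assumptions; inside Tableau the user attribute would come from functions such as USERNAME() or ISMEMBEROF().

```python
import sqlite3

def build_db():
    """Constructed sample data: one sales table plus an entitlements table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sales (order_id INTEGER, region TEXT, amount INTEGER);
        INSERT INTO sales VALUES (1,'North',100),(2,'North',250),
                                 (3,'South',75),(4,'South',300);
        -- Entitlements: which principal (a user or a group) may see which region.
        CREATE TABLE entitlements (principal TEXT, kind TEXT, region TEXT);
        INSERT INTO entitlements VALUES
            ('alice','user','North'),
            ('South Sales','group','South'),
            ('Executives','group','North'),
            ('Executives','group','South');
    """)
    return db

def visible_rows(db, username, groups=()):
    """Rows the logged-in user may see. The inner join drops every row without
    a matching entitlement, so an unknown user sees nothing (fail closed)."""
    principals = [("user", username)] + [("group", g) for g in groups]
    # Only placeholders are interpolated; every value is a bound parameter.
    match = " OR ".join("(e.kind = ? AND e.principal = ?)" for _ in principals)
    params = [v for pair in principals for v in pair]
    sql = f"""
        SELECT DISTINCT s.order_id, s.region, s.amount
        FROM sales s
        JOIN entitlements e ON e.region = s.region
        WHERE {match}
        ORDER BY s.order_id
    """
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = build_db()
    # One data source, four different audiences (all names are hypothetical).
    for user, groups in [("alice", []), ("bob", ["South Sales"]),
                         ("carol", ["Executives"]), ("mallory", [])]:
        print(user, visible_rows(db, user, groups))
```

The DISTINCT matters when a user qualifies through more than one entitlement (for example, by username and by group), since the join would otherwise duplicate rows and inflate totals.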
Consider the Big Picture
If we zoom out a bit, we can think about three levels of security in Tableau:
- Access to a Tableau Server Site
  - Anyone on the site gets the full experience of a dashboard, workbook or data source.
- Object-Level Security Using Projects
  - Applied to Projects, Workbooks or Data sources on Tableau Server/Online
  - Anyone in permissioned group(s) or specifically permissioned individuals gets the experience described by the permissions. They will see all the data in a data source or workbook.
  - Can depend on how content is organized into Projects
- Row-Level Security (RLS)
  - Each user or group of users can get a different dashboard experience.
  - Different users will see different portions of the data.
  - Applied within a data source (best-practice) or workbook
  - Will still want to consider and use object-level security, most likely
The last point is critical: A good RLS solution will consider both row-level and object-level security. A lot of the time, this is as simple as a specific workbook or data source only being relevant for one area of the business, thus denying permissions for all other areas, but it can get more complex. Added complexity usually comes from large-scale user bases and different levels of permissions being included.
If you think you might just need object-level security, check out Igor’s blog, Tableau Server Permissions: A Complete Guide.
If it is sounding like you need some guidance around row-level security, go ahead and keep reading the two following blog posts where we walk through the core building blocks of RLS solutions and basic implementation patterns.
Tableau’s Centralized Row-Level Security
Tableau 2021.4 includes Centralized Security, available only through Tableau Data Management. This will allow RLS policies to be implemented on the Server in a single location. All the components we will mention in this blog series should retain their relevance, but the process to implement and maintain these solutions should be even easier! Keep a lookout for another blog when we get our hands on it.
A Quick Note on Other Security Options
If you are considering providing different column access (column-level security) in a data source to different users, note that Tableau does not support this functionality. We recommend handling this functionality in the database itself.
If there are requirements to keep the data separate in the database, bringing the data together in Tableau and using RLS to manage access may not be appropriate.
Trusted Advice from Tableau Experts
And if you find yourself with more RLS questions or are not quite sure what considerations to weigh, reach out! We’re ready to guide you through this decision-making process, help you navigate your current implementation and explore and understand what the best options are for your situation. Let us know how we can help, and check back soon for the next installment in this blog series!