The Tableau Data Management Add-on provides a useful set of tools to help manage content and data assets on Tableau Server. The newly released version, 2021.4, introduces new ways to manage data connections and security that promise to simplify managing access credentials and permissions. The two new features that have been added are:

• Virtual Connections that centralise data management and allow you to limit widespread distribution of sensitive database connection credentials and ensure data is always refreshed as needed
• Data Policies that allow you to centrally create and test security settings so that users can share data freely without putting security at risk

Virtual Connections in Tableau Server

When Tableau Server needs data to render a visualisation or refresh an extract, it will generally need to log on to a database. For this, it will need access to a user account on that database. To provide a smooth user experience, it is common practice to use a single-user account on the database and embed the login credentials in each published data source. As the number of data sources grows over time, so does the effort to maintain these connections.

Virtual connections are a new type of content concerned purely with the task of accessing data. A single virtual connection contains the user login credentials to access the database in a common managed connection that can be used by multiple data sources. This is shown in the image below (taken from the Tableau online user guide):

Virtual connections differ from data sources in that they specify the database tables and views that are made available, but they leave the job of defining relationships of joins between tables to the individual data sources that are published. In this way, the database access can be managed at a central point, while individual data sources provide individual user groups with the info they need in a structure that makes sense for each purpose.

Data Policies

Having established a connection to data, another common requirement is to govern access so that each user only receives the information to which they are entitled. This is done by filtering individual rows of data for the specific user accessing it. This is known as row-level security.

It is common to see row-level security built into data sources, but the people that know an organization’s data best are not always familiar with building security models and can find it challenging to master. Virtual connections can help with this by providing an intuitive user interface where data specialists can build and test data policies, which can then be coupled with the centralized data connection for use across multiple data sources.

In this blog post, we will look at an example, starting with a simple virtual connection and adding a data policy to control user access. Finally, we will see how this can be used to build data sources.

Creating a Virtual Data Connection

Virtual data connections are created directly on Tableau Server. From the menu on the New button, selecting a Virtual Connection opens up a new window. Select the database type and enter the login credentials on the next screen. These can be username and password or OAuth credential types.

With the database connection made, it is now possible to select the tables to be made available. In this example, we will be adding an entitlement table that will be used later to create a data policy. However, this table will not be useful to users and therefore will not be made visible in the connection:

We now have the option to simply publish this virtual connection. This would provide access to all data in the tables for all users since no restrictions have been applied yet.

Adding a Data Policy

The Data Policies tab at the top of the screen gives access to a list of available policies:

From here, we can now go ahead and create our first policy. In this example, we will control access to customer order data so that each salesperson will only have access to orders from customers in their own region. In addition, there are two managers who are allowed to see data from all regions.

Since all users must be authenticated to view content on Tableau Server, we can use one of several built-in functions to identify who is currently accessing the data. If our Orders table includes the name of the salesperson, we can directly build a policy (which, in effect, is a filter) using this table. More commonly, though, we will need to make use of an intermediate table that maps individual users or groups to the data. These tables, known as entitlement tables, can take many forms.

In our case, the entitlement table contains two columns that link each individual customer to the responsible salesperson. We will bring this onto the Entitlement pane and then add further tables that contain customer numbers to which we can apply the policy:

We then define the relationship between each of these tables and the entitlement table. In our example, this is the customer number. Finally, we can write the policy condition we wish to apply. This is a calculation that returns a true or false value that will be used to filter individual rows of data:

In this example, we are filtering the entitlement table. If the current user is a member of the Managers group, the expression is true and all rows in the dataset are passed. Otherwise, only data rows will be passed where the MANAGER column in the entitlement table matches the full name of the logged-in user. This policy restriction is then passed through to the Orders table and Customer table so that only those customers belonging to the logged-in user will be made visible.

At the bottom of the screen, you can test the policy by selecting individual users to simulate how the data will appear to that person. This can be done prior to publication so that users will only ever be granted access after the policy has been tested.

Using Virtual Connections

Now that we have built our first virtual connection, we can use this to make data available to our users in the form of published data sources that will be meaningful for their use cases. In the example below, we use the new virtual connection to build a data source that contains five tables where the data is controlled by the central user policy:

The finished data source looks like this:

I am very excited to see this new feature in Tableau Server because data security comes up as a central theme in almost all engagements I consult in today. Users often struggle to get this right and keep everything up-to-date. If you need to manage access to your data, this is going to make your task a whole lot easier and help you ensure the data is only going where it should.

For more information, check out the very comprehensive description provided by Tableau in their user guide. You can also reach out to us here at InterWorks. We’d love to help you find the right solution for your needs.