Creating Row-Level Security in Tableau
Row-Level Security (RLS) in Tableau is a security technique that restricts data access for specific groups of users at the row level. It allows users to see only the data that is relevant to them, based on established rules.
RLS is useful when different sets of users need to access one dashboard or data source but should only view a section of the data. For example, consider Financial Reporting for the departments (Marketing, Sales, Operations, IT) in an organization: departmental heads should only access the financial data of their own department.
There are various methods to implement Row-Level Security (RLS), but in this discussion, we will focus on two key approaches:
- Manual User Filter
- Dynamic User Filter
Manual User Filter:
This is when you manually map users to specific values. For instance, referring to our previously mentioned example of Financial Reporting for departmental managers, consider Manager John being mapped to the “Operations” department.
In this scenario, John will only see rows in the data source where the “Department” column is equal to “Operations”.
Although this technique is straightforward, it is highly maintenance-intensive due to the following requirements:
- Very high attention to security.
- The process has to be done for every workbook.
- When the user base changes, the filter has to be updated and the data source has to be republished.
- For this type of filter, it is crucial to ensure that users cannot save or download the workbook. This prevents them from altering the filter and gaining access to the full dataset.
This option is useful when you are testing user filtering functionality, doing a proof of concept, or when you are creating a static workbook with an unchanging group of users and you understand the security risk.
Steps to implement Manual User Filter in Tableau
- Connect Tableau Desktop to the data you would like to use. Create the view you would like to use the filter on (in this case, Financial Reporting for Departmental Managers).
- Open a worksheet and create the chart you want to use the filter on.
- Go to the Server tab and select Create User Filter. Select the field you want to use for filtering the view; in our case it is the “Department” field.
- You might have to sign in to your server or site if prompted.
- Name the user filter “Departmental Managers”.
- Select a user or a group on the left, then indicate which value on the right they should be able to see. Repeat this process for each user or group, click OK when you are done mapping users to values.
After mapping a user or group to data values, if you need to repeat the same mapping for another group or user, you can do this by copying and pasting the settings.
Just select the user you want to paste settings to and click on “Copy from”, then click on the user you would like to copy settings from. All of this can be done by editing the “user filter” field in the data pane.
Dynamic User Filter:
This method requires creating a calculated field that automates the process of mapping users to data values. For example, in this case, you need the calculated field, the USERNAME() or ISMEMBEROF() functions and the Manager column in the data source. The calculated field filters the data dynamically based on the logged-in user. Here, the filter is defined at the data level and automated using calculated fields.
This method is relatively simple but also high maintenance and just like in manual filtering, the users must also be prevented from downloading the workbook so that they don’t change the filter and gain access to unfiltered data.
This option is useful when you don’t have a data management license, as well as when the data contains information you can use to filter it and you understand the risk of not setting the permissions correctly.
Steps to implement Dynamic User Filter in Tableau
- Connect Tableau Desktop to the data you would like to use. Create the view you would like to use the filter on.
Please note that this approach requires the database to contain the field you want to use for filtering.
Using our running example, our data is expected to have a reference table in which these two columns exist: “Department” and “Manager”. The names in the Manager column must match usernames in Tableau Cloud or Tableau Server, and the Manager field is going to be our filter.
- Go to the worksheet where you have created the view you want to use the filter on, go to the Analysis tab and select Create Calculated Field, and create the following field named “User is a Departmental Manager”. Search for the USERNAME() function and make it equal to the Manager field, like this: USERNAME() = [Manager]. The calculation is true if the username of the person signed in to the server exists as a manager in the Manager field.
- Add the “User is a Departmental Manager” field to the Filters shelf, select TRUE and then click OK.
NB: Ensure that your username is listed as a manager for at least one department. Otherwise, your view during authoring might appear blank.
- To see how the view looks to a particular manager, go to the lower right of your worksheet, open the “Filter as User” menu and select a manager.
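Because the dynamic filter only works when the Manager values match the site's usernames, it is worth checking the reference table before publishing. The following is an added example, not part of the original article: it models the USERNAME() = [Manager] filter as an exact string match (an assumption) over constructed sample data, and reports near-miss names, managers with no matching account, and users who would get a blank view.

```python
# Constructed sample data: the Department/Manager reference table and the
# usernames that exist on the Tableau site. None of it comes from the article.
ENTITLEMENTS = [
    {"Department": "Marketing", "Manager": "amara"},
    {"Department": "Sales", "Manager": "Priya"},          # case differs from the site username
    {"Department": "Operations", "Manager": "john"},
    {"Department": "IT", "Manager": "former.manager"},    # no such account on the site
]
SITE_USERS = {"amara", "priya", "john", "lena"}


def visible_departments(username, entitlements):
    """Model of the filter USERNAME() = [Manager] kept at TRUE.

    Assumption: the comparison is an exact string match (the strictest case).
    """
    return sorted(r["Department"] for r in entitlements if r["Manager"] == username)


def audit(entitlements, site_users):
    """Report reference-table rows and users that will not behave as intended."""
    normalized = {u.strip().casefold(): u for u in site_users}
    findings = {"near_miss": [], "unknown_manager": [], "blank_view": []}
    for row in entitlements:
        manager = row["Manager"]
        if manager in site_users:
            continue  # exact match: this row is reachable by its manager
        key = manager.strip().casefold()
        if key in normalized:
            # Same person, but case or whitespace stops the exact match.
            findings["near_miss"].append((row["Department"], manager, normalized[key]))
        else:
            findings["unknown_manager"].append((row["Department"], manager))
    for user in sorted(site_users):
        if not visible_departments(user, entitlements):
            findings["blank_view"].append(user)  # filter is never TRUE for this user
    return findings


if __name__ == "__main__":
    for kind, items in audit(ENTITLEMENTS, SITE_USERS).items():
        print(kind, items)
    print("john sees:", visible_departments("john", ENTITLEMENTS))
```

A blank view fails closed, which is the safe direction, but a department whose manager value matches nobody is effectively unowned and should be corrected in the reference table.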
PLEASE NOTE: To secure the user filter, make sure to DENY the following:
- Workbooks: Web Edit, Download or Save as a copy and Set Permissions.
- Data sources: Save, Download and Set Permissions.
This can be done during publishing or afterwards on the server.
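The deny list above can be checked mechanically against an export of the permission rules. This is an added example, not the article's own code: the rule records are constructed, and the mapping from the permission names in the article to Tableau REST API capability names (Web Edit to WebAuthoring, Download/Save a Copy to ExportXml, Save to Write, Set Permissions to ChangePermissions) is an assumption of this example.

```python
# Capabilities the article says to deny, per content type, using REST API
# capability names (the UI-to-API name mapping is this example's assumption).
MUST_DENY = {
    "workbook": {"WebAuthoring", "ExportXml", "ChangePermissions"},
    "datasource": {"Write", "ExportXml", "ChangePermissions"},
}

# Constructed permission rules, shaped like one rule per grantee per item.
RULES = [
    {"content": "workbook", "name": "Financial Reporting",
     "grantee": "Departmental Managers",
     "capabilities": {"Read": "Allow", "Filter": "Allow",
                      "WebAuthoring": "Deny", "ExportXml": "Allow",
                      "ChangePermissions": "Deny"}},
    {"content": "datasource", "name": "Finance Data",
     "grantee": "Departmental Managers",
     "capabilities": {"Read": "Allow", "Connect": "Allow",
                      "Write": "Deny", "ChangePermissions": "Deny"}},
]


def permission_gaps(rules, must_deny=MUST_DENY):
    """Return (item, grantee, capability, mode) for each capability that the
    article says to deny but that is not explicitly set to Deny."""
    gaps = []
    for rule in rules:
        for cap in sorted(must_deny[rule["content"]]):
            # Unspecified is reported too: the article asks for an explicit
            # Deny, and another rule for the same user could still allow it.
            mode = rule["capabilities"].get(cap, "Unspecified")
            if mode != "Deny":
                gaps.append((rule["name"], rule["grantee"], cap, mode))
    return gaps


if __name__ == "__main__":
    for gap in permission_gaps(RULES):
        print("NOT DENIED:", gap)
```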
Thank you for reading.