How to Setup Row Level Security (RLS) in Tableau?

BI Connector Team |

Tableau Row Level Security RLS

When setting up reporting of any kind with your company’s often sensitive data, one of the critical questions to answer is – How can we effectively secure the data?

Row Level Security (RLS) is a hot topic in the Tableau world. While it is possible to set up in Tableau Desktop it currently requires a lot of setup and maintenance. The complexity of the RLS setup varies depending on the number of dimensions you want to secure. In this article, we’ll keep it simple to help you easily learn how it works!

[Tableau Hacks] How to Improve Interactiveness With Parameter Actions? >>

We’ll just create an entitlements table that lists out each of the users by username and assign them a role. Then, we’ll assign the roles to specific dimension members for restricting the data.

In an actual case, the usernames would correspond with the tableau usernames belonging to each of your licensed tableau users. For now, we’ll just use the Harry Potter names to illustrate how this works.

The table must be secure enough that only the security manager and/or their delegates have access to it. However, keep in mind that when it is updated it will need to interface with the posted tableau reports where the RLS needs to be utilized. You may use whatever file medium works for you to manage these tables (csv, google sheets, txt file, etc).

The first table, for instance, lists out all of the users by Username and assigns them a Role and Role_id. The Role column contains a description mainly for clarity purposes to make managing the user list easier. It would look something like this: 

Users and Roles table

[Tableau Hacks] How to Save Dashboard Space With Hidden Containers? >>

Roles mapped to access

The second table will contain a list of all the members of the secured dimension (in this case ‘Area’) and a row pertaining to each Role_id that is granted access to an Area. See below:

Notice how user: Dumbeldore has access to all the listed Areas. Since he is the headmaster this is expected. The other roles have much more limited access. For instance, Role_id #5 (Hufflepuff) has access to just two Areas.

Supercharge OBIEE (and OAC/OAS) With Tableau [eBook] >>

Now that we have the Areas assigned to our Roles and our roles assigned to our Users we are ready to filter our dataset. A simplified table that looks something like this:

Table Details
Users and Roles Access
Edit Relationship Tableau
Roles Edit Relationship

Loading the tables into Tableau, we set the table relationships up like this:

Now that our tables are set up we need to create a calculated field. This field will compare the Username field from the Users table with the username of the person using the report.

Username

[Tableau Tips] How to Deliver a Decision-aiding Story? >>

To test this out we can try it out on a table visual. I built something that looks like this:

Test Tableau visual

Notice that the “Metaclorions” values are duplicated for the different Areas under the different Roles. This is okay because the filter will be applied and remove all duplicates from the data load when we are done setting it up.

When I am logged in as ‘Cedrick’ apply the filter and set the name to TRUE it looks like this:

User impersonation Tableau

It works! 

We are now only seeing the Areas that apply to Cedrick’s Hufflepuff Role.

Finally, we will employ the filter on the Data Source tab. 

We do this by clicking on the ‘Add’ link in the top right corner under the word  “Filter”.

Apply Filter Tableau

We can then set up an expression to use the calculated field to limit the data pulled into the report. 

Tableau vs OBIEE – H2H Comparison [eBook] >>

The Filter Condition will look like this:

Filter condition

Once this is done click ‘OK’. Your dataset is now filtered by the name of the user that is logged into the report.