Tableau is a popular visualization tool that many BI and AI analytics users employ to transform data into intuitive interactive visual formats, enabling them to identify patterns, trends, and insights easily. Tableau users connect to a wide range of data sources and data stores to create dynamic dashboards that facilitate real-time analysis and collaborative data exploration.
Many users prefer to run Tableau’s data extract to maximize its flexibility and real-time analysis through queries across multiple stores. Data extract is a subset of the original dataset saved separately. Using data extract is more responsive because users can run queries on already cached data instead of going to the database to run a query.
One issue with using data extract is that it is difficult and time consuming to control access to sensitive information, particularly using row level security (RLS). In this blog post we describe how Satori provides RLS and dynamic security policies for Tableau’s data extract, enabling data to move faster across users and reducing the burden on data teams.
Tableau and Data Access Controls
Tableau is a very versatile and popular visualization tool that integrates with many different data stores. Users require access to this data quickly to provide real-time analytics and decision making. The main issue is that when users rely on Tableau’s data extract to gain that flexibility, data teams cannot easily implement individual row level security.
Data teams typically have two options for row level security. The first is to create a manual or dynamic user filter, which is easy at a smaller scale. But as data scales, it is very high maintenance and requires updates and republishes as the user base changes, along with replicating the work across workbooks. The second is to use RLS in the database, which means that data teams cannot use the data extract and would have to rely on live queries, which can greatly increase the time it takes the report to run. Both of these options come with compromises: they slow down the flow of data, limit the ability of the data team to conduct quick real-time analysis, and slow the data’s time-to-value.
To alleviate this burden and enhance security, Satori provides RLS (a generated imported file of security entitlements) with proper end user identification on cached data in Tableau.
How Satori Automates RLS in Tableau
Satori provides the best of both worlds. It allows Tableau users to work in data extract, using the cached data, while also implementing automated RLS for the end user. This significantly reduces the burden on data teams.
They no longer have to run individual queries on the database, which reduces their backlog and allows them to write individual security policies. Implementing RLS allows companies to apply more granular rules and policies around how users access data—even in BI tools like Tableau.
Satori uses a security entitlement file that contains predefined security policies and permissions. Including this file enables data teams to implement and enforce security policies across all data stores automatically.
An Example
In this example we show how to implement RLS on a Tableau workbook using Data Extract.
1. Connect to the data
You can import the security entitlements using various methods, such as CSV and parquet files on AWS S3 and Microsoft ADLS Gen2.
For this example, we import a file from Amazon S3 that already has Satori security entitlements, allowing us to enforce security policies.
2. Create a Workbook/Dashboard
The Data tab contains two connections: Amazon S3 and Azure SQL Direct Without Satori. The Amazon S3 bucket contains a CSV file with Satori’s security entitlements, and the Tableau dashboard developer pulls the data for the report from Azure.
3. Only Tableau Now
Once the CSV or parquet file is created, Satori is no longer involved in the data flow—all the security entitlements needed for this report are in the file.
4. Build an Entitlement Filter
The Tableau designer can now build an elegant calculated field in “Entitlements Example” and run a Tableau Extraction on all our data.
In sheet two, we see different users and their “User Filters,” which define their access policies. For example, Yoav Cohen (yoav@satoricyber.com) can only see the data for the State “MA.”
Since Yoav Cohen is logged in (yoav@satoricyber.com), the User Filter, RLS, will return a “True” value for that row of data. Yoav is only able to view the data when the State is MA.
5. Cross-Data-Source Filter
A final additional value from this integration is adding a cross-data-source filter to your entitlements. This is a supported feature in Tableau, i.e., you can “link” fields without formally joining them in SQL.
In this case, we added “Azure SQL Direct Without Satori,” so now we have both sources of data:
- Amazon S3
- Azure SQL Direct Without Satori
The User Filter defines the user’s access level. This is still “True” for Yoav Cohen since this user is only entitled to see the data of “MA” residents.
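The per-row check from steps 4 and 5, modelled outside Tableau as an added example (not Satori's or Tableau's own code): it loads an entitlement file and returns only the rows a logged-in user is entitled to, denying by default. The column names user_email and state and all sample data are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of an entitlement file; the column names are assumptions,
# not Satori's actual export schema.
ENTITLEMENTS_CSV = """user_email,state
yoav@satoricyber.com,MA
Analyst@Example.com,NY
analyst@example.com,CA
,TX
"""

# Constructed sample rows standing in for the cached Tableau extract.
EXTRACT_ROWS = [
    {"customer": "A", "state": "MA"},
    {"customer": "B", "state": "NY"},
    {"customer": "C", "state": "CA"},
    {"customer": "D", "state": "TX"},
]


def load_entitlements(text):
    """Map each normalized user to the set of states they may see.

    Rows with a blank user or state are rejected rather than treated as a
    wildcard, so a malformed file can never widen access.
    """
    allowed, rejected = {}, []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        user = (row.get("user_email") or "").strip().lower()
        state = (row.get("state") or "").strip().upper()
        if not user or not state:
            rejected.append(line_no)  # report the file line for review
            continue
        allowed.setdefault(user, set()).add(state)
    return allowed, rejected


def user_filter(allowed, logged_in_user, row):
    """Per-row User Filter: True only on an explicit entitlement match."""
    states = allowed.get(logged_in_user.strip().lower(), set())
    return row["state"].upper() in states


def visible_rows(allowed, logged_in_user, rows):
    """Rows of the extract that the logged-in user is entitled to see."""
    return [r for r in rows if user_filter(allowed, logged_in_user, r)]
```

Because the extract is filtered only by this file once it is published, checking the file for blank or malformed rows before import is what keeps an error from widening access.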
Conclusion
Tableau is a popular and versatile BI tool that enables users to provide visualization and analytics from data across multiple data stores. One limitation of Tableau is that it is time consuming to implement security policies for different end users across these data stores.
Satori’s RLS for Tableau provides data security while enabling users to gain quick access to data. Implementing RLS in Tableau significantly reduces the burden on data teams and allows data to move quickly, enhancing the time-to-value from data.
To learn more about RLS and Satori’s RLS on Tableau, book a demo with one of our experts.