Tableau Server and Database Logins

Views published to the Tableau Server are dynamic: they access the database to retrieve current data. Whenever a view is opened, if its data source is a database that requires a login (as opposed to something like an Excel or text file), the Tableau Server needs to know which database username and password to connect with to retrieve the data. Tableau Server has several options and settings that work together to specify which database username and password will be used for accessing the data. The table below summarizes the alternatives. The column headings refer to the technique used when creating and publishing the view from Tableau Professional.

It is important to keep the distinction clear between the Tableau Server login technique, which is used to gain access to the Tableau Server itself, and the database login that may be required for each view that is published to your Tableau Server.

As noted in the table below, all user-based filters defined in Tableau are independent of the database authentication type. User Filters are a Tableau Server feature that enables dynamic data filtering (cell level) based on the username or group of the current user. More details on User Filters can be found in the online help[1].

Summary of Authentication Options

| | Windows Integrated Security (NT Authentication) | Username & Password Prompt | Embedded Username & Password at Publish |
|---|---|---|---|
| Tableau Server logs into the database as: | “Run as” user of Tableau Server[2] | Each user is prompted for their database credentials, which they can choose to have saved. | The database credentials specified by the author when the view was originally published. The Tableau Server user is not prompted for any credentials. |
| Tableau Server provides per user data security via User Filters: | Yes | Yes | Yes |
| Tableau Server leverages the existing user based data security built into my database: | No. All users share the same database login. | Yes, the individual user identity is known to the database. | No. All users share the same database login. |
| Tableau Users can share caches: | Yes | A cache is created for each user/password combination | Yes |

Details on Authentication Options

All discussions below are with respect to the database security itself and do not impact the ability to use ‘User Filters’ in Tableau Server. The options can be set per datasource – each view in Tableau can only have one datasource, but different views on a dashboard can come from different datasources.

Windows Authentication

The Tableau Server uses the ‘Run As User’ credentials to connect to the database. All users of the Tableau Server will share this same connection information for the database. This does not use the credentials of the publisher or the credentials of the user logged in to Tableau Server. This option is only relevant when the database being used also supports Windows Integrated Security. The most common example is SQL Server or SQL Server Analysis Services. When the Tableau Server is configured to use the Network Authority user as the ‘run as user’, all requests to the database will result in a prompt to the end user because, by definition, this Network Authority account does not have rights to connect to a database.

User Name and Password (not embedded)

Each user of the Tableau Server will be prompted to log in to the database with their database-specific user name and password. If you already have database security set up, this is a good option to make sure that security is honored by the Tableau Server. There is an optional setting to allow Tableau Server to remember this password so users only have to enter it once.

Embedded Credentials (not for use with Windows Authentication)

The publisher embeds a set of credentials (username and password) when publishing, and the Tableau Server uses these published credentials to connect to the database. All users of the Tableau Server will share this same connection information for the database.

Common Questions

Q: Can I automatically pass the credentials of a Tableau Server user to the database?

A: No – with one exception. If the ‘Saved Passwords’ option is turned on in the Tableau Server Administration panel, then a user only needs to enter their credentials one time per datasource. These datasource credentials are then stored in the Tableau Server and re-used for that user's next connection to the same datasource. Note that these credentials are separate from those used to log in to the Tableau Server.

Q: I’m using Active Directory for my Tableau Server authentication and my database authentication. Will the user’s credentials automatically be passed to the database?

A: No. Regardless of the Tableau Server authentication method, any datasource using NT authentication (Active Directory) will use the Tableau Server ‘Run As’ user to connect to the database. The exception is if the Tableau Server ‘Run As’ user does not have authority to connect to the database (as in the Network Authority account). In this case the end user is prompted to provide their own database credentials.

Q: You mention using the ‘User Filters’ as a way to implement database security. What is meant by this?

A: One technique to implement data-level security is to define rules in the database itself that enforce data value restrictions based on the identity of the user making the request. Generally this is implemented by creating database views which include a WHERE clause element to set a restriction on values based on the username of the active database user. With Tableau Server using the Integrated Windows Security option, or with views where the publisher specified a database username/password to use, the database will see one of these usernames as the active user, rather than the individual end-user identity. Tableau views can be constructed to include a special calculated column using a variety of variables based on the user name or group membership of the user that is logged in to the Tableau Server. Adding this column to the filter shelf in Tableau Professional ensures that the user only sees data that matches the condition of the filter.
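The database-side technique described in this answer, written out for SQL Server as an added example (it is not part of the original article or of Tableau's documentation). All table, column and login names are hypothetical, and the sample rows are constructed.

```sql
-- Constructed sample schema; every object and login name here is hypothetical.
CREATE TABLE dbo.Sales (
    SaleId INT           NOT NULL PRIMARY KEY,
    Region NVARCHAR(20)  NOT NULL,
    Amount DECIMAL(12,2) NOT NULL
);

-- Maps a database login to the regions it is allowed to read.
CREATE TABLE dbo.RegionAccess (
    LoginName NVARCHAR(128) NOT NULL,
    Region    NVARCHAR(20)  NOT NULL,
    PRIMARY KEY (LoginName, Region)
);

INSERT INTO dbo.Sales VALUES (1, N'East', 100.00), (2, N'West', 250.00);
INSERT INTO dbo.RegionAccess VALUES
    (N'alice',            N'East'),  -- individual database logins
    (N'bob',              N'West'),
    (N'CORP\svc_tableau', N'East'),  -- stands in for the 'Run As' account
    (N'CORP\svc_tableau', N'West');
GO  -- batch separator: CREATE VIEW must start its own batch

-- The WHERE clause restricts rows by the login that opened the connection.
CREATE VIEW dbo.SalesForCurrentLogin AS
SELECT s.SaleId, s.Region, s.Amount
FROM dbo.Sales AS s
WHERE EXISTS (
    SELECT 1
    FROM dbo.RegionAccess AS a
    WHERE a.Region = s.Region
      AND a.LoginName = SUSER_SNAME()  -- login name of the active connection
);
GO

-- Check which identity the database sees and how many rows it can read.
SELECT SUSER_SNAME() AS ActiveLogin,
       (SELECT COUNT(*) FROM dbo.SalesForCurrentLogin) AS VisibleRows;

-- Username & password prompt: ActiveLogin is the individual's login
--   (alice sees 1 row, bob sees 1 row), so the view's rule applies per user.
-- Windows authentication or embedded credentials: ActiveLogin is the same
--   shared account for every Tableau Server user (here 2 rows for all),
--   so per-user restriction has to come from a Tableau User Filter.
```

Grant the shared account only the rows that every viewer of the published view is allowed to see, since the database cannot tell those viewers apart.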

[1] Online Help

[2] This is the ‘Server Account’ as defined in the Server Administrator Guide