Transcription
Welcome
Implementing Tableau Server Security

#TC18
Implementing Tableau Server Security
  Ciarán Flynn, Senior Product Consultant, Tableau EMEA
  Chris Wilkins, Staff Software Engineer, Tableau USCA
Who Are We and Why Are We Here?
  Coming from two different areas of the business
  Chris: Product Security Software Engineer who helps teams build security into their features. Past teams include licensing and Tableau Server.
  Ciarán: working day to day with customers, demonstrating how they can get the most out of the platform and all of Chris' hard work
  Presented this session last year in Las Vegas and came away with lots of feedback to improve
  We are passionate about Tableau and take security-based topics very seriously

How to get the most out of this
  Materials are available to you after the session.
  Please hold your questions until the end.
  Learn, learn, learn!
What we want you to take away today
How to Control Who Can See What Content
  Authentication: who is this user?
  Authorization: is this user allowed to do this?
  Data Security: protect your data in multiple ways.
Authentication
Authentication
  Local Authentication
  Active Directory
  LDAP Identity Store

Local Authentication
  Users only exist in the Tableau Server identity store
  Tableau Server is used exclusively to authenticate users coming from:
    Web browser
    Tableau Desktop
    tabcmd
    APIs

Local Authentication
  Populating your local authentication user list can be done in several ways:
    GUI: one by one or with a CSV file
    tabcmd CLI tool with a CSV file
    REST API
  The CSV can contain (in the order shown):
    Username (required)
    Password (required)
    Display Name
    Role
    Administrator Level
    Publisher (yes/no)
    Email address
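Because the import file carries plaintext passwords and grants roles, it is worth validating it before handing it to the GUI or tabcmd. The following is an added example (not Tableau's own code) that parses the seven-column format listed on the slide and reports what is wrong with each line. The accepted Role and Administrator Level tokens, the minimum password length, and the sample rows are constructed assumptions for this example; check them against your server version's documentation.

```python
"""Validator for the Tableau Server user-import CSV described on the slide.

Added example, not Tableau's own code. Column order follows the slide:
Username, Password, Display Name, Role, Administrator Level, Publisher, Email.
"""
import csv
import io

COLUMNS = ["username", "password", "display_name", "role",
           "admin_level", "publisher", "email"]

# Assumed token sets (constructed for this example, derived from the site-role slide).
VALID_ROLES = {"Creator", "Explorer", "ExplorerCanPublish", "Viewer", "Unlicensed",
               "SiteAdministratorCreator", "SiteAdministratorExplorer",
               "ServerAdministrator", ""}
VALID_ADMIN_LEVELS = {"System", "Site", "None", ""}
VALID_PUBLISHER = {"yes", "no", ""}
MIN_PASSWORD_LEN = 8  # local policy assumption, not a Tableau default


def parse_user_csv(text):
    """Return (rows, errors).

    rows:   list of dicts, one per line that passed every check
    errors: list of 'line N: problem; problem' strings for rejected lines
    """
    rows, errors = [], []
    reader = csv.reader(io.StringIO(text))
    for lineno, fields in enumerate(reader, start=1):
        if not fields or all(not f.strip() for f in fields):
            continue  # blank line
        if len(fields) > len(COLUMNS):
            errors.append(f"line {lineno}: too many columns ({len(fields)})")
            continue
        # Missing trailing columns are optional, so pad them with empty strings.
        fields = [f.strip() for f in fields] + [""] * (len(COLUMNS) - len(fields))
        row = dict(zip(COLUMNS, fields))
        problems = []
        if not row["username"]:
            problems.append("username is required")
        if not row["password"]:
            problems.append("password is required")
        elif len(row["password"]) < MIN_PASSWORD_LEN:
            problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
        if row["role"] not in VALID_ROLES:
            problems.append(f"unknown role {row['role']!r}")
        if row["admin_level"] not in VALID_ADMIN_LEVELS:
            problems.append(f"unknown administrator level {row['admin_level']!r}")
        if row["publisher"].lower() not in VALID_PUBLISHER:
            problems.append("publisher must be yes or no")
        if row["email"] and "@" not in row["email"]:
            problems.append("email looks malformed")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
        else:
            rows.append(row)
    return rows, errors


# Constructed sample file: two good lines and three that should be rejected.
SAMPLE = (
    "dvader,Sith-Lord-2018,Darth Vader,Viewer,None,no,dvader@example.com\n"
    "okenobi,Jedi-Master-2018,Obi-Wan Kenobi,Explorer,None,yes,okenobi@example.com\n"
    "lskywalker,short,Luke Skywalker,Creator,Site,yes,luke@example.com\n"
    ",NoUserName1,Nobody,Viewer,None,no,\n"
    "hsolo,Falcon-Pilot-2018,Han Solo,Smuggler,None,no,hsolo.example.com\n"
)

if __name__ == "__main__":
    good, bad = parse_user_csv(SAMPLE)
    print(f"{len(good)} valid rows, {len(bad)} rejected:")
    for line in bad:
        print("  " + line)
```

Only a file that produces no errors should be passed on to the import step, and the file itself should be treated as a secret while it exists, since every password in it is in the clear.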
Active Directory
  1. User logs in
  2. Credentials passed to AD
  3. Token returned
  4. Content is displayed according to roles/permissions

Active Directory Sync
  Sync users and groups
  Assign roles and permissions

LDAP Identity Store
  Tableau uses binds to authenticate and establish a session with LDAP servers:
    LDAP simple bind: not encrypted and therefore poses a security risk
    LDAP over SSL: using signed SSL certs you can enable LDAPS to create a secure bind, protecting credentials
    LDAP with GSSAPI (Kerberos) bind: use existing keytab files (if an AD domain link is already there), or generate Tableau Server service-specific keytab files (recommended)

Other Authentication Options
  Authentication Method   | Local Authentication | Active Directory
  SAML                    | Yes                  | Yes
  Kerberos                | No                   | Yes
  Mutual SSL              | Yes                  | Yes
  OpenID                  | Yes                  | No
  Trusted Authentication  | Yes                  | Yes
Single Sign-On
Single Sign-On Options
  SAML (Tableau Online)
  Trusted Authentication (web portal integration)
  Kerberos
  OpenID (Tableau Online with Google)
  Integrated Windows Authentication

SAML
  Use an external IdP to authenticate users with Tableau Server
  (Diagram: User, Tableau Server (Service Provider), Identity Provider (IdP); numbered steps 1 to 3)

Trusted Authentication
  (Diagram: Client Web Browser, Web Portal, Tableau Server; numbered steps 1 to 3)
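The trusted-authentication diagram only shows the three actors and the step numbers, so here is a simplified model of the exchange, added as an example and not Tableau's implementation. It models the properties that make the scheme safe: only an allow-listed web portal host may request a ticket, a ticket names one user, it can be redeemed exactly once, it expires after a short lifetime (the 180-second value is constructed for this model), and it can optionally be bound to the client's IP address. The `-1` refusal value mirrors what a refused ticket request returns; everything else (class names, the fake clock) is this example's own.

```python
"""Model of the trusted-ticket exchange: web portal -> Tableau Server -> browser.

Added example, not Tableau's code. Assumptions: trusted-host allow list,
single-use tickets, a constructed 180 s lifetime, optional client-IP binding.
"""
import secrets
import time

FAIL = "-1"  # value returned when a ticket request is refused


class TrustedTicketServer:
    """Stand-in for the Tableau Server side of the exchange (model only)."""

    def __init__(self, trusted_hosts, ttl_seconds=180, clock=time.time):
        self.trusted_hosts = set(trusted_hosts)  # portal hosts allowed to ask for tickets
        self.ttl = ttl_seconds                    # constructed lifetime for this model
        self.clock = clock                        # injectable so expiry can be exercised offline
        self._tickets = {}                        # ticket -> (username, client_ip, issued_at)

    def issue_ticket(self, requesting_host, username, client_ip=None):
        """Step 1: the portal, server to server, asks for a ticket for a user it authenticated."""
        if requesting_host not in self.trusted_hosts or not username:
            return FAIL
        ticket = secrets.token_urlsafe(24)        # unguessable, single-use value
        self._tickets[ticket] = (username, client_ip, self.clock())
        return ticket

    def redeem(self, ticket, client_ip=None):
        """Step 3: the browser presents the ticket; return the username or None."""
        entry = self._tickets.pop(ticket, None)   # pop: a ticket can only be redeemed once
        if entry is None:
            return None                           # unknown, already used, or forged
        username, bound_ip, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None                           # expired
        if bound_ip is not None and bound_ip != client_ip:
            return None                           # redeemed from a different client
        return username


def portal_login(server, portal_host, username, client_ip):
    """Steps 1 to 3 end to end; returns the signed-in username or None."""
    ticket = server.issue_ticket(portal_host, username, client_ip)  # step 1
    if ticket == FAIL:
        return None
    # Step 2: the portal embeds the ticket in the URL the browser loads (not modelled further).
    return server.redeem(ticket, client_ip)                          # step 3


class FakeClock:
    """Constructed clock so the example can show expiry without waiting."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    srv = TrustedTicketServer({"portal.example.internal"}, clock=clock)
    print("trusted portal :", portal_login(srv, "portal.example.internal", "dvader", "10.0.0.5"))
    print("unlisted host  :", portal_login(srv, "other.example.internal", "dvader", "10.0.0.5"))
    t = srv.issue_ticket("portal.example.internal", "okenobi", "10.0.0.6")
    print("first redeem   :", srv.redeem(t, "10.0.0.6"))
    print("second redeem  :", srv.redeem(t, "10.0.0.6"))
```

The point to take from the model is that the security of trusted authentication rests entirely on the portal's own login and on keeping the trusted-host list tight: any host on that list can mint a ticket for any username, so the list should name only the portal servers and nothing more.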
Authorization
Understanding Site Roles
  Site Role   | Role Type
  Creator     | Server Administrator; Site Administrator Creator; Creator
  Explorer    | Site Administrator (Explorer); Explorer (can publish); Explorer
  Viewer      | Viewer
  Unlicensed  | Unlicensed

Structure Within Tableau
  (Diagram; only the label "Data Sources" survives.)

Example
  Tableau Server. Owner: Server Admin. Creates sites, defines site admins.
  Sites. Owner: Site Admins. Manages users, groups, projects, and permissions.
  Projects. Owner: Publisher. Manages permissions for their content.
  (Diagram residue: Users, Views)
Permissions
Permissions - Best Practices
  (Diagram; surviving labels: Users, Views, Data Sources)

Access Permissions (decision tree)
  1. Has the user been specifically denied the capability/access? Yes: Denied. No: continue.
  2. Has the user been specifically allowed the capability/access? Yes: Allowed. No: continue.
  3. Has the group been specifically denied the capability? Yes: Denied. No: continue.
  4. Has the group been specifically allowed the capability? Yes: Allowed. No: Denied.

Permissions Best Practices
  1. Set permissions on the Default project to "None" for the "All Users" group
  2. Add users to groups
  3. Create projects
  4. Assign permissions to projects based on groups
Scenarios
Scenario 1
  Darth Vader has a site role of "Viewer".
  A group he's a member of implies that he can edit published content.
  Do you think he will have the permission to edit?

The answer is no, he will not have access

Scenario 2
  Darth Vader is now leaving the business.
  I want to restrict him from downloading workbooks or underlying data before he leaves.
  Can I achieve this by adding specific user permissions while still having him as a member of the group driving the permissions?

Scenario 3
  Obi-Wan Kenobi has just started with our organization.
  He has been assigned a site role of "Explorer" but has not yet been added to any groups.
  All the projects have a default permission setting of "None" for the default "All Users" group.
  How and what can he do with these projects while he waits to be added to the correct group?
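The decision tree and the three scenarios are easiest to reason about when the rules are written down as code. Below is an added example, not Tableau's evaluation logic, that walks the four questions from the "Access Permissions" slide and adds, as step 0, the site-role ceiling that Scenario 1 illustrates (a permission rule cannot grant more than the user's site role allows). The capability names, the per-role ceilings in `ROLE_CEILING`, and the scenario data are constructed for this model; in particular, Scenario 2 is run with the Explorer role so that the site-role ceiling is not what blocks the download and the user-level deny can be seen doing the work.

```python
"""Model of the Access Permissions decision tree plus the site-role ceiling.

Added example, not Tableau's code. Capability names, ROLE_CEILING and the
scenario data are constructed for illustration.
"""
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"   # a capability with no rule ("None") is simply absent

# Assumption for this model: the most each site role can ever exercise.
ROLE_CEILING = {
    "Viewer": {"view"},
    "Explorer": {"view", "download_data"},
    "Explorer (can publish)": {"view", "download_data", "web_edit", "publish"},
    "Creator": {"view", "download_data", "web_edit", "publish"},
}


@dataclass
class User:
    name: str
    site_role: str
    groups: list


def evaluate(user, capability, user_rules, group_rules):
    """Walk the slide's decision tree and return (decision, reason).

    user_rules:  {username:  {capability: "Allow" | "Deny"}}
    group_rules: {groupname: {capability: "Allow" | "Deny"}}
    """
    # Step 0 (Scenario 1): the site role caps what any rule can grant.
    if capability not in ROLE_CEILING.get(user.site_role, set()):
        return "Denied", "site role does not include this capability"
    # Steps 1 and 2: an explicit user rule wins over every group rule.
    user_setting = user_rules.get(user.name, {}).get(capability)
    if user_setting == DENY:
        return "Denied", "user explicitly denied"
    if user_setting == ALLOW:
        return "Allowed", "user explicitly allowed"
    # Steps 3 and 4: across all of the user's groups, a Deny beats an Allow.
    group_settings = {group_rules.get(g, {}).get(capability) for g in user.groups}
    if DENY in group_settings:
        return "Denied", "a group is explicitly denied"
    if ALLOW in group_settings:
        return "Allowed", "a group is explicitly allowed"
    return "Denied", "no rule applies (permission is None)"


def run_scenarios():
    """The three slide scenarios as constructed data; returns {name: (decision, reason)}."""
    results = {}
    # Scenario 1: Viewer whose group allows web editing.
    vader = User("dvader", "Viewer", ["editors"])
    results["scenario1"] = evaluate(vader, "web_edit", {}, {"editors": {"web_edit": ALLOW}})
    # Scenario 2: group allows download, a user-level rule denies it (Explorer role assumed).
    vader2 = User("dvader", "Explorer", ["analysts"])
    results["scenario2"] = evaluate(vader2, "download_data",
                                    {"dvader": {"download_data": DENY}},
                                    {"analysts": {"download_data": ALLOW}})
    # Scenario 3: Explorer in only the default "All Users" group, project set to None.
    kenobi = User("okenobi", "Explorer", ["All Users"])
    results["scenario3"] = evaluate(kenobi, "view", {}, {"All Users": {}})
    return results


if __name__ == "__main__":
    for name, (decision, reason) in run_scenarios().items():
        print(f"{name}: {decision} ({reason})")
```

The ordering matters: because user-level rules are consulted before group rules, a single user deny is enough to override any group allow without touching group membership, and because a Deny on any one group beats an Allow on another, conflicting group rules resolve to Denied.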
Data Security
Multiple Approaches to Data Security
  Implement security on the database
  Implement security solely in Tableau
  Privileges on the database role

Database Security - Login Account
  Windows Authentication
  Username and password
  SSL option

Database Security - Authentication Mode
  Prompt user
  Embedded password
  Server Run As account (Windows integrated security only)
  Viewer credentials / Publisher credentials (Tableau Server only)
  Kerberos-enabled: Teradata, PostgreSQL, MS SQL Server, MSAS
  SAP HANA and BW SSO
  Impala SSO
  Impersonation (via embedded account or Run As account): MS SQL Server only
DEMO
Session Re-cap
  Authentication: auth options, LDAP, SSO
  Authorization: structure, permissions, scenarios, decision tree
  Data Security: native Tableau user filters, table security model, database policy models

SESSION REPEATS
  Tableau Server security in depth: Thursday 2:15 – 3:15, MCCNO – L3 – 351
  Big Easy data security: Tuesday 4:00 – 5:00, MCCNO – L2 – 297; Wednesday 10:15 – 11:15, MCCNO – L2 – 204
  Data level security with Tableau Desktop: Tuesday 12:30 – 1:30, MCCNO – L3 – 338; Wednesday 1:45 – 2:45, MCCNO – L2 – 211

Please complete the session survey from the Session Details screen in your TC18 app

#TC18
Thank you!