Set up Tableau Row Level Security with virtual connections

With the release of Tableau 2021.4, we have presented the greatest improvements of the new update in our blog. One of the newly introduced features particularly caught our interest: Virtual Connections.  With Virtual Connections, Tableau is adding a new content type to its Data Management Add-On that allows users to centrally manage their data connections and user access to the data.

The main advantages and disadvantages at a glance

Advantages:

• Single point of access for your source systems
• Centralized row-level security
• Easier management of connection information
• No database users for live data connections needed

Disadvantages:

• Only available in the Data Management Add-On
• Security concepts in the backend cannot be used
• Restricted connectivity

In this blog article, we'll show you how to set up virtual connections and control data access using data policies.

By default, users who can access published workbooks can view all data. Using Tableau Row Level Security, you can restrict the rows of data for individual users or groups of users, ensuring that your employees can only access data that is relevant to them. This enables different users to see different data in the same dashboard without having to create a separate dashboard for each user group. 

Previously, the implementation of row-level security in Tableau was done through user filters or dynamic filters. User-based filters are a feature that allows the creator to assign individual dimension elements to specific users at the workbook level. Once a user opens the workbook, the data is restricted according to the assignment in the user filter. However, user-based filtering concepts are static and involve a lot of administrative effort because they cannot be reused across multiple workbooks. Shifting responsibilities between employees would therefore require manually adjusting the user filters in all workbooks.

For this reason, it has been best practice - and it still is for users without the Data Management Add-On - to restrict data access by filtering dynamically at data source level. This is done by creating a calculated field that matches the user logged on to Tableau with a field in the source data and using this new field as a data source filter. Filtering the data at the level of the Tableau data source is particularly useful because the filter is automatically applied to all downstream objects and any possible changes only have to be made once. However, this approach requires the existence of a corresponding field for matching the user in the database. If multiple Tableau data sources access the same tables, data access to the same tables must still be restricted multiple times.

With Virtual Connections, Tableau now goes one step further and enables users to set up a central access point for their source systems and to control data access at the connection level. Users no longer need to create a new connection to the source system each time they create data sources or workflows, but can create them based on a pre-defined connection. Once set up, the defined security policies are automatically applied to all downstream elements. Access to the virtual connection itself can be controlled via permissions, as can access to data sources and workbooks.

Self-Service Analytics with Tableau - Download the whitepaper now!

When a virtual connection is created, the stored connection information is embedded in it. So whenever a user wants to use the connection later on, neither connection nor logon information is required. Your report recipients therefore do not even need their own database user. Storing this information centrally significantly reduces administrative overhead. Whereas previously, changed connection information had to be adjusted manually or with the help of a script in all data sources that use this connection, now a one-time update of the virtual connection is sufficient. However, embedding the login information also means that the access control implemented in the backend can no longer be used, as all queries to the database are performed by the same database user. Therefore, +it is necessary to ensure that the stored user has proper authorizations.

After establishing the connection to the source system, you can include the desired tables in the virtual connection and define the connection type used. By selecting a table, you can also display metadata or a preview of the data.

Data access in virtual connections is controlled via data policies. A data policy includes specific tables, a mapping and a filter condition. When creating a data policy, a distinction is made between policy tables and entitlement tables. 

Policy tables contain the data for which you want to restrict access and are subject to the actual data policy. You start defining a data policy by adding them using drag and drop. We recommend that you add all those tables that are to be restricted via the same field to the same data policy. Each table of a virtual connection can only be assigned to one data policy.

You then add a new column to the data policy, which will be used to map the fields. Using the mapping column, you can unify the fields that are to be used to restrict the data under a common name that is later used to reference the fields in the filter condition. When defining the filter condition, the usual formula editor is available to the user. At the moment, however, the range of functions of the editor is limited. Finally, the data policy can be applied to a sample of the data to check whether the stored filter condition leads to the desired result. To do this, you can view the data that is displayed to a specific user.

The table to be restricted does not always have a field that can be used to filter the data. In our example, we will look at a table that contains transaction data on orders from an online shop. The data does not contain any information about responsible employees, so we do not get any information that can be matched with the user data available to Tableau. However, the virtual connection contains another table that assigns responsible managers to the different regions. Instead of adding a mapping column as in the previous example, this time we use this reference table. To do this, we add it to the data policy as an entitlement table and map the region fields contained in the two tables.  Finally, when defining the filter condition, we can use the information from the reference table to filter the transaction data table as desired. To apply your changes, you need to republish the virtual connection. Saving only saves a draft, without the changes affecting connections that have already been published.

Virtual connections are a real game changer for data management in Tableau. Unfortunately, however, the new feature is only available to those users who have licensed the Data Management Add-On. If virtual connections are to remain hidden behind a paywall, Tableau needs to  provide additional features. For example, we would like to see a data policy that allows users to implement security at the column level, so that it is possible to control which users are allowed to display which measures and dimensions. Also, more complex logic could be implemented if multiple data policies could be applied to a single table. At this point, the list of available source systems is still relatively short. During our test, however, we noticed that the developer is listed behind all connectors. This could be a sign that Tableau will allow third-party connectors for virtual connections in the future. We are very curious to see what improvements Tableau will come up with in the future and will keep you up to date!

Do you have questions about this or other topics? Then feel free to contact us! As Tableau partner, we are happy to advise you on all aspects of deployment, administration and best practices for effective Tableau Dashboards.