Row Level Security using Microsoft Analysis Services Cubes in an External- Facing Environment

Later versions of Microsoft Analysis Services (MSAS) allow you to configure user and role based data security within the cube itself. However, this functionality only works when that particular user is logged in directly to the cube. In Tableau, this can be accomplished via Kerberos.

What about when you are using MSAS cubes in an external facing solution, with users who are not in the local domain? Cube connections in Tableau don’t have the equivalent of a Data Source Filter the way relational database connections do, and there is no way to pass the USERNAME() function into a Calculated Member the way you can in a relational calculated field.

In this case, the manual “User Filter” functionality can achieve a reasonable solution.



Securely Passing Parameters into a Tableau Viz at Load Time

When embedding a Tableau viz into an application, we are very often asked about passing parameters in to the viz to filter down information. This post is about a few methods of implementing this behavior, and the security implications of each of them.

I’ll start by saying, to do any of this securely, you need EVERY resource you are working with to be using the HTTPS protocol (latest TLS version). If anything is not HTTPS, you could be passing important information in the clear.

There are three methods of setting a Tableau Parameter on a Tableau Server viz:

  1. Putting the Parameter value directly in the URL using a name value pair
  2. Setting the Parameter value using the JS API options object in the constructor method. This actually does the equivalent of #1 and puts the values in the URL
  3. Use changeParameterValueAsync() method of the JS API.

Each has its own benefits and downsides.


Tableau and Write-Back – Together At Last

Editor’s Note: Huge thanks to special contributor Gordon Rose for this blog post.

Tableau helps people see and understand their data – and guarantees that it in the process, it will never make any changes to that data. Tableau is a strictly read-only technology. However, many customers want the ability to modify the data that lies behind a Tableau visualization (Viz), and then, either see those changes immediately reflected in the Viz and/or make other applications aware of those changes. With a small amount of supporting technology, Tableau’s read-only behavior can easily be integrated into so-called “write-back” use cases.

In this blog article, we’ll explore a way to do exactly that – one in which the write-back components are external to the Viz. An alternative approach is one in which those components are more tightly integrated into the Viz itself – that’s for a later blog article to explore. Ideally you will find that you can use one of these two approaches as a launching point for the development of your own write-back use case.


Killing a Tableau Server Session

Within an embedded application, it can be difficult to make sure that sign-out is achieved in both the application and Tableau Server. Tableau Server supports SAML signout commands, but for all sorts of reasons, this might not always work.

Luckily, it is possible to use the REST API to kill any session programmatically, but you need the session identifier from the Tableau Repository. The question is, how do you know what session belongs to a user? There is a sessions view, but you need a little bit more to get filtering down to the username level:

system_users.name AS user_name,
FROM sessions
JOIN users ON sessions.user_id = users.id
JOIN system_users ON users.system_user_id = system_users.id
WHERE system_users.name = '{username}'

Once you have the session ID, you can send a REST API sign out command.

tableau_tools has both of these commands wrapped in a simple interface.

server = ''
username = ''
password = ''
readonly_user_password = ""
d = TableauRestApiConnection25(server, username, password)
tab_rep = TableauRepository(server, readonly_user_password)
uname = 'some_username'
sessions_cur = tab_rep.query_sessions(username=uname)
for row in sessions_cur:
    d.token = row[0]

The token property of the TableauRestApiConnection uses the REST API session token on when you do the signin() method, but you can replace the token with any session ID from the repository and then the signout() method will be sending the correct method to sign-out.

Using the JavaScript API without Embedding

Tamás Földi always has amazing stuff, but this one really blows my mind- Tableau JavaScript API without Embedding .

Using the Web Data Connector to publish arbitrary extra content to Tableau Server is pretty amazing when you think about it; it also works for embedding web edit in an iframe.

Update for more recent Tableau Server versions (2017-11-15):

We recently encountered a customer wanting to implement this functionality and they were having trouble accessing the getWorkbook() method of the Viz object. Apparently Tableau Server now makes the Viz object available prior to it being fully initialized, and any web content starts to load immediately. So if you want to use this technique, you should put in an interval check to keep trying until the workbook is actually available. It looks something like this:

var myInterval;
function start_timer(){
myInterval = setInterval(js_api_test, 200); //https://www.w3schools.com/jsref/met_win_setinterval.asp
function js_api_test() {
try {
var sheet = parent.parent.tableau.VizManager.getVizs()[0].getWorkbook().getActiveSheet(); //Error: "Unable to get property getWorkbook()"
clearInterval(myInterval); //https://www.w3schools.com/jsref/met_win_clearinterval.asp
console.log("Successfully retrieved Tableau sheet object");

// start doing anything else you'd like to do here

catch (err) {
console.log("No dice!");

You would place a call to the start_timer() function in the onload function of the body tag of your HTML page. Rather than jump directly into the code, you start a repeating interval timer that puts in a bit of delay, and will retry until it actually gets the workbook object. Once that object is found, the interval is cleared and you can start doing whatever you want relative to the viz the page is embedded within.


Using Trusted Tickets for SSO Login to the Tableau Server UI (VizPortal)

There are many situations where a customer wants to have an SSO integration with Tableau Server, but wants the end user to have full access to the Tableau Server UI (called VizPortal), as opposed to embedding Tableau views directly into the product (which only invokes VizSQLServer). This is not an issue when using SAML authentication, but Trusted Authentication requires that the trusted ticket be redeemed against a valid workbook.

By using the fact that the redemption of a Trusted Ticket creates a Tableau Server Session in the browser, the following technique will allow a smooth SSO process directly into the Tableau Server UI.


CSS magic tricks with Embedded Tableau Server views

Tableau 9.2 is right around the corner and one of the biggest changes on the Server side will be an updated toolbar. There is now an Undo and Redo button, and everything has been rearranged in a logical manner. The buttons that appear or disappear based on permissions are now on the right. And all of the export and download buttons are now combined together into a Download drop down menu.

9_2 toolbar

Also, it’s gray. The toolbar has been white for a long time but it’s 100% gray in Tableau 9.2

What isn’t changing? The Download/Save As permission is still one single permission, so if you are exposing Tableau to the outside world and want to allow Web Edit but not Downloading, you’ll still need to hide the toolbar and recreate all of the functionality you want to enable. But with a little ingenuity, we can pinpoint exactly what we’d like to hide and really control what we keep and what we hide.