Welcome [tc18.tableau.com] · 2020-01-06 · Data Security –protect your data in multiple ways....
Welcome
Implementing Tableau Server Security
#TC18
Ciarán Flynn
Senior Product Consultant
Tableau EMEA
Chris Wilkins
Staff Software Engineer
Tableau USCA
Who Are We and Why Are We Here?
Coming from two different areas of the business
Chris, a Product Security Software Engineer who helps teams build security into their features. Past teams include licensing and Tableau Server.
Ciarán, working day to day with customers, demonstrating how they can get the most out of the platform and all of Chris’ hard work
Presented this session last year in Las Vegas and came away with lots of feedback to improve
We are passionate about Tableau and take security-based topics very seriously
How to get the most out of this
Materials are available to you after the session.
Please hold your questions until the end.
Learn, learn, learn!
What we want you to take away today
How to Control Who Can See What Content
Authentication – who is this user?
Authorization – is this user allowed to do this?
Data Security – protect your data in multiple ways.
Authentication
Local Authentication
Active Directory
LDAP Identity Store
Local Authentication
Users only exist in Tableau Server Identity store
Tableau Server is used exclusively to authenticate users coming from:
Web Browser
Tableau Desktop
TabCMD
APIs
Populating your local authentication user list can be done in several ways:
GUI – One by one or with csv file
TabCMD CLI tool with csv file
REST API
CSV can contain (in order shown):
Username (required)
Password (required)
Display Name
Role
Administrator Level
Publisher (yes/no)
Email address
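A pre-import check for the CSV layout listed above, as an added example that is not part of the original slides: it reads rows in the stated column order, enforces the two required fields and flags rows that would grant administrator rights so they can be reviewed before a bulk import. The sample rows, the issue labels and the treatment of an empty or "None" administrator level as "no admin rights" are assumptions.

```python
import csv
import io

# Column order as listed on the slide; only the first two are required.
COLUMNS = ["username", "password", "display_name", "role",
           "admin_level", "publisher", "email"]

# Constructed sample import file (no header row); all values are made up.
SAMPLE = "\n".join([
    "alice,Example-Pass-1,Alice A,Explorer,None,yes,alice@example.com",
    "bob,,Bob B,Viewer,None,no,bob@example.com",
    "carol,Example-Pass-2,Carol C,Creator,Site,yes,carol@example.com",
    "alice,Example-Pass-3,Alice Again,Viewer,None,maybe",
])


def audit_import(csv_text):
    """Return (row_number, issue) findings for a user-import CSV."""
    findings, seen = [], set()
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) > len(COLUMNS):
            findings.append((row_no, "too-many-columns"))
            continue
        # Pad short rows so optional trailing columns read as empty.
        cells = [c.strip() for c in row] + [""] * (len(COLUMNS) - len(row))
        rec = dict(zip(COLUMNS, cells))
        if not rec["username"]:
            findings.append((row_no, "missing-username"))
        if not rec["password"]:
            findings.append((row_no, "missing-password"))
        key = rec["username"].lower()
        if key and key in seen:
            findings.append((row_no, "duplicate-username"))
        seen.add(key)
        if rec["publisher"] and rec["publisher"].lower() not in ("yes", "no"):
            findings.append((row_no, "bad-publisher-value"))
        # Assumption: an empty cell or "None" means no administrator rights.
        if rec["admin_level"].lower() not in ("", "none"):
            findings.append((row_no, "grants-admin"))
    return findings


if __name__ == "__main__":
    for finding in audit_import(SAMPLE):
        print(finding)
```

The file holds plaintext passwords, so it should be treated as a secret and deleted once the import has run.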
Active Directory
1. User logs in
2. Credentials passed to AD
3. Token returned
4. Content is displayed according to roles/permissions
Active Directory Sync
Sync Users and Groups
Assign Roles and Permissions
LDAP Identity Store
Tableau uses Binds to authenticate & establish a session with LDAP Servers
• LDAP - Simple Bind
  • Not encrypted and therefore poses a security risk
• LDAP over SSL
  • Using signed SSL certs you can enable LDAPS to create a secure bind protecting credentials
• LDAP with GSSAPI (Kerberos) bind
  • Use existing keytab files (if AD Domain link is already there)
  • Tableau Server Service specific keytab files to be generated (recommended)
Other Authentication Options
| Authentication Method | Local Authentication | Active Directory |
| --- | --- | --- |
| SAML | Yes | Yes |
| Kerberos | No | Yes |
| Mutual SSL | Yes | Yes |
| OpenID | Yes | No |
| Trusted Authentication | Yes | Yes |
Single Sign-On
Single Sign-On Options
SAML
Trusted Authentication (web portal integration)
Kerberos
OpenID
Integrated Windows Authentication
(Tableau Online w/Google)
(Tableau Online)
SAML
Use external IdP to authenticate users with Tableau Server
[Diagram: User, Identity Provider (IdP) and Tableau Server (Service Provider), with steps 1 to 3]
Trusted Authentication
[Diagram: Client Web Browser, Web Portal and Tableau Server, with steps 1 to 3]
Authorization
Understanding Site Roles
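| Site Role | Role Type |
| --- | --- |
| Server Administrator | Creator |
| Site Administrator Creator | Creator |
| Creator | Creator |
| Site Administrator (Explorer) | Explorer |
| Explorer (can publish) | Explorer |
| Explorer | Explorer |
| Viewer | Viewer |
| Unlicensed | Unlicensed |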
Structure Within Tableau Server
Sites
Projects
Workbooks
Views
Groups
Users
Data Sources
Example
Owner: Server Admin
• Creates Sites
• Defines Site Admins
Owner: Site Admins
• Manages users, groups, projects, and permissions
Owner: Publisher
• Manages permissions for their content (sometimes)
[Diagram: Tableau Server with two sites, HR and Sales Team, each containing Projects, Workbooks, Data Sources, Views, Groups and Users]
Permissions
Permissions - Best Practice
Data Sources
Sites
Projects
Workbooks
Views
Groups
Users
Permissions
Access Permissions
[Flowchart: each question below leads, via Yes or No, to another question or to an outcome of Allowed or Denied]
• Has the user been specifically denied access?
• Has the group been specifically allowed the capability?
• Has the group been specifically denied the capability?
• Has the user been specifically allowed the capability/access?
Permissions Best Practices
1. Set permissions on Default project to “None” for “All Users” group
2. Add users to groups
3. Create projects
4. Assign permissions to Projects based on Groups
Scenarios
Scenario 1
Darth Vader has a Site Role of “Viewer”
A group he’s a member of implies that he can edit published content.
Do you think he will have the permission to Edit?
The answer is no, he will not have access
Scenario 2
Darth Vader is now leaving the business
I want to restrict him from downloading workbooks or underlying data before he leaves.
Can I achieve this by adding specific user permissions while still having him as a member of the group driving the permissions?
Scenario 3
Obi-Wan Kenobi has just started with our organization
Has been assigned a site role of “Explorer” but not yet added to any groups
All the projects have a default permission setting of “None” for the default “All Users” group.
How and what can he do with these projects while he waits to be added to the correct group?
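The Access Permissions decision tree and the three scenarios, as an added example that is not part of the original slides. The evaluation order (user rules before group rules, deny before allow, denied when nothing is specified) and the site-role limit are modelled from the four flowchart questions and Scenario 1; user names, group names, capability strings and the Explorer role used for the second scenario are constructed assumptions.

```python
from dataclasses import dataclass, field

# Capabilities a site role can never use, whatever the content rules say.
# Simplified assumption: only the Viewer/edit limit from Scenario 1 is modelled.
ROLE_BLOCKS = {"Viewer": {"edit"}}


@dataclass
class ContentRules:
    """Explicit rules on one project: principal -> {capability: "allow" | "deny"}."""
    users: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)


def evaluate(rules, user, site_role, groups, capability):
    """Return (decision, reason) for one user and one capability."""
    if capability in ROLE_BLOCKS.get(site_role, set()):
        return ("Denied", "site role")
    user_rule = rules.users.get(user, {}).get(capability)
    if user_rule == "deny":
        return ("Denied", "user rule")
    if user_rule == "allow":
        return ("Allowed", "user rule")
    group_rules = {rules.groups.get(g, {}).get(capability) for g in groups}
    if "deny" in group_rules:
        return ("Denied", "group rule")
    if "allow" in group_rules:
        return ("Allowed", "group rule")
    return ("Denied", "no rule")  # "None" for All Users ends up here


def run_scenarios():
    """Evaluate constructed versions of the three scenarios."""
    editors = ContentRules(groups={"Editors": {"edit": "allow"}})
    leaver = ContentRules(
        users={"dvader": {"download": "deny"}},
        groups={"Analysts": {"view": "allow", "download": "allow"}},
    )
    locked = ContentRules(groups={"All Users": {}})  # "None": nothing specified
    return {
        # Scenario 1: Viewer site role, group rule allows editing.
        "scenario_1_edit": evaluate(
            editors, "dvader", "Viewer", ["All Users", "Editors"], "edit"),
        # Scenario 2: user-level deny added, group membership unchanged.
        "scenario_2_download": evaluate(
            leaver, "dvader", "Explorer", ["All Users", "Analysts"], "download"),
        "scenario_2_view": evaluate(
            leaver, "dvader", "Explorer", ["All Users", "Analysts"], "view"),
        # Scenario 3: Explorer in no group except the default All Users.
        "scenario_3_view": evaluate(
            locked, "okenobi", "Explorer", ["All Users"], "view"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```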
Data Security
Multiple Approaches to Data Security
Implement security on the database
Implement security solely in Tableau
Privileges on the Database role
Database Security—Login Account
Windows Authentication
Username and password
SSL Option
Database Security–Authentication Mode
Prompt user
Embedded password
Server run as account
• Windows integrated security only
Viewer credentials/Publisher Credentials (Tableau Server only)
Kerberos-enabled Teradata, PostgreSQL, MS SQL Server, MSAS
SAP HANA and BW SSO
Impala SSO
Impersonation (via embedded account or Run As account)
• MS SQL Server only
DEMO
Session Re-cap
Authentication
Auth Options, LDAP, SSO
Authorization
Structure, Permissions, Scenarios, Decision Tree
Data Security
Native Tableau User Filters, Table Security Model, Database policies models
Tableau Server security in depth
SESSION REPEATS
Thursday | 2:15 – 3:15 | MCCNO – L3 - 351
Big Easy data security
Tuesday | 4:00 – 5:00 | MCCNO – L2 – 297
Wednesday | 10:15 – 11:15 | MCCNO – L2 – 204
Data level security with Tableau Desktop
Tuesday | 12:30 – 1:30 | MCCNO – L3 – 338
Wednesday | 1:45 – 2:45 | MCCNO – L2 – 211
Please complete the session survey from the Session Details screen in your TC18 app
Thank you!
#TC18