Have you ever tried to give a group of users access to one level of information on a map, but restrict them from another?!
I was recently given the challenge by a client to differentiate what level of information could be seen by different groups on a visualisation using map layers.
To give some context, the client was using Tableau Desktop and Server version 2021.2.7 (so, this method may not apply after future releases).
The use case they laid out is essentially an example of column-level security (to my knowledge, not available in Tableau at this point). This functionality would allow access to columns/fields to be differentiated based on the user or group membership.
Row-level security (RLS), which is available in Tableau, involves dynamically filtering which values of a field can be seen based on a user’s name or membership.
In our case, we are aiming to limit the visibility of particular columns in our data instead, i.e. more detailed data is obscured unless you have permissions.
Everyone can see higher level information like a country, but not everyone can see the cities (any information that refers to the cities).
The workaround is to use RLS to achieve this.
When managing permissions in Tableau, it is always best practice to apply these at the highest level possible (assuming it is relevant to your use case).
This usually means creating groups that are specific to the content and creating groups tiered by access levels. This makes it easy to make the applicable users members of multiple groups and it is easier to manage changes.
Once the groups are created, these can be referenced in calculations within the workbook.
I created 2 groups: City level Access and Country level Access.
ISMEMBEROF('text') is the function used to specify this membership.
When we bring this into Tableau, we want to obscure the more detailed information (city level). Therefore, I created 3 similar calculations.
Each uses:
IF ISMEMBEROF('City level Access') THEN [field] END
e.g. IF ISMEMBEROF('City level Access') THEN [Lat] END
The [field] is replaced by either City Name, Lat or Long. Any user who is part of the City level group can see the City points on the map; for anyone else those values are NULL and won’t appear.
In my example, the simple chart I built was a map with the UK as the country level and then dots for 5 cities within the UK.
I dragged the Country field from the Data pane onto the canvas and then changed the mark type to Map.
In the use case for my client, they had specific Latitude and Longitude fields for the more detailed locations, which they used on the marks card. This was necessary for them, as Tableau would not have recognized their location names to auto-generate coordinates. However, if you are using city names, Tableau can often recognize these and auto-generate the latitude and longitude values.
As a result, I dragged the RLS City field and held it over the canvas until the map layers option appeared (Add a Marks Layer). Ensure that the RLS City field has a geographic role so the data type is recognized. This also applies to the Lat and Long fields we will drag on next. I also made the Lat and Long fields dimensions, so that Tableau doesn't attempt to aggregate them. The Lat and Long fields are then dragged onto the marks card just created by the City field. At this point, you should see the city locations appear as dots on the map. Lat and Long were on Detail and City on Label so that labels appear.
Security
As we are applying these rules to remove visibility, we must protect against users being able to Edit the workbook (and as a result see the data we have obscured), or download the underlying data.
This must be managed at the permissions level on Tableau Server.
Within the workbook I have denied access to download the data and to edit the workbook. (The only remaining clue that there is city level data is in the Map Layer Control on the map).
Usual best practice is to apply permissions at the project level, as long as this is relevant to your use case.
At the workbook level I have ensured that those in the country level group are denied access to Download Summary Data, Share Customized, Download Full Data, Web Edit, Download/Save a Copy, Overwrite etc.
Setting these options to denied ensures that the deny overrules any other groups that we might include (so nobody who isn’t supposed to slips through the net).
Our end result shows that those users without download permissions will not see an option in the drop-down menu, and also won’t see an option to Edit.
Be aware of how Site Roles and License Types work and interact with each other. In my example, I was the Site Admin with a creator license and had 2 other users as explorer and viewer.
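One way to check that the Deny rules described above are actually in place, shown as an added example rather than something from the original post: it parses a Tableau REST API "Query Workbook Permissions" response and lists any of the named permissions that are not explicitly denied for the country-level group. The response below is a constructed sample, the ids (wb-0001, grp-country) are placeholders, and the mapping from the post's permission labels to REST capability names is this example's assumption.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://tableau.com/api"}

# Post's permission labels -> REST capability names (mapping assumed for this example).
REQUIRED_DENY = {
    "Download Summary Data": "ExportData",
    "Download Full Data": "ViewUnderlyingData",
    "Share Customized": "ShareView",
    "Web Edit": "WebAuthoring",
    "Download/Save a Copy": "ExportXml",
    "Overwrite": "Write",
}

# Constructed sample response; ids are placeholders, not real server values.
SAMPLE_RESPONSE = """<tsResponse xmlns="http://tableau.com/api">
  <permissions>
    <workbook id="wb-0001" name="UK map"/>
    <granteeCapabilities>
      <group id="grp-country"/>
      <capabilities>
        <capability name="Read" mode="Allow"/>
        <capability name="ExportData" mode="Deny"/>
        <capability name="ViewUnderlyingData" mode="Deny"/>
        <capability name="WebAuthoring" mode="Deny"/>
        <capability name="ExportXml" mode="Allow"/>
        <capability name="Write" mode="Deny"/>
      </capabilities>
    </granteeCapabilities>
  </permissions>
</tsResponse>"""

def group_capabilities(xml_text, group_id):
    """Return {capability: mode} for the rules set directly on one group."""
    root = ET.fromstring(xml_text)
    modes = {}
    for grantee in root.findall(".//t:granteeCapabilities", NS):
        group = grantee.find("t:group", NS)
        if group is None or group.get("id") != group_id:
            continue
        for cap in grantee.findall("t:capabilities/t:capability", NS):
            modes[cap.get("name")] = cap.get("mode")
    return modes

def missing_denies(xml_text, group_id):
    """List the post's permissions that are not explicitly Deny for the group."""
    modes = group_capabilities(xml_text, group_id)
    return sorted(label for label, cap in REQUIRED_DENY.items()
                  if modes.get(cap) != "Deny")

if __name__ == "__main__":
    print(missing_denies(SAMPLE_RESPONSE, "grp-country"))
```

A capability that is left unspecified is reported as well as one set to Allow, since only an explicit Deny overrules what another group grants.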
Resources
Row Level Security Whitepaper - https://www.tableau.com/sites/default/files/whitepapers/tableau-rls-entitlement-tables_0.pdf
License Types - https://help.tableau.com/current/blueprint/en-us/bp_license_types.htm
Site Roles - https://help.tableau.com/current/online/en-us/users_site_roles.htm?source=productlink
Managing Permissions - https://help.tableau.com/current/server/en-us/permissions_projects.htm#lock-asset-permissions