Tableau Security Model

Methods

The methods used to secure the content on the U-M Tableau Server subsequently exposed to staff and faculty authorized to view the underlying data include:

  • Signing into the Tableau web server
  • Trusted authentication
  • SAML
  • Shibboleth
  • Active Directory

A valid uniqname and password are required for successful authentication to the server. Only active employees are considered licensed users. A daily script either adds or removes access based on their HR employment role via Active Directory active employment status.

Two-factor authentication is not required by the Tableau web server. However, applications that embed Tableau data visualizations within their pages are at their current discretion to continue using two-factor authentication for verification of users' identities. U-M employees must read and agreed to the access and compliance guidelines with regard to the proper use of data before they can access and interact with Tableau visualizations.

Data Governance

University standard practices related to data and information security also apply to Tableau data visualizations.

  • Data Sources
    ERP data sources (Financial, eResearch, Planview, etc.): same security applies
  • Accountability
    Each publisher needs to share the content that they publish with the appropriate audience(s). It is the publisher’s responsibility to determine the scope of visibility to the data visualization and to whether to the underlying data is visible.
  • Access and Compliance
    All users of Tableau Web server content will be prompted to read and comply with the university Information Security Policy (SPG 601.27)

U-M Tableau Server Roles

Role Control over
Site Administrators Sites
Project Leaders Projects
Publishers Workbooks, dashboards
Editor Can save changes to workbooks under a new name
Interactor Can use filters in visualizations to analyze the data
Viewer Static, read only view of visualization

Projects and Groups

Projects and groups associated to those projects are another way that access and security on the Tableau published content will be controlled.

Note: For units administering their own Tableau web server sites, project creation, access granted is under their control.

Submit a ServiceLink request to have a new Tableau Project or Group created or updated. The BI team will review all requests to ensure that naming standards are being used and no project is named in a way that will confuse who owns it, or what its content holds.

MCommunity groups can be used as the source of the initial load to an Active Directory group and then to a Tableau group. No removals from an MCommunity group will subsequently affect a Tableau group membership.

A new feature of MCommunity—a driver that will allow you to simply add the group to a master group that becomes entitled to AD—will be coming in 2014. Tableau allows one to import members from an Active Directory (AD) group directly into a Tableau Group for controlling/allowing access to Tableau Projects. Until then, ITS Access and Accounts can set the entitlement flag. Example:

"{"system":"umroot-ad","changeDate":"20121210151755Z","foreignKey":"DEV-Development Fundraising Community"}"