Using Centralized Row Level Security to Segment Data Across an Organization

Posted By Jonathan Rauh

Organizations of every type have data that they want to keep segmented across departments but that they still need to analyze. Finance departments still need to analyze finance data, but it is unlikely that one would want the entire organization seeing all Finance data. The same would be true for Human Resources or for different locations such as schools or classrooms. Centralized Row Level Security using Tableau’s Data Management add-on allows site administrators to define and manage security down to the individual row level of a table and then share those permissions across data flows and dashboards that use the original permissioned data.

Below I describe how to implement Centralized Row Level Security using a Virtual Connection.

To begin, we need to make a virtual connection. To do this, we will go to ‘New’ and select ‘Virtual Connection.’ This will take us to a new page allowing us to select databases to which we can make a virtual connection.

In this case I will be connecting to a PostgreSQL database and connecting to a file stored in the database on which I will create a data policy.

With the data now connected, we can implement a data policy in the virtual connection in the same way we would in a worksheet. In this case I am demonstrating three policies: an individual policy that sets permissions at the user level, a group policy that sets permissions at the group level, and an OR policy that sets permissions at either the individual or the group level. But how do we know which policy to use, and when would we use each one? For the individual policy, imagine a scenario where we have individual users and we want to confine the data that an individual views to just their data. For the group policy, imagine we have an individual location and we only want individuals at that location to see the data. For the OR policy, it would be a case where we wanted both cases to be true, such as an individual Advancement Officer seeing their fundraising data while the VP of Advancement sees all fundraising data.

We will go to the Data Policies and select ‘Create New Policy.’ We will then drag our data table to Policy 1 and drop it on the ‘Add as Data Policy’ field. We will then select a column to map (the field on which we will set the policy). Below I have shown the individual policy, i.e. USERNAME() = username as the data policy. In this case the login info (username) would need to be included in the data set. We can test the policy by selecting the table icon and clicking the ‘With Policy Applied’ radio button. Below we can see that only rows associated with my username are visible to me.

We can do the same thing at the group level. In this case I am selecting role = ‘SE’ so that only those in the SE group are visible. Note the difference in the Total Rows available to view, 111/443 for the Group versus 56/443 for the individual policy.

Finally, if we want to implement the OR policy we will combine the two. Now we have data associated with me because of the individual policy, or individuals with the role of AE because we combined the role field using ‘OR.’ Note also we now have 278 of 443 rows visible.

If we want to go further and be more nuanced, we can combine statements using any fields that permit a Boolean (true/false) statement, e.g. [Field 1] = X OR [FIELD 2] = Y OR [DATE FIELD] >= DATETRUNC('year', [Date Field]) and so on.
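To check who sees which rows under the three policy conditions described above, the following added Python sketch (not from the original post and not Tableau code) models a policy condition as a true/false test evaluated per row for a given viewer. The sample rows, viewer logins and function names are constructed for illustration.

```python
# Added illustration: a data policy condition modelled as a per-row
# true/false test. Rows, viewers and names are constructed, not the
# author's data, and this is not Tableau's API.
ROWS = [
    {"id": 1, "username": "alice", "role": "SE"},
    {"id": 2, "username": "alice", "role": "SE"},
    {"id": 3, "username": "bob", "role": "SE"},
    {"id": 4, "username": "carol", "role": "AE"},
    {"id": 5, "username": "carol", "role": "AE"},
    {"id": 6, "username": "dave", "role": "AE"},
    {"id": 7, "username": "erin", "role": "CSM"},
]
# "mallory" is a login that owns no rows in the table.
VIEWERS = ["alice", "carol", "mallory"]

def individual(row, viewer):
    # USERNAME() = username
    return row["username"] == viewer

def group(row, viewer):
    # role = 'SE' (the viewer is not part of the test)
    return row["role"] == "SE"

def either(row, viewer):
    # USERNAME() = username OR role = 'AE'
    return individual(row, viewer) or row["role"] == "AE"

def visible(policy, viewer, rows=ROWS):
    """Ids of the rows a viewer gets back with the policy applied."""
    return [r["id"] for r in rows if policy(r, viewer)]

def audit(policy, viewers=VIEWERS):
    """Map each viewer to the rows they can see under one policy."""
    return {v: visible(policy, v) for v in viewers}

def viewer_independent(policy, viewers=VIEWERS):
    """True when every viewer sees the same rows, i.e. the condition
    filters the table but does not separate one user from another."""
    results = list(audit(policy, viewers).values())
    return all(r == results[0] for r in results)

if __name__ == "__main__":
    for name, policy in [("individual", individual), ("group", group), ("or", either)]:
        print(name, audit(policy), "same for all:", viewer_independent(policy))
```

A condition that only compares a column to a constant returns the same rows for every viewer, so test each policy with several logins, including one that appears nowhere in the data.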

Once we select Publish, the data policy is applied. We can now connect to the data in Tableau via the virtual connection and be sure that the data will operate with our data policy applied.

This feature can be particularly useful for segmenting data for schools or teachers. In general, it is useful for any organization that needs to provide similar information at different organizational levels and does not want to rebuild dashboards for each level of the organization. Just imagine the time savings from not having to recreate dashboards for every school or classroom.

I hope this helps you in your data journey and in seeing and understanding your data. Please reach out with any questions.

Jonathan received his PhD in Public Policy with an emphasis in Quantitative Analytics focusing in Education and Health Policy. He has held multiple roles in education analytics including Research Director for eLearning for the SC Department of Education, Evaluator for multiple NSF Education Grants, and is the author of multiple articles on eLearning and the use of social analytics in K12. He has also served on the faculty at East Carolina University, College of Charleston, and Virginia Commonwealth University where he taught courses in Statistics, Business Intelligence, and Educational Policy Analysis. Jonathan is currently a Lead Solution Engineer with Tableau at Salesforce.


One thought on “Using Centralized Row Level Security to Segment Data Across an Organization”
  1. Sam Mickens

    Great job of showing how easy it is to implement centralized row level security at the data source level. This is powerful and a necessity!
