If you're authenticating and authorizing access to embedded content using Tableau connected apps, you can control and customize the user experience based on users' contexts. This customization is enabled by a combination of including user attributes in a JSON Web Token (JWT) and applying user attribute functions in embedded content, such as workbooks. By including user attributes in your embedding workflow, you can manage data access policies in the same place you manage other policies in your organization and personalize the experience for users so they only see the information that is relevant to them.
What are user attributes?
User attributes are user metadata defined by your organization. User attributes can be used to determine access in a typical attribute-based access control (ABAC) authorization model. User attributes can be any aspect of the user profile, including job roles, departmental membership, management level, etc. They might also be associated with run-time user contexts like where the user is signed in or their language preference.
By including user attributes in your embedding workflow, you can control and customize the user experience through data access and personalization.
The process of enabling user attributes is summarized in the following steps.
For security purposes, user attributes are only validated in an authentication workflow if the user attribute setting is enabled by a site admin (on Tableau Cloud) or server admin (on Tableau Server).
For Tableau Cloud
For more information about site settings, see the Site Settings Reference topic in the Tableau Cloud Help.
For Tableau Server
Enabling user attributes on Tableau Server must be done programmatically using the Tableau REST API. In addition, you can enable the features.vizDataServiceClientEnable option in Tableau Services Manager (TSM) to support user attributes in published data sources.
Set the attributeCaptureEnabled attribute to true using the Update Site method. This enables user attributes for all Tableau Server embedding workflows.
Enable the features.VizDataServiceClientEnable option in TSM by doing the following:
tsm configuration set -k features.VizDataServiceClientEnable -v true
tsm pending-changes apply
For more information, see features.VizDataServiceClientEnable in the Tableau Server Help.
As a site admin, configure a connected app using direct trust or OAuth 2.0 trust. You can skip to the next step if you've already created one or more connected apps on your site.
For Tableau Server
As a server admin, configure a connected app using direct trust or OAuth 2.0 trust. You can skip to the next step if you've already created one or more connected apps on your server or site.
3. Include user attributes in the JWT
Make sure the JWT contains the user attributes.
Example
Suppose you have an employee, Fred Suzuki, who is a manager located in the South region. You want to ensure that, when Fred reviews reports, he is only able to see data for the South region. In a scenario like this, you might include the Region user attribute in your JWT like in the Python example below.
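import datetime
import uuid

import jwt  # PyJWT

# connectedAppClientId, connectedAppSecretId, connectedAppSecretKey and user
# are supplied by your application from the connected app's configuration.
token = jwt.encode(
    {
        "iss": connectedAppClientId,
        "exp": datetime.datetime.utcnow() + datetime.timedelta(minutes=5),
        "jti": str(uuid.uuid4()),
        "aud": "tableau",
        "sub": user,
        "scp": ["tableau:views:embed", "tableau:metrics:embed"],
        # User attribute carried as an additional claim
        "Region": ["South"],
    },
    connectedAppSecretKey,
    algorithm="HS256",
    headers={
        "kid": connectedAppSecretId,
        "iss": connectedAppClientId,
    },
)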
Important: Network traffic between Tableau Cloud and the client is over HTTPS, and HTTPS is also recommended for Tableau Server. Because HTTPS uses encryption for secure communication, no one should be able to intercept the encoded JWT. However, the end-user can access the unencrypted JWT and can decode it. As a general rule, the user attributes should only contain information you don't mind exposing to your users.
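The note above can be checked directly. The following is an added example, not Tableau's code: it builds the same HS256 token with the Python standard library in place of PyJWT, shows that the claims are readable without the secret, and refuses to mint a token carrying an attribute that is not on an approved list. ALLOWED_ATTRIBUTES, the function names and the sample values are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Hypothetical allowlist: the only attributes this application agrees to expose.
ALLOWED_ATTRIBUTES = {"Region"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def mint_embed_token(client_id, secret_id, secret_key, user, attributes, now=None):
    """Build an HS256 JWT shaped like the page's example; reject unlisted attributes."""
    unexpected = set(attributes) - ALLOWED_ATTRIBUTES
    if unexpected:
        raise ValueError(f"attributes not approved for exposure: {sorted(unexpected)}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": secret_id, "iss": client_id}
    payload = {"iss": client_id, "exp": now + 300, "jti": str(uuid.uuid4()),
               "aud": "tableau", "sub": user,
               "scp": ["tableau:views:embed", "tableau:metrics:embed"], **attributes}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    signature = hmac.new(secret_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"

def read_claims_without_key(token):
    """What any holder of the token can do: decode the payload, no secret needed."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def signature_is_valid(token, secret_key):
    """Recompute the HMAC; an edited payload no longer matches the signature."""
    signing_input, _, signature = token.rpartition(".")
    expected = hmac.new(secret_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), signature)

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    token = mint_embed_token("client-id-placeholder", "secret-id-placeholder",
                             "secret-value-placeholder", "fsuzuki@example.com",
                             {"Region": ["South"]})
    print(read_claims_without_key(token)["Region"])
```

The signature keeps a user from changing an attribute value, but it does nothing to hide the value, which is why the allowlist is applied before signing.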
4. Ensure the content author includes user attribute functions
Ensure the content author includes the user attribute functions and related filters to control what data can display in the embedded content. To ensure the user attributes from the JWT are passed to Tableau, the content must contain one of the following user attribute functions:
USERATTRIBUTE('attribute_name')
USERATTRIBUTEINCLUDES('attribute_name', 'expected_value')
The function that the content author uses depends on whether the user attributes are expected to return a single value or multiple values. For more information about these functions and examples of each, see User Functions in the Tableau Help.
Note: Preview of the content with these functions is not available when authoring in Tableau Desktop or in Tableau Cloud. The function will return NULL or FALSE. To ensure the user functions work as expected, we recommend the author review the functions after embedding the content in an external application.
Example
Continuing the example introduced in Step 3. Include user attributes in the JWT above, to pass the "Region" user attribute from the JWT to a workbook, the author can include USERATTRIBUTEINCLUDES. For example, USERATTRIBUTEINCLUDES('Region', [Region]), where "Region" is the user attribute and [Region] is a column in the data. Using the new calculation, the author can create a table with Manager and Sales data. When the calculation is added, the workbook returns "False" values as expected.
To show only the data associated with the South region in the embedded workbook, the author can create a filter and customize it to show values when the South region is "True." When the filter is applied, the workbook becomes blank as expected because the function is returning "False" values and the filter is customized to show "True" values only.
5. Embed the content in your external application
Use the Tableau Embedding API to embed the content in your external application and ensure that you include the JWT in the <tableau-viz> web component or TableauViz object.
Example
To conclude the example from Step 4: Ensure the content author includes user attribute functions above, after you embed the view in an external application, the Sales data in the view is customized to Fred Suzuki because his user context is the South region.
Managers from the regions represented in the workbook should see the value associated with their region. For example, Sawdie Pawthorne from the West region sees data specific to her region.
Managers whose regions are not represented in the workbook see a blank workbook.
Known issues and limitations
Blank images using the Tableau REST API
Tableau REST API requests Query Preview Image, Query Workbook Image, and Get Custom View Image produce blank images.
Limitations