This content is part of the comprehensive Governance in Tableau documentation.
Data security is of the utmost importance in every enterprise. Tableau allows customers to build upon their existing data security implementations. IT administrators have the flexibility to implement security within the database with database authentication, within Tableau with permissions, or a hybrid approach of both. Security will be enforced regardless of whether users are accessing the data from published views on the web, on mobile devices, or through Tableau Desktop and Tableau Prep Builder. Customers often favor the hybrid approach for its flexibility to handle different kinds of use cases. Start by establishing a data security classification to define the different types of data and levels of sensitivity that exist in your organization.
When leveraging database security, it is important to note that the method chosen for authentication to the database is key. This level of authentication is separate from the Tableau authentication (e.g. when a user logs in to Tableau, he or she is not yet logging into the database). This means that Tableau users will also need to have credentials (their username/password or service account username/password) to connect to the database for the database-level security to apply. To further protect your data, Tableau only needs read-access credentials to the database, which prevents publishers from accidentally changing the underlying data. Alternatively, in some cases, it is useful to give the database user permission to create temporary tables. This can have both performance and security advantages because the temporary data is stored in the database rather than in Tableau.
In addition, extract encryption at rest is a data security feature that allows you to encrypt .hyper extracts while they are stored on Tableau Server. Available as of 2019.3, Tableau Server administrators can enforce encryption of all extracts on their site or enable users to encrypt all extracts associated with particular published workbooks or data sources. For more information, see Extract Encryption at Rest. Tableau Online is already fully encrypted at rest.
You can limit which users see what data by setting user filters on data sources. This allows you to better control what data users see in a published view based on their Tableau login account. Using this technique, a regional manager can view data for her region but not the data for the other regional managers. With these data security approaches, you can publish a single view or dashboard in a way that provides secure, personalized data and analysis to a wide range of users on Tableau. For more information, see Data Security and Restrict Access at the Data Row Level.