Version(s): 6.1, 7.0
Last Modified Date: 15 Jul 2014
Article Note: This article is no longer actively maintained by Tableau. We continue to make it available because the information is still valuable, but some steps may vary due to product changes.
When you connect to a live data source from Tableau Server, there are several options and settings that work together to achieve different results. The Authentication mode in the table below is the option you choose in Tableau Desktop when you publish a workbook to Tableau Server. It is different than Tableau Server user authentication, which you configure during Tableau Server Setup.
User-based filters, the embedded password option and the impersonation modes have similar effects—when users click a view, they are not prompted for database credentials and they see only the data that pertains to them. However, user-based filters are defined in the workbook by authors, and the impersonation authentication modes rely on security policies defined by administrators in the database itself. You can find more details in the"User Filtering" topic of the Tableau Desktop Online Help. For information on impersonation, see the "Appendix B: Configuring SQL Server Impersonation" section of the Tableau Server Administrator Guide.
|Database Connection Options||User-Related Questions|
|Database logon account uses…||Authentication mode||Is database security possible per Tableau Server user?||Are user filters the only way to restrict which data each user sees?||Are web caches shared among users?|
|Windows NT Integrated security||Server Run As account||No||Yes||Yes|
|Impersonate via server Run As account||Yes||No*||No|
|Specific username and password||Prompt users: Users are prompted for their database credentials. Credentials can be saved.||Yes||No||No|
|Embedded password: The database username and password are embedded.||No||Yes||Yes|
|Impersonate via embedded password: The database username and password with impersonate permission are embedded.||Yes||No*||No|
*Tableau recommends that you do not use this authentication mode with user-filters.
Some of the options above require configuration steps that must happen during Tableau Server setup and/or before you publish a workbook. See the Tableau Server Administrator Guide for information about:
- SQL Server impersonation
- Run As User
- Embedded credentials
- Saved passwords setting
Database Connection Options
Windows NT Integrated Security (Windows Authentication)
When Windows NT Integrated security is used for the account that connects to the database, it means that users are authenticated to the database through NT instead of through the database's built-in security mechanism.
- Server Run As account: Tableau Server uses its Run As User account credentials to connect to the database. All users of this instance of Tableau Server use this connection information for the database. Unless user-filters are defined in the workbook, they all see the same information when they click a view.
- Impersonate via server Run As account: To use this option, each Tableau Server user must also have an individual SQL Server database account. Tableau Server uses a Run As User account to connect to the database that has impersonate permission for each database user. The Run As account acts on behalf of each user. When users click a view, what they see is restricted by their individual database permissions. User-filters are not needed or recommended.
Username and Password (not embedded)
When you use Username and Password to connect to the database, you are using the database's built-in security mode for user authentication.
- Prompt user: Tableau Server prompts each user to log in to the database with their database username and password. If you already have database security set up, this is a good option to make sure that security is honored by Tableau Server. There is an optional setting to allow Tableau Server to remember this password so users have to enter it only once.
- Embedded password: This option can't be used with Windows authentication. Tableau Server uses the workbook author's embedded credentials to connect to the database server. All users of this instance of Tableau Server use this connection information for the database. Unless user-filters are defined in the workbook, they all see the same information when they click a view.
- Impersonate via embedded password: To use this option, each Tableau Server user must also have an individual SQL Server database account. The account credentials that the workbook author embeds must have impersonate permission for each database user. The author's account acts on behalf of each user. When users click a view, what they see is restricted by their individual database permissions.
Q: Can I automatically pass the credentials of a Tableau Server user to the database?
A: Yes, if you are using either of the impersonation options.
If you are using the other options, no—with one exception: if Saved Passwords is enabled in the Tableau Server Administration pane, a user needs to enter their credentials only one time per data source. These data source credentials are then stored in Tableau Server and re-used for the user's next connection to the data source. Note that these credentials are separate from those used to log in to Tableau Server.
Q: I am using Active Directory for my Tableau Server authentication and my database authentication. Are the user's credentials automatically passed to the database?
A: Yes, if you are using the"Impersonate via server Run As account" authentication mode. No, if you are using any other authentication mode.Alternate Search Terms:InformationPublishing Sharing