Tableau OCF Permission Mirroring

Alation Cloud Service: Applies to Alation Cloud Service instances of Alation

Customer Managed: Applies to customer-managed instances of Alation

Permission mirroring synchronizes object access in a Tableau BI source in Alation with the corresponding user access rights on the Tableau server. This ensures that Alation users only see authorized Tableau objects and helps maintain data security across both platforms.

When permission mirroring is enabled for your Tableau source, Alation will query the Tableau server to determine the objects that a user is permitted to view. It will then filter the Tableau objects displayed in Alation to match those permissions. This process happens dynamically, so if a user’s permissions change in Tableau, the objects they can see in Alation will also be updated automatically.

Permission mirroring applies to a wide range of Tableau objects, including:

  • Sites

  • Projects

  • Workbooks

  • Sheets

  • Datasources

It applies to all users who have access to the Tableau source in Alation, including Server Admins.


Permission Mirroring in Alation

Alation’s permission mirroring feature ensures that users see only the Tableau content they are authorized to view, directly within the Alation catalog.

Enable Permission Mirroring

To enable permission mirroring for a Tableau source, navigate to the Settings > Metadata Extraction tab of your Tableau source.

Turn on the Enable permission mirroring toggle to mirror the user permissions from Tableau to Alation. By default, this option is disabled.

Important

Enabling permission mirroring significantly increases metadata extraction time because Alation invokes the Tableau API to get permissions for each project, workbook, datasource, and report.

In the User Domain Name field, specify the domain name(s), separated by commas, of the Tableau users whose permissions Alation will extract, then click Save.

Alation supports extraction of permissions from multiple domains. Ensure you have performed the required configuration in your Active Directory.


Data Extraction and Permission Retrieval

When extracting data from Tableau with permission mirroring enabled, Alation gathers user information and access rights for sites, projects, data sources, workbooks, and sheets. To efficiently determine visibility, Alation focuses on users with view permissions, as this is the only access level necessary for a user to see a Tableau object. For more information on Tableau permissions, see Permissions.

Alation considers both the user’s site role and any object-level permission rules (defined by groups or direct user assignments) to accurately reflect Tableau’s access controls. Alation also retrieves information on view permissions for users with all site roles except Unlicensed.

User Account Mapping Between Tableau and Alation

Alation aligns user permissions with Tableau by matching usernames. During data extraction, Alation compares usernames between the two systems. A successful match, like jsmith@company.com in both Tableau and Alation, enables permission mirroring, ensuring users see only authorized Tableau objects in Alation. A mismatch, such as jsmith@company.com in Tableau and john.smith@company.com in Alation, prevents permission transfer, resulting in the user seeing no Tableau objects.

Note

Matching users between Alation and Tableau is case-insensitive. This means that usernames john.smith@company.com and John.Smith@company.com will be matched as the same user.

Important

Enabling permission mirroring is most effective when Alation and Tableau share the same authentication method, for example, LDAP authentication using the same LDAP directory. Otherwise, users in Alation who need access to a Tableau source must have usernames that exactly match their counterparts in Tableau.

Note

Users with the site role Unlicensed in Tableau will not be able to see any extracted objects under a Tableau source in Alation.
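The following pre-enablement check is an added example, not Alation or Tableau code. It applies the matching rules described above to two user lists to report which Alation accounts would see no Tableau objects once mirroring is turned on. The account data is constructed, and the "same local part, different domain" hint is an assumption added here to help spot likely mismatches.

```python
# Added example: audits username alignment before enabling permission mirroring.
# Constructed sample accounts; real input would be user exports from each system.
ALATION_USERS = [
    "jsmith@company.com",
    "Ana.Diaz@company.com",
    "adoe@company.com",
    "bkhan@partner.example",
    "mlee@company.com",
]
TABLEAU_USERS = {  # Tableau username -> site role
    "JSmith@company.com": "Explorer",
    "ana.diaz@company.com": "Viewer",
    "adoe@company.com": "Unlicensed",
    "bkhan@company.com": "Creator",
}


def normalize(username):
    """Case-insensitive comparison key, per the matching rule on this page."""
    return username.strip().casefold()


def audit(alation_users, tableau_users):
    """Map each Alation username to (status, possible_counterparts)."""
    roles = {normalize(name): role for name, role in tableau_users.items()}
    by_local = {}
    for name in roles:
        by_local.setdefault(name.split("@")[0], []).append(name)
    report = {}
    for user in alation_users:
        key = normalize(user)
        if key not in roles:
            # No Tableau record: the user would see no Tableau objects.
            # Heuristic (assumption): list Tableau names sharing the local part.
            near = sorted(by_local.get(key.split("@")[0], []))
            report[user] = ("unmatched", near)
        elif roles[key].casefold() == "unlicensed":
            # Matched, but Unlicensed users see no extracted objects.
            report[user] = ("unlicensed", [])
        else:
            report[user] = ("mirrored", [])
    return report


if __name__ == "__main__":
    for user, (status, near) in audit(ALATION_USERS, TABLEAU_USERS).items():
        hint = f"  possible counterpart: {', '.join(near)}" if near else ""
        print(f"{user:26} {status}{hint}")
```

Accounts reported as unmatched or unlicensed are the ones to reconcile before enabling the toggle.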

Displaying Authorized Content

When a user logs into Alation and accesses a Tableau source catalog page, Alation retrieves their Tableau permission information. Only the Tableau objects that the user is authorized to view in Tableau are displayed in Alation.

If an Alation user doesn’t have a matching user record in Tableau, they will see no Tableau objects, as Alation lacks their Tableau permission record. During selective extraction, the Select projects for extraction will display only those projects the user has permission to view. If the user has full permissions, all projects will be shown.