
Enterprise Security: Tableau vs. Power BI

October 24, 2019

Microsoft, Tableau

Compare Approaches to the Key Security Concerns

Large organizations often see business users adopting the desktop versions of Tableau and Power BI before a full strategy is developed. Eventually, the need to share and publish reports from these visual analytics tools arises and a corporate approach and associated policies need to be established. For large enterprises, concerns typically center around security, fitting into the overall IT infrastructure and data audits.

During this webinar recording, we compare and contrast the approaches to security taken by Tableau and Power BI to help you make wise choices when planning out enterprise level deployments.

We dive into enterprise security related topics including

  • Single sign on
  • Users, groups and permissions
  • Row-level security
  • On-premise data access
  • Audit logs

▼ TECHNOLOGIES COVERED

Power BI, Tableau

▼ PRESENTER

Bob Looney
Sr. Director of Software Engineering
Senturus, Inc.

Bob Looney leads software development and BI architecture efforts at Senturus, focusing on software and cloud architecture in the Power BI and Tableau practices. Before coming to Senturus, Bob was designing, building and scaling business intelligence software, reports and dashboards for use by thousands of restaurants.

▼ PRESENTATION OUTLINE 1

  • Architecture overview
    • Desktop
      • Power BI desktop (Windows)
      • Tableau desktop (Windows, Mac)
    • Vendor hosted service
      • Power BI service (app.powerbi.com)
      • Tableau Online (online.tableau.com)
    • On-prem server
      • Tableau Server (Windows, Linux)
      • Power BI: N/A
        • Power BI Report Server – a subset of the Power BI service
    • On-premise data access
      • Power BI Gateway (Windows)
      • Tableau Bridge (Windows)
    • Mobile apps
      • Both offer iOS and Android apps
    • Example architecture diagram
    • Tableau Server architecture
      • Tableau Server works as a standalone web app, like most other on-prem or SaaS applications
      • The application is installed on a server or VM
    • Power BI service architecture
      • Power BI service is designed as a piece of the larger Microsoft Azure cloud architecture
    • Azure AD Connect
      • On-premise Active Directory domains need to be synced to Azure Active Directory
      • This is done using a Microsoft utility called Azure AD Connect
      • If you’re using other Office 365 applications (Exchange Online, SharePoint Online) with Active Directory, this step has already been completed by your IT department
    • Component overview summary
      • Largely the same core components and features
      • Tableau has a few unique strengths
        • Mac desktop/Linux server
        • On-premise server
      • Power BI is strong when an organization is already implementing Office 365/Azure
        • IT will already be managing users and groups

▼ PRESENTATION OUTLINE 2

  • Single sign on
    • Enterprises use single sign on to increase security
    • Multi-factor authentication (MFA) at the SSO level
      • SMS text messages
      • Authenticator mobile apps, security tokens or keys
    • Tableau single sign on
      • Works like most other SaaS applications
      • Default authentication is Tableau’s own username and password database (local authentication)
      • Supports SAML and OpenID Connect (Google) for SSO
    • Tableau set up
      • Similar to other SaaS applications
      • Several options are well documented and supported by Tableau
    • Power BI single sign on
      • Unlike most other SaaS applications
      • Power BI does not maintain a separate database of usernames and passwords
      • Power BI uses Azure Active Directory to authenticate users
      • Azure AD’s default authentication is Microsoft’s own identity provider (IdP)
      • You can replace Azure’s authentication step with another identity provider (IdP)
      • Supports WS Federation, WS-Trust and SAML-P protocols
      • If your IT group sets this up, it replaces the authentication step for all Microsoft authentication calls (Office 365, Azure login, connected apps)
      • Using a third party IdP is possible, but
        • Microsoft points you to your IdP if you have questions
        • Microsoft doesn’t provide any IdP specific setup steps
        • Microsoft no longer tests and validates IdPs
      • Both platforms support Single Sign On
      • Are you already using Office 365?
        • Power BI SSO setup will be faster
        • Tableau SSO Setup is still possible
      • Are you using an organization wide IdP (Okta, OneLogin, etc.) not tied to Azure?
        • Tableau SSO setup will be faster
        • Power BI SSO setup is still possible
  • Users and groups
    • Tableau: manual and bulk options are well supported
    • Tableau groups, manual
      • Add and assign groups manually
      • Users are typically placed in one or more groups
      • Best practice: use groups to assign permissions
    • Tableau users and groups – API
    • Tableau users and groups – IDP
      • New feature allows the configured IdP to maintain (provision) users
      • Only Okta and OneLogin are supported currently
    • Power BI users
      • Anyone can download and install Power BI Desktop (no license needed, just machine permissions to install)
      • Publishing or using data sources on the Power BI service requires a Power BI Pro license
      • An end user could start a Pro trial and use the Power BI service without IT involvement until that trial expires
    • Power BI users, manual
      • You cannot create a user inside Power BI itself
      • IT typically controls this process
      • Users come from on-prem AD, Azure AD or Office 365
    • Power BI groups, manual
      • You cannot make a group inside Power BI
      • IT typically controls this process
    • Power BI users and groups – API
    • Summary
      • Both platforms support users and groups
      • Both platforms support automation features
      • Power BI will leverage users and groups from Azure AD—AD connect can sync on prem AD to the cloud
      • Tableau will need a method/process to create users and groups prior to SSO login—enterprises will likely want to automate this process
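As a worked example of the automation the summary calls for (added here; this is not code from the webinar or from Senturus): a Python script that bulk-creates Tableau users and places them in groups through the Tableau REST API before their first SSO login. It assumes REST API version 3.6 or later, a personal access token, groups that already exist on the site, and a small constructed entitlement list; `FakeTableau` is a constructed in-memory stand-in so the script runs without a server. Request bodies are built with ElementTree so a username taken from a spreadsheet cannot inject XML, and every group is resolved before any user is created, so a misspelled group name aborts the run instead of silently leaving a user under-permissioned.

```python
"""Bulk-provision Tableau Server/Online users and group membership via the
Tableau REST API ahead of SSO login. Added example, not Senturus code.
Assumes REST API 3.6+, a personal access token (PAT) and existing groups;
FakeTableau is a constructed stand-in so the script runs offline."""
import functools
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

API_VERSION = "3.6"                       # assumption: match your server
NS = {"t": "http://tableau.com/api"}      # namespace used in REST responses


def http_send(server, method, path, body=None, token=None):
    """Real transport: send one REST call and return the parsed XML reply."""
    req = urllib.request.Request(f"{server}/api/{API_VERSION}{path}",
                                 data=body.encode() if body else None, method=method)
    req.add_header("Content-Type", "application/xml")
    if token:
        req.add_header("X-Tableau-Auth", token)
    with urllib.request.urlopen(req) as resp:
        return ET.fromstring(resp.read())


def ts_request(tag, **attrs):
    """<tsRequest><tag .../></tsRequest>; ElementTree escapes attribute
    values, so a hostile username in the input cannot inject XML."""
    root = ET.Element("tsRequest")
    ET.SubElement(root, tag, attrs)
    return ET.tostring(root, encoding="unicode")


def sign_in(send, pat_name, pat_secret, site_url):
    root = ET.Element("tsRequest")
    cred = ET.SubElement(root, "credentials", personalAccessTokenName=pat_name,
                         personalAccessTokenSecret=pat_secret)
    ET.SubElement(cred, "site", contentUrl=site_url)      # "" = default site
    resp = send("POST", "/auth/signin", ET.tostring(root, encoding="unicode"))
    cred = resp.find("t:credentials", NS)
    return cred.get("token"), cred.find("t:site", NS).get("id")


def lookup_group(send, token, site_id, name):
    resp = send("GET", f"/sites/{site_id}/groups?filter=name:eq:{quote(name)}", token=token)
    group = resp.find("t:groups/t:group", NS)
    if group is None:
        raise KeyError(f"group not found on site: {name}")   # fail closed
    return group.get("id")


def create_user(send, token, site_id, username, site_role):
    resp = send("POST", f"/sites/{site_id}/users",
                ts_request("user", name=username, siteRole=site_role), token)
    return resp.find("t:user", NS).get("id")


def add_to_group(send, token, site_id, group_id, user_id):
    send("POST", f"/sites/{site_id}/groups/{group_id}/users",
         ts_request("user", id=user_id), token)


def provision(send, pat_name, pat_secret, site_url, rows):
    """rows: (username, site role, [group names]). Returns {username: user id}."""
    token, site_id = sign_in(send, pat_name, pat_secret, site_url)
    group_ids, created = {}, {}
    try:
        for username, role, groups in rows:
            # Resolve every group first: a typo in the entitlement list aborts
            # the run instead of creating a user with missing permissions.
            for g in groups:
                if g not in group_ids:
                    group_ids[g] = lookup_group(send, token, site_id, g)
            uid = create_user(send, token, site_id, username, role)
            for g in groups:
                add_to_group(send, token, site_id, group_ids[g], uid)
            created[username] = uid
    finally:
        send("POST", "/auth/signout", token=token)
    return created


class FakeTableau:
    """Constructed in-memory site answering the calls above (offline demo)."""
    XMLNS = 'xmlns="http://tableau.com/api"'

    def __init__(self, group_names):
        self.groups = {n: f"g{i}" for i, n in enumerate(group_names)}
        self.users, self.members, self.calls = {}, {}, []

    def __call__(self, method, path, body=None, token=None):
        self.calls.append((method, path))
        if path == "/auth/signin":
            return ET.fromstring(f'<tsResponse {self.XMLNS}><credentials token="tok">'
                                 '<site id="s1"/></credentials></tsResponse>')
        assert token == "tok", "call made without a valid auth token"
        if path == "/auth/signout":
            return ET.Element("tsResponse")
        if path.startswith("/sites/s1/groups?filter=name:eq:"):
            name = unquote(path.split("name:eq:", 1)[1])
            hit = f'<group id="{self.groups[name]}"/>' if name in self.groups else ""
            return ET.fromstring(f'<tsResponse {self.XMLNS}><groups>{hit}</groups></tsResponse>')
        if path == "/sites/s1/users":
            name = ET.fromstring(body).find("user").get("name")
            self.users[name] = uid = f"u{len(self.users)}"
            return ET.fromstring(f'<tsResponse {self.XMLNS}><user id="{uid}"/></tsResponse>')
        if path.startswith("/sites/s1/groups/") and path.endswith("/users"):
            gid = path.split("/")[4]
            self.members.setdefault(gid, set()).add(ET.fromstring(body).find("user").get("id"))
            return ET.Element("tsResponse")
        raise ValueError(f"unexpected call: {method} {path}")


SAMPLE_ROWS = [   # constructed entitlement list, not real accounts
    ("amy@example.com", "Viewer", ["Store Managers"]),
    ("raj@example.com", "Explorer", ["Store Managers", "Corporate"]),
]

if __name__ == "__main__":
    print(provision(FakeTableau(["Store Managers", "Corporate"]), "pat", "secret", "", SAMPLE_ROWS))
    # Against a real server (hypothetical URL):
    # provision(functools.partial(http_send, "https://tableau.example.com"), "pat", "secret", "", SAMPLE_ROWS)
```

An existing username makes the create call fail with an HTTP 409; for re-runs, look the user up first (`GET /sites/{site-id}/users?filter=name:eq:...`) and skip creation. Keep the PAT out of the script and the entitlement list under change control, since it is effectively your permission model.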

▼ PRESENTATION OUTLINE 3

  • Row-level security (RLS)
    • Permissions enforce which folders, reports and data sources users can access and to what extent (view, edit, create, delete)
      • “Which reports can a user see or edit?”
      • Always enforced at the BI tool level
    • RLS is a pattern that restricts access to slices of your data (aka entitlements)
      • “What data rows can a user see in a report?”
      • Enforced at the DW or BI tool level
    • The combination of permissions and RLS enforces your company’s data governance policies
    • Example
      • Two people in an organization have permission to view the same report
      • When they view the report, they see different slices of the data
      • Company policy
        • A store manager should only have access to their store
        • A corporate manager should have access to all stores
    • Implementation
      • In an enterprise environment, you have a choice of where to implement RLS
      • Option 1: data warehouses can implement RLS at the model layer. Power BI and Tableau can then be configured to pass the logged-on user info to the DW to enforce RLS
      • Option 2: Power BI and Tableau can implement RLS at the server application layer. They use the logged-on user and enforce RLS using logic at the dataset and workbook level
    • Power BI: passing the logged-on user to the data warehouse
      • Option 1: implement RLS in the DW (Power BI)
        • Works really well with Analysis Services
        • Supports a limited set of other DW/DBs using Kerberos delegation
    • Tableau: passing the logged-on user to the data warehouse
      • Option 1: implement RLS in the DW (Tableau)
        • Initial SQL feature can pass the logged-on user
          • An impersonation command executes for each session/query
          • SQL Server
          • Oracle
        • Also supports a limited set of DW/DBs via Kerberos delegation
        • Specific SAP HANA and SAP BW support as well
        • Not supported on Tableau Online
    • Implementing row-level security in Power BI
      • Option 2: implement RLS in the application (Power BI)
      • Power BI Desktop:
        • Create roles
        • Test roles – view as roles
      • Power BI Service:
        • Assign users and groups to roles
        • Test roles
        • Deliver reports to users that enforce RLS
    • Power BI desktop – create roles
      • Static role – manage RLS with BI groups
      • Dynamic role – manage RLS with a data table
      • All based on the DAX language
        • USERPRINCIPALNAME() returns the signed-in user (e.g. user@company.com); a dynamic role filters the entitlement table on that value, e.g. [UserEmail] = USERPRINCIPALNAME()
    • Power BI desktop – test roles desktop
      • Use view as roles to test a role as a user in desktop
    • Power BI service – test roles online
    • Implementing row-level security in Tableau
      • Option 2: implement RLS in the application (Tableau)
      • Tableau Desktop
        • Create roles
        • Assign users and groups to static filters
        • Test roles
      • Tableau Server/Online
        • Assign users to groups
        • Deliver reports to users that enforce RLS
    • Tableau desktop – create roles, filter
      • Create a static filter and map users and groups
      • Define all mappings
      • Tableau group assigned to a value for the selected field
      • Dynamic filters can use built in functions in a calculated field
        • USERNAME()
        • ISMEMBEROF()
        • USERDOMAIN()
    • Tableau desktop – implement and test filter
      • The RLS filter becomes a set that can be added as a filter on the worksheet
      • Test RLS with the dropdown of groups and users pulled from Tableau Server
      • Cannot test RLS on Tableau Server, only in Desktop (unlike Power BI, where roles can also be tested online against published reports)
    • Summary
      • Enterprises with an existing DW with RLS should assess if the BI tool is compatible
        • Tableau supports a wider variety of DWs
      • Enterprises without a DW or with incompatible DW technologies can enforce RLS at the BI tool level
        • Static filters—maintain groups in the BI tool to enforce
        • Dynamic filters—maintain entitlement data table, leverage BI tool user functions to enforce
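The dynamic-filter option above (an entitlement table plus the BI tool's user functions) is easy to get subtly wrong: an entitlement keyed on an identity that does not match the SSO form exactly yields zero rows, and a rule without a default deny yields all of them. The following added Python evaluator (not from the webinar or from Senturus) models the store-manager policy from the example so you can check an entitlement table before encoding it as a Power BI role or a Tableau calculated field. The identities, stores and the group name `Corporate` are constructed assumptions.

```python
"""Reference evaluator for the dynamic-filter RLS pattern: an entitlement
table keyed on the SSO identity, plus a corporate group that sees every store.
Added example, not Senturus code; identities and stores are constructed."""

CORPORATE_GROUP = "Corporate"     # assumption: name of the all-stores group


def normalize(identity):
    """Entitlement rows must carry exactly the identity the BI tool reports
    (USERPRINCIPALNAME() in Power BI, USERNAME() in Tableau); a stray capital
    letter or whitespace means zero rows for that user."""
    return identity.strip().lower()


def allowed_stores(user, groups, entitlements, all_stores):
    # Equivalent of ISMEMBEROF('Corporate') / a corporate role: bypass the table
    if CORPORATE_GROUP in groups:
        return set(all_stores)
    # Default deny: a user absent from the table sees no rows at all
    return set(entitlements.get(normalize(user), ()))


def apply_rls(rows, user, groups, entitlements):
    """Rows the user may see; the BI tool does this via the role/user filter."""
    all_stores = {r["store"] for r in rows}
    visible = allowed_stores(user, groups, entitlements, all_stores)
    return [r for r in rows if r["store"] in visible]


def lint_entitlements(entitlements, all_stores):
    """Find the mistakes that silently break or widen RLS before deployment."""
    problems = []
    for user, stores in entitlements.items():
        if user != normalize(user):
            problems.append(f"{user}: key not normalized; will never match the SSO identity")
        if not stores:
            problems.append(f"{user}: empty entitlement (user sees nothing; delete the row if intended)")
        for s in stores:
            if s not in all_stores:
                problems.append(f"{user}: unknown store {s!r}")
    return problems


# Constructed sample data
SALES = [
    {"store": "S001", "revenue": 120.0},
    {"store": "S002", "revenue": 95.5},
    {"store": "S003", "revenue": 210.0},
]
ENTITLEMENTS = {
    "amy@example.com": ["S001"],          # store manager, one store
    "raj@example.com": ["S002", "S003"],  # regional manager, two stores
}

if __name__ == "__main__":
    print(apply_rls(SALES, "Amy@Example.com", [], ENTITLEMENTS))           # one store
    print(apply_rls(SALES, "kim@example.com", [CORPORATE_GROUP], ENTITLEMENTS))  # all stores
    print(apply_rls(SALES, "nobody@example.com", [], ENTITLEMENTS))        # nothing
    print(lint_entitlements({"Raj@Example.com": ["S002"]}, {"S001", "S002", "S003"}))
```

Whichever tool enforces the filter, export the entitlement table, run this lint over it, and compare a few users' row counts against what the BI tool shows in its "view as"/"filter as user" preview before publishing.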

▼ PRESENTATION OUTLINE 4

  • Permissions
    • Tableau permissions
      • Typical folder (project) structure where permissions cascade down
      • Nested folders are possible
      • Assign/restrict a user or group at the project, workbook and data source levels
      • Project level view of permissions
      • Workbook level permissions
      • Data source permissions
    • Power BI permissions
      • Power BI calls folders workspaces
      • Nested folders are not possible
      • Use the new/upgraded workspace experience
    • Power BI report permissions
      • Permissions are assigned at the folder level, not the report level (unlike Tableau)
      • You can control some interactions at the report level, but only for all users at once, via report settings
    • Power BI dataset permissions
      • Datasets have a specific set of permissions
      • Inherited from the workspace, overridden at the dataset level
    • Summary
      • Both applications cascade permissions from the project/workspace (folder) down to the reports, dashboards and datasets
      • Power BI has broader user permission settings at the folder level
      • Tableau offers nested folders and deeper fine tuning of user permissions
  • On-premise data access
    • Companies often store data in a data warehouse or databases in an on-premises data center
    • Tableau and Power BI can be hosted online
      • Power BI service is only available as a vendor hosted service
      • Tableau Server running in a cloud (AWS, Azure) or Tableau Online has the same need
    • When deployed like this, a gateway or bridge is needed to securely access on-premises data
    • Tableau Bridge
      • Tableau product that provides access to on-premises data
      • Provides both live and extract data access
      • Can be run as a Windows service (always on)
      • Centralized, web-based administration
      • No clustering support
      • No Kerberos support
    • Power BI Gateway
      • Microsoft product that provides access to on-premises data
      • Provides both DirectQuery and extract data access
      • Can be run as a Windows service (always on)
      • Centralized, web-based administration
      • Clustering support
      • Kerberos support
    • Best practices
      • Place the bridge/gateway near the data sources to reduce latency when possible
      • Same subnet and switch on physical hardware
      • Same virtualized hosts/minimize physical network traffic
      • Minimize WAN hops and ensure appropriate bandwidth
      • Plenty of RAM, multi-core CPUs and fast disks
      • Monitor network and OS for resource bottlenecks
    • Summary
      • Both platforms offer similar products to securely access on-premise data
      • Gateway/Bridge components only run on Windows (64-bit)
      • Power BI takes a clustering approach which should translate to higher availability and redundancy
      • Tableau does not support Kerberos (passing user for RLS) via the Tableau Bridge
  • Audit logs
    • Power BI audit logs
      • Uses the Office 365 security and compliance portal
      • Combined with Exchange, SharePoint and office data
      • Search and download audit log activity
      • Send alerts based on activity log events
    • Tableau audit logs
      • Reports are found under the Site Status tab
      • Data stored in the Tableau Server repository database drives these reports and dashboards
      • Use dashboard alert feature to build custom notifications on user activity
      • Filter and/or download underlying data
    • Summary
      • Both platforms offer similar audit capabilities
      • Both platforms offer alerts based on user activity
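As an added example of the activity-based alerting both platforms offer (this is not code from the webinar or from Senturus): a Python detection pass over Power BI records exported from the Office 365 unified audit log, flagging publish-to-web, sharing to a recipient outside the tenant's mail domains, and bursts of report exports by one user. The records are constructed; the field names (RecordType 20 for Power BI, Operation, UserId, ItemName, WorkSpaceName, SharingInformation/RecipientEmail) are assumed to match the unified audit log export and should be checked against your own download; `TENANT_DOMAINS` and the thresholds are assumptions to tune.

```python
"""Detection pass over Power BI activity exported from the Office 365 unified
audit log (one JSON object per line). Added example, not Senturus code.
Field names are assumed to follow the unified audit log export
(RecordType 20 = Power BI); verify against your own export. SAMPLE_LOG is
constructed data."""
import json
from datetime import datetime, timedelta

TENANT_DOMAINS = {"example.com"}               # assumption: your verified domains
SHARE_OPS = {"ShareReport", "ShareDashboard"}
EXPORT_OPS = {"ExportReport"}


def parse_records(ndjson_text):
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def external_recipients(record):
    """Recipients of a share whose mail domain is not one of ours."""
    for share in record.get("SharingInformation", []):
        email = share.get("RecipientEmail", "")
        domain = email.rpartition("@")[2].lower()
        if domain and domain not in TENANT_DOMAINS:
            yield email


def detect(records, export_threshold=5, window=timedelta(hours=1)):
    """Return findings: publish-to-web, external shares, bursts of exports."""
    findings, exports = [], {}
    for r in records:
        if r.get("RecordType") != 20:          # skip Exchange/SharePoint/etc. records
            continue
        op, user = r.get("Operation"), r.get("UserId", "").lower()
        if op == "PublishToWebReport":         # report reachable without sign-in
            findings.append({"rule": "publish_to_web", "user": user, "item": r.get("ItemName")})
        elif op in SHARE_OPS:
            for email in external_recipients(r):
                findings.append({"rule": "external_share", "user": user,
                                 "item": r.get("ItemName"), "recipient": email})
        elif op in EXPORT_OPS:
            exports.setdefault(user, []).append(datetime.fromisoformat(r["CreationTime"]))
    # Sliding window over each user's export timestamps
    for user, times in exports.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= export_threshold:
                findings.append({"rule": "bulk_export", "user": user,
                                 "count": end - start + 1,
                                 "since": times[start].isoformat()})
                break
    return findings


def _rec(time, user, op, item, **extra):   # helper to build constructed records
    return {"CreationTime": time, "RecordType": 20, "Workload": "PowerBI",
            "UserId": user, "Operation": op, "ItemName": item,
            "WorkSpaceName": "Finance", **extra}


SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    *[_rec(f"2019-10-24T14:{m:02d}:00", "amy@example.com", "ExportReport", "Store P&L")
      for m in (0, 5, 10, 15, 20, 25)],
    _rec("2019-10-24T14:03:00", "amy@example.com", "ViewReport", "Store P&L"),
    _rec("2019-10-24T15:00:00", "raj@example.com", "ShareReport", "Store P&L",
         SharingInformation=[{"RecipientEmail": "partner@contoso-external.org",
                              "ResharePermission": False}]),
    _rec("2019-10-24T15:02:00", "raj@example.com", "ShareReport", "Store P&L",
         SharingInformation=[{"RecipientEmail": "kim@example.com", "ResharePermission": False}]),
    _rec("2019-10-24T16:10:00", "kim@example.com", "PublishToWebReport", "Store P&L"),
    {"CreationTime": "2019-10-24T16:11:00", "RecordType": 1, "Workload": "Exchange",
     "UserId": "kim@example.com", "Operation": "MailItemsAccessed"},
])

if __name__ == "__main__":
    for finding in detect(parse_records(SAMPLE_LOG)):
        print(finding)
```

Run it over a download from the security and compliance portal's audit log search (filtered to Power BI activities) or over the output of the `Search-UnifiedAuditLog` cmdlet, and feed the findings into whatever alerting pipeline the rest of your Office 365 monitoring already uses.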