This post is a continuation from my previous post on Row-level Security (RLS). Despite the abundant amount of blogs and articles on RLS, Column-Level Security seems to be less popular and rarely mentioned. In this article, I will provide step-by-step instruction on how to implement Column-Level Security in Tableau

Required Knowledge: Basic knowledge of Tableau Server and Tableau
Difficulty: Easy

Row-Level Security vs Column-Level Security

Row-Level Security restricts data access at the row level, whereas Column-Level Security restricts access at the column level. For example, only salesmen in New York city can see sales of this city is an example of RLS because New York is a value (row) in the City Dimension. On the other hand, only members of the Marketing Team can see discount value. This would be an example of Column-Level Security as Discount is a measure (column).

How to implement Column-Level Security

There are 4 steps to implement CLS:

  1. Decide who gets to see which measure
  2. Create a Calculated Field using User Function
  3. Use the Calculated Field in the Dashboard
  4. (Optional) Filtering & Formatting

Step 1: Decide who gets to see which measure

Similar to RLS, first we need to decide who gets to see which measure. In this exercise, I will use the sample superstore sales dataset. Only the Marketing – Analyst Team and the Management Team can see both Discount value and sales value, whereas the sales teams can only see the sales figure. For this exercise, I created 3 extra user groups on Tableau Server, MKT – Analyst, Management, and Sales – All.

Step 2: Create a Calculated Field using User Function for measures

Next, we need to create a calculated field for Discount and call it “Discount CLS” to restrict access to members of MKT – Analyst and Management only.

IF ISMEMBEROF(“MKT – Analyst”) OR ISMEMBEROF(“Management”) THEN [Discount]
You can create a calculated field for Sales measure as well if you also want to restrict the access for this measure too.

Step 3: Use the Calculated Field in the view

The third step is to use this calculated field “Discount CLS” to create something. I created the following view.

Using impersonation, I can see that the calculation works because I cannot see Discount when I impersonate as someone in the Sales Team

Step 4: (Optional) Filtering & Formatting

What if you don’t even want the Sales Team to see the column heading Discount? The trick is to filter out the sub-categories where the SUM(Discount CLS) is null. However, you will need to create 2 separate worksheets, one for sales and one for discount, otherwise, you would filter out everything.

Now, we will have a blank worksheet for discount if the users are not in MKT – Analyst or Management.

The last step is to put both on a dashboard, in a horizontal container. Make sure that ‘Fixed Width’ Option is unticked for both worksheet. This will allow the Sales worksheet to expand when the Discount worksheet is empty and contract when there are values in the discount worksheet. The result looks like this: (left: view for Management, right: view for Sales)

If you decide to hide the header for Discount worksheet, make sure to turn off sort control.

If you’re a perfectionist like me, you can also create a calculation for the dashboard title to make it dynamic (Show “Sales” for Sales team and show “Sales & Discount” for Management & Marketing Analyst).

IF ISMEMBEROF(“Marketing – Analyst”) OR ISMEMBEROF(“Management”) THEN “Sales & Discount”

Final Remarks

If you read my previous post on Row-Level Security, you will notice that this method of implementing CLS doesn’t filter at the data source level. Essential, the columns are still there in the underlying data, we just hide it from views on the dashboard. This means that if the users have access to the data source, they will be able to see the measures we hid from the views.



The Data School
Author: The Data School