Show Table of Contents
When you publish a workbook to Tableau Online or Tableau Server, you can publish the data it connects to as an integrated part of the workbook (embedded into the workbook), or as separate, standalone data sources. In addition, if the data you’re publishing requires anyone who wants to view it to enter a user name and password, you specify how others get access to the data when they open the workbook.
The latter is true also when you publish a data source on its own.
This type of authentication to your data is independent of how people sign in to your Tableau Online or Tableau Server site. For example, to give people direct access to the data in a workbook, you would embed a designated database user’s credentials into the data source’s connection. But anyone viewing the workbook would still need to be able to sign in to the site on Tableau Online or Tableau Server to open your workbook.
This topic describes how to set authentication on data connections as part of the publishing process.
Set the authentication type (most connection types)
Note: This topic does not apply to connections to that do not require authentication, such as text files or Excel files. However, you can set authentication when you publish extracts of those data types.
For many types of connection you can embed a database user’s name and password, or set a type of impersonation. Specific exceptions are described in the later sections in this topic.
The following steps describe how to set authentication as part of publishing a data source or workbook. You can do this for each connection in the data source.
In the Publish Workbook dialog box, go to the Data Sources area, which lists the workbook’s connections, and select Edit.
In the Manage Data Sources popup, after you decide whether to publish the data source separately or as part of the workbook, select an authentication type for each connection in the data source.
The available authentication types depend on the connection type, and they can include one or more of the following:
Prompt user: Users must enter their own database credentials to access the published data.
Embedded password: The credentials you used to connect to the data will be saved with the connection and used by everyone who accesses the data source or workbook you publish.
Server run as account: Tableau Server only. The server’s Run As User account will authenticate all users.
Viewer credentials or Publisher credentials: Tableau Server only. In a Kerberos, SAP HANA, or Impala environment, the user’s domain user name and password are used. These are explained in more detail in the sections below this list.
Impersonate via embedded account or Impersonate via server Run As account: (Available only when publishing SQL Server data to Tableau Server.) You can embed credentials through which SQL Server creates the connection and then impersonates the signed-in Tableau Server user. To create the connection you can specify the server’s Run As account or a different database user that has the appropriate permissions for impersonation.
For more information, see the topics under SQL Server Impersonation in the Tableau Server Help.
Refresh not enabled or Allow refresh access: These options appear when you publish an extract of cloud data such as from Salesforce, and database credentials are needed to access the underlying data. Allow refresh access embeds the credentials in the connection, so that you can set up refreshes of that extract on a regular schedule. Setting Refresh not enabled prompts users when they open the workbook.
Important: How you want to keep extracted data fresh is also a factor. If you want to set up an automatic refresh schedule, you must embed the password in the connection. In addition, if you’re publishing a cloud data connection to Tableau Online, the publishing steps will alert you if you need to add Tableau Online to the data provider’s authorized list.
(Tableau Server only.) Select Viewer credentials to use the user’s domain user name and password to access a Kerberos-enabled Teradata, PostgreSQL, Microsoft SQL Server, or Microsoft Analysis Services data source.
(Tableau Server only.) Select Viewer Credentials to authenticate users who access the data source in these environments:
You use single sign-on to SAP HANA and Tableau Server is configured for SAP HANA SSO.
You use Impala with Cloudera Hadoop, and Tableau Server is configured for single sign-on.
Some connections (for example, Salesforce, OneDrive, and Google) use a type of authentication in which the data provider sends a secure access token (using OAuth 2.0), so that the credentials themselves are not stored with Tableau. You need to create and embed these credentials after publishing, from the Data Connections page on the server.
If you publish to Tableau Server, see Edit Connections in the Tableau Server Help.
If you publish to Tableau Online and the workbook connects to Salesforce, Google Analytics, Google Sheets, Google BigQuery, OneDrive, Dropbox, and QuickBooks Online data, see Refresh Data Using Saved Credentials in the Tableau Online Help.
For Dropbox and OneDrive, when you publish a data source or workbook and select Embedded password, Tableau creates a saved credential and embeds it in the data source or workbook.
When you publish a workbook that connects to a Tableau Online or Tableau Server data source, rather than setting the credentials to access the underlying data, you set whether the workbook can access the published data source it connects to. Regardless of the original data type, the choice for server data sources is always Embedded password or Prompt users.
If you select to prompt users, a user who opens the workbook must have View and Connect permissions on the data source to see the data. If you select embed password, users can see the information in the workbook even if they don’t have View or Connect permissions.
Comprehensive Steps for Publishing a Workbook