Manage Dashboard Extensions in Tableau Server
Dashboard extensions are web applications that run in custom dashboard zones and can interact with the rest of the dashboard using the Tableau Extensions API. Dashboard extensions give users the ability to interact with data from other applications directly in Tableau.
Note: You must be a server administrator to enable dashboard extensions on the server, or to block specific extensions from running. You must be a server administrator to add extensions to the safe list and to control the type of data the extensions can access. The server administrator can also configure whether users on the site will see prompts when they add or view extensions in a dashboard. For information about extension security and recommended deployment options, see Extension Security - Best Practices for Deployment
For information about using dashboard extensions in Tableau, see Use Dashboard Extensions.
Dashboard extensions are web applications and could be running on any computer set up as a web server. This includes local computers, computers in your domain, and third-party web sites. Because extensions could be hosted on third-party sites and could have access to the data in the dashboard, you want to only allow the extensions you trust. See Test extensions for security.
For security, you can use the settings for dashboard extensions on Tableau Server to control and limit the dashboard extensions that are allowed to run.
Be default, no extensions are allowed unless they have been explicitly added to the safe list.
You can change the Default behavior for Extensions to also allow extensions that haven't been added to the safe list. If you change the default to allow unknown or unspecified extensions to run, those extensions are also allowed, provided that they do not require full data (access to underlying data) from the view. If a user adds one of these unknown extensions to a dashboard, the user first sees a prompt where they can choose to allow or deny the extension permission to run.
By default, only extensions that use the HTTPS protocol are allowed, which guarantees an encrypted channel for sending and receiving data (the only exception is for
If the extension requires full data (access to the underlying data) the extension will not be able to run on Tableau Server unless you explicitly add the extension to the safe list and grant the extension access to full data.
Server administrators can control a global setting to allow extensions for all sites on the server. Server administrators can also put extensions on a global block list to prevent them from running (see Block specific extensions). By default, extensions are enabled on the server (with the constraints previously described). You can change the settings that enable and control dashboard extensions.
Change the global setting enabling extensions on the server
To change this setting for the server, go to Manage All Sites > Settings > Extensions. If the server just has a single site, the global controls appear on the settings page for the site.
Under Dashboard Extensions, select or clear the Enable users to run extensions on this server checkbox. If not selected, extensions are not allowed to run. This setting overrides the settings for each site.
Change the default settings for a site
Server administrators can control whether to enable extensions for the site and whether to enable the default behavior (or policy) for extensions. That is, if enabled, the default behavior is that extensions that are not already on the safe list are allowed, provided that they do not request full data. And users will see prompts asking for permission to run those extensions.
To change these settings for the site, go to Settings > Extensions.
Under Dashboard Extensions, select Enable users to run extensions on this site.
Under Default behavior for Extensions, select Enable unknown extensions to run, always displaying user prompts and without full data access.
Server administrators can add or remove extensions from the safe list for a site. When you add an extension to the safe list, you can control whether to allow the extension to have access to full data. See Add extensions to the safe list and configure user prompts.
As a web application, an extension is associated with a URL. You use this URL to test and verify the extension. You also use the URL to add the extension to the safe list to allow full data access, or to the block list to prohibit any access.
If you have the extension manifest file (
.trex), an XML file that defines properties for the extension, you can find the URL from the
<source-location> <url>https://www.example.com/myExtension.html</url> </source-location>
If you have added the extension to the dashboard, you can find the URL from the extension properties. From the More Options menu, click About.
The About dialog box lists the name of the extension, the author of the extension, the web site of the author, along with the URL of the extension.
To ensure that users can use extensions that are trusted, you can add them to the safe list for the site.
On the safe list, you can control whether to grant the extension full data access. You can also control whether users will see a prompt asking them to allow the extension access to data. If the extension does not require full data access, you don’t need to add it to the safe list. However, you might want to add an extension to the safe list so that you can configure whether or not users see the prompts. When you hide the prompt from users, the extension can run immediately.
Go to Settings > Extensions.
Under Enable Specific Extensions, add the URL of the extension. See Identifying an extension.
Choose to Allow or Deny the extension Full Data Access.
Full data access is access to the underlying data in the view, not just the summary or aggregated data. Full data access also includes information about the data sources, such as the names of the connection, fields, and tables. In most cases, if you are adding an extension to the safe list so that it can run, you will also want to allow the extension to have access to full data, if the extension requires it. Before adding extensions to the safe list, be sure to Test extensions for security.
Choose to Show or Hide the User Prompts.
Users see the prompts by default when they are adding an extension to a dashboard, or when they are interacting with a view that has an extension. The prompt tells users details about the extension and whether the extension has access to full data. The prompt gives users the ability to allow or deny the extension from running. You can hide this prompt from users, allowing the extension to run immediately.
The default global policy allows unknown extensions to run, provided that they only access summary data. Server administrators can keep specific extensions from running by adding them to the block list for the server. If an extension is on the global block list it overrides any settings for the extension on the safe list for a site.
To add an extension to the blocked list for the server, go to Manage All Sites > Settings > Extensions. On single-site installations, the block list is on the site Extensions settings page.
Under Block Specific Extensions, add the URL of the extension. See Identifying an extension.
Examine the source files
*.trex), you can find the source location, or URL indicated where the extension is hosted, the name of the author, and the web site of the author or company to contact for support. The
<source-location> element specifies in the URL, the
<author> element, specifies the name of the organization and the web site to contact for support (
website="SUPPORT_URL"). The web site is the Get Support link user see in the About dialog box for the extension.
All extensions are required to use HTTPS protocol (
https://) for hosting their extensions. You should examine the source files for the extension to ensure that any reference to external libraries is also using HTTPS or is hosted on the same web site as the extension. The one exception to the requirement of HTTPS is if the extension is hosted on the same computer as Tableau (
To the extent possible, make sure you understand what the code is doing. In particular, try to understand how the code is constructing requests to external sites, and what information is being sent in the request. In particular, check if any user-supplied data is validated to prevent cross-site scripting.
The Tableau Extensions API provides methods that can access the names of the active tables and fields in the data source, the summary descriptions of the data source connections, and the underlying data in a dashboard. If an extension uses any of these methods in a view, the extension developer must declare that the extension requires full data permission in the manifest file (
.trex). The declaration looks like the following.
<permissions> <permission>full data</permission> </permissions>
Tableau uses this declaration to provide a prompt to users at run time that gives them the option of allowing this access or not. If the extension uses any one of these four methods, without declaring full-data permission in the manifest file, the extension will load but the method calls will fail.
getDataSourcesAsync() method is called.
Test the extension in an isolated environment
If possible, test the dashboard extension in an environment that is isolated from your production environment and from user computers. For example, add a dashboard extensions to a safe list on a test computer or virtual machine that's running a version of Tableau Server that is not used for production.
Monitor traffic created by the dashboard extension
When you test a dashboard extension, use a tool like Fiddler, Charles HTTP proxy, or Wireshark to examine the requests and responses that the extension makes. Make sure that you understand what content the extension is requesting. Examine the traffic to be sure that the extension is not reading data or code that is not directly related to the purpose of the extension.