Cyral
Get Started Sign In
  1. Cyral
  2. Solution home
  3. Access Management
  4. Access Management

Using Tableau to access a Cyral-protected Snowflake database

Modified on: Mon, 30 Aug, 2021 at 12:49 PM

Your database clients continue to work once Cyral protection is added to your databases. Below, we show how to use Tableau to connect to a Cyral-protected Snowflake database.

In this document, we focus on the standard Tableau Online interface, but the same steps apply to other Tableau versions as well.

Limitations

  • When accessing data through Tableau Prep, Cyral does not log the endUser.

  • Tableau Flows are not supported. Please use a Tableau Worksheet or Workbook to connect to your data.


Create a connection in Tableau with native authentication

  1. To create a new connection to a server in Tableau, you need a connector to store the database connection details. In the Connect to Data window, click on the Connectors tab, then specify that you want to connect to a Snowflake server.

  2. Provide the connection details: 

    1. for server name, provide the Cyral sidecar address;

    2. if desired, add an optional role to use when connecting; and

    3. for authentication method, choose Username and Password, and provide the Snowflake username and password.

  3. Click the Initial SQL tab and add the following query:

SET TABLEAUENDUSER = [TableauServerUser]

  1. Click Sign In.


Create a connection in Tableau with Single Sign-On (SSO) authentication

Currently, the Cyral product supports using SSO with Snowflake and Tableau through OAuth. For that, an OAuth integration must be created in the Snowflake account. This page contains detailed information for this step. If you’re using Tableau Online, the following command statement will create an integration called ts_oauth_int1.

create security integration ts_oauth_int1

  type = oauth

  enabled = true

  oauth_client = tableau_server;


After this statement is executed in Snowflake, you can proceed to add a new connection in Tableau using OAuth. 

  1. Create or open the workbook where you'll add the database connection details.

  2. Select Connect to Data. (If you're creating a new workbook, you'll see the Connect to Data screen automatically. If you're adding a data source in an existing workbook, click New Data Source in the workbook screen.) 

  3. In the Connect to Data screen, specify that you want to connect to a Snowflake server.

  4. Provide the connection details: 

    1. for server name, provide the Cyral sidecar address;

    2. if desired, add an optional role to use when connecting; and

    3. for authentication method, choose Sign in using OAuth. When you do this, a new browser window will pop up where you can enter SSO credentials.

  5. Click the Initial SQL tab and add the following query:

SET TABLEAUENDUSER = [TableauServerUser]

  1. Click Sign In.

Run queries

Once you have successfully connected to a Snowflake server, you can start running queries. For that, you can use the Custom SQL tool. you can type the desired query in it, and then click on Update Now to see the results.

Log query activity 

The Cyral activity log shows the user's Tableau identity as the endUser, and it shows their database user identity as the repoUser, and their database role as dbRole. Here's a sample segment of the Cyral activity log showing the identity information about a person who has connected to a Cyral-protected Snowflake repository using Tableau:

"identity": {

        "endUser": "nancy.drew@hhiu.us",

        "repoUser": "gsamsa",

        "dbRole": "accountadmin"

        }


Note: When using Tableau Prep, Cyral logs to not capture the endUser name.



Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.

Still have questions?

Submit a ticket