Denodo - Connecting to Denodo from Tableau

From Tableau Desktop

Tableau uses a built-in connector to connect to Denodo views. After launching Tableau Desktop, complete the steps below to configure your connection depending on your use case. See the From Tableau Server section below if you plan to publish workbooks to Tableau Server.

Connecting to Denodo with your UMICH (Level-1) account 1, 2:

  1. From the To a Server list, click Denodo
  2. Complete the Denodo configuration screen: 
  • Server: denodo.it.umich.edu
  • Port: 9996
  • Database: gateway
  • Authentication: Integrated Authentication
  • Require SSL: Box checked
  1. Click Sign In.

Connecting to Denodo with a non-person service account:

  1. From the To a Server list, click Denodo
  2. Complete the Denodo configuration screen: 
  • Server: denodo.it.umich.edu
  • Port: 9996
  • Database: gateway_ldap
  • Authentication: Username and Password
  • Username: <username>
  • Password: <password>
  • Require SSL: Box checked
  1. Click Sign In.

1Kerberos must be installed and connected to ADSROOT on the workstation running Tableau Desktop.

2Considerations for Michigan Medicine Users: Use of Integrated Authentication may require launching Tableau Desktop using "Run as" with UMICH (Level-1) credentials. Also note that in the event this does not work from a Health Information Technology & Services (HITS) core-image system, the simplest workaround is to configure the Tableau connection to Denodo using Username and Password authentication with a non-person account as outlined above in Connecting to Denodo with a non-person account.

From Tableau Server

Connection using non-person service account (most common)

In this scenario, the Denodo connection in a Tableau workbook published to Tableau Server is configured with a non-person service account using Username and Password authentication as outlined above in Connecting to Denodo with a non-person service account. The two main use cases for this authentication model are:

  • Your workbook sources from a Tableau extract that is refreshed from Tableau Server.
  • You wish to use a live connection to Denodo but it’s not practical or feasible to grant your workbook users access to the underlying Denodo views. Instead, you control data access via the workbook permissions.

Connection using Kerberos constrained delegation

This model is used when the workbook uses a live connection to Denodo and needs to issue queries as the logged-in Tableau user. This is a common scenario when the Denodo views apply row-level security and must constrain the result set to only those rows permitted to the logged-in Tableau user. The TDX data set is one such example.

The campus Tableau server is configured with Kerberos Constrained Delegation that can “pass through” credentials to Denodo. When a Tableau server workbook uses a live connection to Denodo and the Tableau data source is configured appropriately, Tableau server will issue the query to Denodo as the logged-in Tableau user.

To enable this functionality, configure the Tableau’s workbook’s data source as shown above in Connecting to Denodo with your UMICH (Level-1) account and publish to Tableau Server using viewer permissions as follows:


 

Note:

  • Unlike connecting with a non-person service account, each workbook user required Read permissions to the underlying Denodo views
  • Michigan Medicine’s Tableau server is not configured with Kerberos Constrained Delegation
Tags: 
Denodo
Last Updated: 
Thursday, June 30, 2022