Update 03/31/2014: Tableau has released a Salesforce canvas solution, which consists of excellent documentation and example workbooks. Check out their blog post:
http://www.tableausoftware.com/about/blog/2014/3/now-available-salesforce-canvas-documentation-embedding-tableau-29499
Or download the zip file here
original post:
I wrote this up recently and I didn't want anyone else to have to slog through it... so enjoy!
Primer on Integration of the Tableau
Platform with Salesforce
This document is broken out by “task”. Refer to each type of desired
solution on the remaining pages.
Tasks:
- Get access to and analyze Salesforce data with
offline/on-premise hardware using Tableau Desktop or Tableau Server.
- Get access to and analyze Salesforce data
online/in the cloud using Tableau Desktop or Tableau Server.
- Provide row-level security for Salesforce data
when using Tableau Desktop or Tableau Server (example: sales reps seeing only
their relevant information)
- Provide URL links from a Tableau dashboard to
relevant Salesforce information.
- Embed a Tableau dashboard into the Salesforce
web interface. (example: when looking at an account in Salesforce, there is a
Tableau dashboard embedded into the account view showing details for that
account)
- Integrate Salesforce authentication with Tableau
Server authentication when all users are behind a firewall using Active
Directory. Desired behavior is that end users only have to log into a web
application once.
- Integrate Salesforce authentication with Tableau
Server authentication when users are outside a firewall and not using Active
Directory. Desired behavior is that end users only have to log into a web
application once.
- Encryption technologies. Ensure that Tableau
Server is running with SSL enabled.
1 – Get
access to and analyze Salesforce data with offline/on-premise hardware using
Tableau Desktop or Tableau Server.
In this initial example, we want
to pull Salesforce data out of the cloud and into an on-premise data warehouse.
This can be achieved using a third party tool such as www.dbamp.com:
Pros
|
Cons
|
Provides an easy, automated method of aggregating
Salesforce data offline for analytics
|
Requires on-premise hardware and local installation of
SQL Server.
|
Allows integration with other local systems inside the
corporate network
|
Requires configuration and setup and ongoing DB
maintenance.
|
All standard and custom Salesforce objects are supported.
|
|
There are other ODBC tools out
there as well. The same basic concept applies: using a third part ETL process,
you can pull Salesforce objects and data out of Salesforce and into a data
warehouse of your choosing. At this point, the data is available to all users
inside of a corporate network. Tableau Desktop and Tableau Server connect to
this data just like any other supported data source.
2 - Get access to and analyze Salesforce data online/in the cloud using
Tableau Desktop or Tableau Server.
In this example, we want to pull
Salesforce data out of the Salesforce cloud and put it into Tableau Server
directly. For this connection type, we recommend Tableau’s Salesforce
connector:
In this mode, Tableau will use
the Salesforce API and perform a query and retrieval of data from Salesforce. Tableau
Desktop will automatically extract the data using our fast in-memory data
engine:
This type of connection will work
anywhere, anytime. As long as Tableau Desktop and Tableau Server have access to
Salesforce, you can use the built-in live connector to retrieve Salesforce
information.
Once extracted, you can perform
incremental updates against the Salesforce object. This is a very efficient way
of maintaining the latest most up-to-date information inside of Tableau Desktop
or Tableau Server:
Furthermore, you can schedule
this extraction using Tableau Server. You will need to embed credentials at the
time you publish the Tableau data connection:
Tableau Server will then
automatically perform incremental refreshes of this data connection:
At this point you have a
continuous and full data analytics experience for Salesforce data; the data
originates in Salesforce and ends up inside of the Tableau Server “Data Server”
and is now available for any new connections, whether in the browser or Tableau
Desktop:
3 - Provide row-level security for Salesforce data when using Tableau
Desktop or Tableau Server. Example: sales reps seeing only their relevant information.
Regardless of the authentication
solution (see later sections), once your users are connected to the Salesforce
data, you may want or require them to see only their data. In the previous
section (2) we connected to Salesforce using Tableau’s native connector. This
connection used the current user at the time of the connection. Tableau does
not currently support a truly “live” connection to Salesforce data because it
would be quite slow and would also utilize the Salesforce API quota extensively
and expensively. Plus, the native Salesforce web user interface already serves
this purpose.
In lieu of a live connection
which would handle per-user security just as if you were logging into
Salesforce directly, Tableau supports row-level security models by identifying
the currently logged-in Tableau Server or Tableau Desktop user and then
comparing this information against actual data. Remember that in section 1 and
2 we already received this data or information. All we need to do now is
compare Tableau users to this information. An example Tableau Server user ID
such as “Adam King”…
…would be matched up against the
accounts that Adam King owns by creating a Tableau calculated field like so:
In the calculation shown above,
the function FULLNAME() returns the full name of the Tableau Server user ID, and
[Owner name] is a Salesforce field on the accounts object.
You can then add this filter to
your views and dashboards. Each user will only see their data at this point.
Further, you can add this filter to the data source directly – it will never be
exposed and will always enforce row-level security across your organization:
This type of configuration can be
for convenience to simply reduce the “data noise” associated with large sales
or services teams – the default for individuals would be to see only their
data, but still browse other people’s data. Or, this configuration can be truly
locked down and secure – the default for individuals is that they would only
see their data with no exceptions. The Tableau platform supports either of
these modes.
4 - Provide URL links from a Tableau dashboard to relevant Salesforce
information.
A common requirement for Tableau
users is to link out from a Tableau dashboard back to the Salesforce web user
interface. This is easily achieved using Tableau “Actions”. The action would
key off of the Salesforce object ID. The destination URL is the standard
Salesforce URL https://na4.salesforce.com/
In Tableau Desktop, you can
design a URL action on any sheet or dashboard. For example, to create an action
which links out to the Salesforce “Lead” object, your action would look like
this:
Once created, this action would
look like the following on a Tableau dashboard:
5 - Embed a Tableau dashboard into the Salesforce web interface. Example:
when looking at an account in Salesforce, there is a Tableau dashboard embedded
into the account view showing details for that account.
In contrast to the previous
example, Tableau customers also want to embed a Tableau dashboard directly into
their Salesforce portal. This is also achieved through the use of URL
manipulation. The URL control is in the opposite
direction from the previous example: Salesforce is controlling a Tableau
dashboard.
Two design choices are required
for this to work. These include: A) Both Salesforce and Tableau Server need to
be accessible to the end users on a network and transport level, and B)
Authentication choices need to be made (see next two sections).
Assuming both A and B are
satisfied, setting up an embedded Tableau visual inside of Salesforce has two
main steps. The first is creating a Salesforce APEX frame – this is usually
done by a Salesforce administrator. The frame code looks like the following:
<apex:page standardController="Account"><apex:iframe src="http://tableauserver/views/SFDC_viz/dashboard?:embed=yes&:tabs=no&AccountID={!Account.Id}" height="340px" width="910px" scrolling="false"/></apex:page>
The Salesforce administrator will
take the following basic steps to create and use this code:
Create
a visualforce page with an iframe to display the viz.
The
standardController is the name of the object that is related to the ID you will
be passing.
The
{!Account.Id} merge field will not work unless the standardController is set
properly on the page.
The reason this works is that all
published Tableau Server visualizations can “receive” filters on the URL
directly. In the above example, we want to provide an account overview using a
Tableau Visual. We create this dashboard in Tableau Desktop, and Publish to
Tableau Server. This dashboard contains the field “AccountID” somewhere on the
level of detail for the visual. The APEX code invokes the URL and hands in the
current Account ID at run time. This is notated with Salesforce syntax: {!Account.Id}
This is very straight-forward to
configure. You can of
course design your embedded dashboards to look however you want them to.
6 - Integrate Salesforce authentication with Tableau Server
authentication when all users are behind a firewall using Active Directory. Desired
behavior is that end users only have to log into a web application once.
This section assumes you also have
section 5 in mind: the ability to embed Tableau visuals directly in Salesforce.
In section 6 and 7, we introduce the two main methods of authentication most
commonly seen by our customers. Both of these methods have as their main
desired behavior the following statement:
“End users should not
have to log in twice, once to the Salesforce system and a second time to
Tableau Server.”
When all users will be accessing
Salesforce from behind a corporate network and firewall, this is fairly
straightforward. Tableau Server should be installed/deployed using “Active
Directory” mode.
End users will still need to log
into Salesforce, but any embedded Tableau visuals or dashboards will pick up the
current identity of the user using the web browsers’ existing credentials. This
is a built-in feature of Tableau Server and achieved with a Microsoft security
mechanism known as “SSPI“)
In section 3 we discussed
row-level security requirements. These would still apply and some considerations
of the data model need to be taken into account:
a) If
we have end users logging into Salesforce with their email address, we will
need some type of data-driven mapping which associates their email address with
their Active Directory Account.
b) Alternatively,
we can retrieve the end users’ “Full Name” which will often match across
multiple systems. The “Full Name” can be retrieved in a Tableau calculated
field with the FULLNAME() function.
c) Lastly,
the Salesforce user ID itself makes an excellent join candidate when creating
robust data-driven security solutions, as this alphanumeric string never
changes over time.
7 - Integrate Salesforce authentication with Tableau Server
authentication when users are outside a firewall and not using Active
Directory. Desired behavior is that end users only have to log into a web
application once.
If active directory is not an option due to network and
remote office considerations, and a single sign-on experience is still a
requirement, then the remaining alternative for Tableau Server is to enable
“Trusted Tickets Authentication”. This is discussed in the online
documentation here.
Tableau’s “trusted tickets” authentication works by
having Tableau Server 100% trust an existing external web application – in this
case Salesforce – this is achieved on an IP address basis.
Because Salesforce cannot present itself to an external
application by IP address, in order to integrate the authentication, Tableau
customers stand up a machine which acts as a proxy between Tableau Server and
Salesforce.
Tableau Server only has to trust this one single proxy
machine. This machine in turn simply acts as a wrapper for the Salesforce apex
frame.
8 – Encryption and SSL.
Because Salesforce has SSL enabled by default, you will
want to enable SSL support for Tableau Server. Otherwise, your end users may
get a warning in their browser about mixed networks – undesirable from an IT
point of view. To enable SSL support, review the
online help here.
Good luck and happing
integrating!!
