
Using email rather than username for identity attribution in Tableau


Tableau users who rely on Cyral for identity provider-based user identity attribution may, depending on their identity provider (IdP) configuration, see the wrong user attribute logged in Cyral as the user's SSO username. 

If your organization uses the IdP user's email (rather than the IdP username) as the SSO username (and if usernames are not the same as users’ email addresses), then you will need to make the following changes in Tableau and Cyral to ensure that SSO users' email will be logged and used for policy enforcement:

  1. In your Tableau console, in each data source that connects to a repository watched by Cyral, edit the connection's Initial SQL value so that it uses cyral.email instead of cyral.enduser. See the Cyral documentation page for Tableau ( https://cyral.com/docs/bi-tools/tableau ) for details.

For example, for Redshift the Initial SQL would be:

SELECT 'cyral.email', [TableauServerUser]


  2. Using the Cyral API, configure the Cyral connection driver for Tableau to process email identities by setting the useEmailCarrier attribute to true, as shown in this example:


curl -s -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  https://example.cyral.com:8000/v1/integrations/confExtensions/instances/26MQxdoeiXl6NmQrfC17Xa32109 \
  -d '{ "category": "builtin", "name": "testTableauDenodo", "parameters": "{\"applicationName\": \"testTableauDenodo\", \"useEmailCarrier\":true}", "purpose": "connectionDriver", "templateType": "tableau" }'
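The request body in step 2 carries parameters as a JSON document serialized inside a JSON string, which is easy to break when escaping by hand. The Python below is an added example, not Cyral's code: it builds that body from the fields shown on this page and checks a body before it is sent. The function names build_body and check_body are hypothetical, and treating only the boolean true as valid is an assumption taken from the page's example.

```python
import json

def build_body(application_name, use_email_carrier=True):
    # Field names and fixed values are copied from the curl example on this page.
    inner = {"applicationName": application_name,
             "useEmailCarrier": use_email_carrier}
    return json.dumps({
        "category": "builtin",
        "name": application_name,
        # "parameters" is a JSON document serialized into a string value.
        "parameters": json.dumps(inner),
        "purpose": "connectionDriver",
        "templateType": "tableau",
    })

def check_body(body):
    """Return a list of problems; an empty list means the body matches the page's shape."""
    try:
        outer = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(outer, dict):
        return ["body is not a JSON object"]
    params = outer.get("parameters")
    if not isinstance(params, str):
        return ["parameters is not a JSON-encoded string"]
    try:
        inner = json.loads(params)
    except json.JSONDecodeError as exc:
        return [f"parameters does not decode as JSON: {exc.msg}"]
    if not isinstance(inner, dict):
        return ["parameters does not decode to a JSON object"]
    problems = []
    if outer.get("templateType") != "tableau":
        problems.append("templateType is not tableau")
    # Assumption: only the JSON boolean true counts, as in the page's example.
    if inner.get("useEmailCarrier") is not True:
        problems.append("useEmailCarrier is not the boolean true")
    return problems

if __name__ == "__main__":
    good = build_body("testTableauDenodo")
    print(good, check_body(good))
    # Constructed bad inputs: a truncated body, and a string "true".
    print(check_body(good[:-1]))
    print(check_body(build_body("testTableauDenodo", "true")))
```

The string returned by build_body can be passed to curl's -d option in place of the hand-escaped literal.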

