RE: How to impersonate an AD Login within an AD Group defined in SQL

  • Thanks for the reply. Let me explain what is going on. We are implementing Tableau Server. Tableau is a data discovery/BI tool and server allows sharing of the Tableau workbooks. When developing a workbook, you define a data connection to the SQL database using Windows authentication. When you publish a workbook to Tableau Server, they give you 2 kinds of authentication options: Use the run-as account or impersonate using the Run-as account. The first option is giving the AD login the Tableau Server is running as read permissions to your DB so all queries are run using this account. The second option is giving the AD run-as login account the permissions to impersonate other AD logins defined on the SQL Server. So anyone that runs the workbook on the Tableau server would need to be granted permissions in SQL Server and the Run-As account given impersonation permissions on this login. I didn't necessarily like option 1 since this Tableau Server will be used globally and our DB is only for local access so it didn't seem to pass the smell test.

    Security is controlled within Tableau Server with AD Groups. I initially was hoping to define these same groups within SQL Server but since I have to grant impersonation rights, it looks like I have to define every last login that will run the workbook on the Tableau Server. I had hoped there would be one more authentication type where Tableau Server just passed the AD credentials from the user logged into Tableau Server through to the backend database being referenced in the workbook. This seems to be a better option in my opinion.
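
One way to manage the per-login grants this post describes, as an added example that is not part of the original thread: expand the AD group with `xp_logininfo`, generate the `CREATE LOGIN` and `GRANT IMPERSONATE` statements for review, then list what the Run-As account can already impersonate. The domain, account and group names are hypothetical; it assumes the caller is allowed to run `xp_logininfo` and that nested groups are expanded separately.

```sql
-- Hypothetical names: CONTOSO\svc_tableau is the Tableau Server Run-As account,
-- CONTOSO\Tableau_Viewers is the AD group that controls access in Tableau Server.
USE master;
DECLARE @RunAs sysname = N'CONTOSO\svc_tableau';
DECLARE @Group sysname = N'CONTOSO\Tableau_Viewers';

-- 1. Expand the AD group into its member accounts.
CREATE TABLE #members (
    account_name      sysname,
    type              varchar(8),
    privilege         varchar(9),
    mapped_login_name sysname,
    permission_path   sysname NULL
);
INSERT INTO #members
EXEC master.dbo.xp_logininfo @acctname = @Group, @option = 'members';

-- 2. Generate one login (if missing) and one IMPERSONATE grant per member.
--    The grant targets a single login, so the Run-As account can only
--    become the accounts listed here, not any principal on the server.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql +=
      CASE WHEN sp.name IS NULL
           THEN N'CREATE LOGIN ' + QUOTENAME(m.account_name)
              + N' FROM WINDOWS;' + CHAR(13) + CHAR(10)
           ELSE N'' END
    + N'GRANT IMPERSONATE ON LOGIN::' + QUOTENAME(m.account_name)
    + N' TO ' + QUOTENAME(@RunAs) + N';' + CHAR(13) + CHAR(10)
FROM #members AS m
LEFT JOIN sys.server_principals AS sp ON sp.name = m.account_name
WHERE m.type = 'user';          -- skip nested groups

SELECT @sql AS statements_to_review;   -- inspect before running
-- EXEC sys.sp_executesql @sql;        -- uncomment once reviewed

-- 3. Audit: every login the Run-As account is currently allowed to impersonate.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND grantee.name = @RunAs;

DROP TABLE #members;
```

Comparing the audit result in step 3 against current group membership shows grants left behind for accounts that have since been removed from the AD group.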