If you’re an avid whitepaper reader, then you’ve probably already read Marc Rueter’s excellent Tableau Security Whitepaper.
In it, he discusses the difference between unrestricted and restricted trusted tickets.
In the document, he writes:
By default tickets are only valid for navigating to views. This prevents users from navigating to other parts of the Tableau Server such as content listings and administration
This is our definition of a restricted ticket – you can only see views – the user can navigate to any URL under http://<servername>/views/<workbookname>/<viewname>.
What is an unrestricted ticket? It allows the user to view anything on the server that they have permissions to see. For example, they could view listings of workbooks, data sources, etc. One might use an unrestricted ticket to enable the user to browse the whole portal using the standard Tableau Server User Interface. This is a bit of an edge case scenario, but still quite useful from time to time.
How do you implement it? First you have to turn the feature on:
tabadmin set wgserver.unrestricted_ticket true
tabadmin configure
tabadmin restart
Then, you modify the URL used to display Tableau Server content in your embed.
Using the PHP embedding sample found in Tableau Server7.0extrasembeddingphp, you might normally code your iframe like this:
<iframe src=“<?php echo get_trusted_url(get_user(),‘localhost’,’views/Date-Time/DateCalcs’)?>”
width=“400” height=“400”>
</iframe>
To take advantage of unrestricted tickets, simply direct the user to somewhere “browse-able”, like the root of Tableau Server:
<iframe src=“<?php echo get_trusted_url(get_user(),’localhost’,’/’)?>”
width=“400” height=“400”>
</iframe>
