On Tableau Extensions


Hello folks – I hope you’ve all recovered from TC18 in New Orleans? What a great gig that was!

Anyway, this post is about one of the most talked about new Tableau features – extensions. This is a new API that allows users to build their own plug-ins to Tableau Desktop, and do pretty much anything, and it hasn’t taken long for the extensions gallery to grow.

ext2

There’s already a ton of great stuff in the extensions gallery!

In the 6 or so years I’ve been working with Tableau, I’ve not seen any feature generate this much chat, debate and passion – certainly among my people, the server admin / COE community.

So here’s what I think about this topic;

 

What I like about extensions

Game changing functionality

There’s no doubt that extensions will lead to a great boost in Tableau functionality. We’ve already seen some excellent arrivals into the extensions gallery such as Show Me More, Write-Back, DataRobot Insights and Wordsmith. I have no doubt that will continue, and fully expect the brilliant Tableau community to build functionality that we haven’t even realised we want yet.

 

Fills gaps in the tool

We’re all pushing Tableau for more features, right? Well extensions must feel like a get out of jail free card for *some* Tableau dev teams. We kinda saw that with Interworks Powertools, which filled a number of gaps, albeit at a cost. I’m sure some extensions will emerge that take the heat off certain Tableau devs, maybe allowing those teams to switch focus to something else, safe in the knowledge that the extension has saved them a job. And that might ultimately lead to more innovation and a faster evolution of the tool.

 

Empowers the community

Placing such power in the hands of the super-enthusiastic and skilled Tableau community is exciting. For Tableau to create a conduit for us users to be able to feel like part of the Tableau dev world is powerful, not just with what we can create, but it’s also like we’ve been welcomed into Tableau’s world with a big embrace, knowing that any of us can contribute directly to the capabilities of the product, knowing that hey – I made that!

It’s a mark of respect for the Tableau community and a statement of trust from the vendor. Nice.

 

What I don’t like about extensions

Potential data leakage

This is obviously the big one. I’ve downloaded an extension, how do I know it’s doing what it says on the tin? Or at least not doing some extra stuff I don’t want?

At the Tableau Conference Server Admin meetup, our friend Tamas Foldi gave the audience a demo of a fictional extension he’d built. It went something like this. He downloaded the .trex file, installed it, then clicked OK to accept the terms and conditions (which displayed almost no info). The extension actually displayed cat pictures in a dashboard (Ann Jackson would have approved).

All fine or so it seemed. Until Tamas fired up a terminal and showed us that the extension was actually extracting all of the data from the workbook and sending it to some obscure URL. Grim.

evil-demo-01

Tamas Foldi’s demo of an extension stealing data

The above is hard to read so please click here for the higher resolution version 

This is the reality of extensions. Once you click that OK to accept the terms, you’re at the mercy of the code. And who knows what might happen then?

 

I can’t (reliably) turn it off on desktop

Given the security concerns I would wager that most admins would like to disable extensions on Tableau Desktop. This is possible with a registry edit, fiddly but achievable and easily done in the packaging process. Same as many of us did with the annoying auto-update feature. So that covers the vast majority of people in any enterprise, which will no doubt have their desktops locked down to prevent unauthorised software installs.

However, as in Jurassic Park, life finds a way. And some users will manage to install software. Not many, but some. And that’s a risk.

 

Vetting

As far as I’m aware, and confirmed by my chats with the extensions team, Tableau don’t check or scrutinize any of the extensions. It’s a public gallery and anyone can upload. Tableau don’t have to approve.

 

The Tableau UX

So there’s a reason that Tableau doesn’t have speedometers, egg-timers, traffic lights and

Will extensions turn Tableau into this?

other chart junk like other tools. It’s because at the heart of the tool is a dedicated research team that applies science to everything Tableau does. If it’s going into the tool then it better be best practice and have some theory behind it. It’s the same reason we don’t have 3D, despite the massive demand on the forums – it’s just not right.

That may not  be the case with extensions. It won’t be long before we get the first extension that produces chart junk, and then many of our Tableau dashboards will look like shit. It won’t matter how much research Tableau do.

 

Technical dependencies

As stated earlier, some of these extensions are pretty good. So in time I’m sure many of my users will come to love one or more extensions, and get great value from them.

But how can I, as an admin, guarantee that the extension will support that next version of Tableau? What if it doesn’t? I can’t hold back an upgrade just because one third-party component doesn’t work. What if the extension vendor decides to sunset their creation, either deliberately or just by getting bored of it? It’s us admins that will get shouted at.

 

Support dependencies

Some of these extensions will be popular. REALLY popular. And many will also be homebrew creations made by one person and their dog. Are they going to be able to handle the influx of emails and support requests that they’ll get after thousands of downloads? How do we even know that the vendor of an extension is legit? Do Tableau keep the pressure on extension vendors to provide decent support or keep the product up-to-date? I don’t think they’d have the cycles to do that.

 

More vendors to get to know

I’m already the vendor relationship manager for a bunch of companies here. Last thing I need is a whole lot more to worry about.

 

Server defaults are on

Now extensions can be disabled on server. And restricted to a whitelist. What I don’t like here is the fact that the default setting for server extensions is ON. Not cool.

Go vote up Mark Kernke’s forum idea to change that default setting.

 

Paid for extensions a huge potential headache

So here’s a conversation I’ve already had here.

User: Hey I wanna buy this extension, it's great. 
Me: Okay - well we need to evaluate it first.
User: Sure, and if you okay it I need you to put it on the server
Me: Who's paying for that then?
User: Well you are, aren't you?
Me: Baaahahahaha

I’ve caught this one at source, but I’m sure there will be a time when someone has already bought an extension (yes I know they shouldn’t, but…) and then they try to pressure me to pay for it on server.

 

Implementing extensions will take a long time in enterprises

Even for the extensions that we do decide to bring in, there’s gonna be a ton of work for my team.

Off the top of my head

  • Evaluate and test the extension on desktop
  • Evaluate and test on server
  • Penetration test and risk evaluation
  • Add to internal software catalogue
  • Establish vendor relationship
  • Work out commercials and support with vendor
  • Get vendor added to our approved supplier list and internally vetted
  • Package extensions
  • Train team in basic support of extension
  • Organise deployment
  • Ongoing support, upgrades & maintenance

I’m sure there’s more. And that would be needed for each one.

 

What I think might help

Now the server admins have been bantering about this for a while. It was seriously the talk of the town at the TC18 server admin meetup.

admins

A beautiful cluster of server admins at TC18

We’ve not been able to come up with many solutions to these problems as of yet but here are some that we did talk about.

Make them easy to disable on desktop

Not an issue for the packaged deployments, more for the rogue installs. We talked about this a lot. No-one could come up with a solution other than somehow tying it back to the licence key. Open to ideas.

 

Set default to off on server

There’s an easy one. And I hear Tableau are already on the case.

 

Digital signatures

Make this a requirement. Packaged, digitally signed extensions that can be easily hosted internally and therefore blocked from accessing the internet.

 

Tableau approved extensions

I’d like to see an upper-class of extension that has been approved by Tableau. Vendor checked out, support checked, code reviewed etc. Give them a special badge and pride of place in the gallery. If Tableau approve then I’m confident it’s not some amateur outfit.

 

So that’s the deal with extensions. Don’t get me wrong, I LOVE this feature. It’s very exciting and will undoubtedly lead to lots of innovation and some cool stuff that we haven’t even imagined yet. But we do need to be careful. The problems for the admin community are clear. I’m looking forward to working with Tableau devs, product managers and the wider community to solve them.

Comments invited, as always.

Regards, Paul

 

Advertisements

2 thoughts on “On Tableau Extensions

  1. Hi Paul, I agree with your article. I have used dashboard extensions on my personal PC, thought they were fantastic (I love the Sankeys!), then put my corporate hat on and went cold. It’s a tough one because some of the early extension releases solve some real world challenges we are grappling with – particularly for downloading all the data in a dashboard from multiple views in one go. However, I don’t want to grow a demand that I am going to have to keep tightly regulated. I can see that I will turn extensions off for the foreseeable future…..

  2. Great post Paul. I think the digital signature and bringing the code internally is the best option. Then you know nothing is leaking and the code can be controlled internally. I’ve already recommended that to a few people who had similar concerns.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s