How to Restrict Gumloop's Tableau Access to Certified Data Sources Only

Last updated: March 31, 2026

Issue

You want Gumloop to only access Certified data sources in Tableau — not every data source your Tableau user can see.

By default, the Gumloop–Tableau integration inherits whatever permissions the connected Tableau user has. There's no built-in "Certified only" toggle.

Solution

Combine Tableau-side permission scoping with certification filtering in Gumloop for a two-layer approach.

Step 1 — Create dedicated Tableau service accounts

Instead of connecting Gumloop with a personal Tableau user, create dedicated service accounts with tightly scoped permissions:

  • Standard account (Viewer level) — access only to projects containing your certified, summary-level workbooks and data sources. Use this for most Gumloop agents.
  • Advanced account (Explorer level) — broader data access for agents that need deeper exploration. Restrict to a smaller group of trusted agents.

Lock down each account via Tableau User Groups so it can only see the projects you approve. This is a hard restriction — Gumloop literally cannot access anything outside those projects.

Step 2 — Add isCertified filtering in your agent

The Tableau REST API supports filtering data sources by certification status. When your Gumloop agent uses the List Datasources tool, pass this filter:

isCertified:eq:true

Add this to your agent's system prompt so it's always applied. Example instruction:

"When listing data sources, always include the filter isCertified:eq:true to restrict results to certified data sources only."

This isn't a hard restriction on its own (the agent could theoretically query uncertified sources by ID), but combined with scoped service accounts it creates a strong two-layer safeguard.

Step 3 — Generate a PAT for each service account

In Tableau, generate a Personal Access Token (PAT) from each service account's settings, then store it in your Gumloop credentials. Each service account gets its own PAT.

Audit Trail

Tableau side: Logs will attribute all activity to the shared service account — not individual end users.

Gumloop side: Every tool call is logged with the specific user ID, tool name, and arguments — full traceability of who triggered what.

Cross-reference both logs by timestamp if you need a complete picture.

PAT Security Tips

  • Set a PAT expiration date — rotate every 90 days or per your security policy.
  • Store PATs only in Gumloop's secure credential store. Never share them in documents or messages.
  • Revoke immediately if a PAT is suspected compromised — do this from the Tableau user's account settings. It won't affect other users.
  • Limited blast radius — because each service account has minimal scoped permissions, a leaked PAT can only access what that account sees.

Setup Checklist

  1. Create dedicated Tableau service accounts (not repurposed from real people).
  2. Use Tableau User Groups to scope project-level access for each account.
  3. Generate PATs for each service account and store them in Gumloop credentials.
  4. Add isCertified:eq:true filter instructions to your agent's system prompt.
  5. Document which agent uses which service account.
  6. Set PAT expiry reminders and rotate periodically.
  7. Start with the Standard account for most agents — only escalate to Advanced where genuinely needed.

Related