tableau-embedding-in-lightning
Embedding Tableau dashboards (and Tableau Pulse insights) inside Lightning App / Record / Home pages — Tableau Embedding API v3 in an LWC, the connected-app + JWT trust pattern for SSO from Salesforce to Tableau, row-level security so a Salesforce user only sees their data in Tableau, CSP / Trusted Sites configuration for the Tableau host, and the Tableau Viz Lightning Web Component (drag-and-drop alternative to a custom LWC). NOT for building Tableau dashboards / data sources (that's Tableau-side work), NOT for CRM Analytics (Tableau is the separate product; see data/crm-analytics-patterns).
Best use case
tableau-embedding-in-lightning is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using tableau-embedding-in-lightning should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/tableau-embedding-in-lightning/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How tableau-embedding-in-lightning Compares
| Feature / Agent | tableau-embedding-in-lightning | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Tableau Embedding in Lightning
Tableau dashboards can be embedded directly in a Salesforce
Lightning page so users do not have to switch tools. The embedding
mechanics are well-documented; the operational complexity is in
auth (SSO from Salesforce to Tableau) and in row-level security
(making sure a logged-in Salesforce user only sees their own slice
of the Tableau data).
This skill covers the LWC build, the JWT-based SSO pattern, the
Trusted Sites / CSP configuration that the platform requires, and
the row-level security pattern that ties it all together.
## The two embed approaches
| Approach | When to use |
|---|---|
| **Tableau Viz LWC** | Drag-and-drop component on a Lightning page; minimal-code option; suitable for simple dashboards |
| **Custom LWC + Tableau Embedding API v3** | Need programmatic control: pass parameters, filter on record context, listen to viz events |
Tableau Pulse (Tableau's metric / AI-summary surface) embeds
similarly — Tableau provides Pulse-specific embedding.
## Tableau Embedding API v3 (custom LWC)
The Embedding API is a JavaScript SDK. In an LWC, you load the SDK
as a static resource (or a third-party `<script>` if CSP allows),
then instantiate a `tableau.Viz` against a `<div>` you render.
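```javascript
import { LightningElement } from 'lwc';
import { loadScript } from 'lightning/platformResourceLoader';
import tableauApi from '@salesforce/resourceUrl/tableauEmbeddingApiV3';

export default class TableauEmbed extends LightningElement {
    isInitialized = false;

    async renderedCallback() {
        // renderedCallback fires on every re-render; build the viz only once.
        if (this.isInitialized) return;
        this.isInitialized = true;

        // Load the Embedding API v3 SDK from the static resource.
        await loadScript(this, tableauApi);

        const viz = document.createElement('tableau-viz');
        viz.src = 'https://tableau.example.com/views/Sales/Dashboard';
        // getJwt() is not shown on this page; it must return the JWT from the Apex generator.
        viz.token = await this.getJwt(); // SSO token; see below

        // The container div should carry lwc:dom="manual" in the template for manual appendChild.
        this.template.querySelector('.tableau-container').appendChild(viz);
    }
}
```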
The `<tableau-viz>` web component is provided by the Embedding API;
its attributes drive filters, parameters, and styling.
## JWT SSO — the trust pattern
Anonymous embed (no SSO) works for fully public dashboards but
exposes them to anyone with the URL — almost never what you want.
The recommended SSO is **JWT-based**:
1. Tableau admin creates a Connected App in Tableau (a "JWT Direct
Trust" type). This generates a Client Id and Secret Id.
2. Salesforce Apex generates a short-lived JWT signed with that
Secret Id, with claims that identify the Salesforce user (email
or username) as the Tableau viewer.
3. The LWC asks Apex for the JWT and passes it to `<tableau-viz>` as
the `token` attribute.
4. Tableau validates the JWT, identifies the user, and applies
row-level security based on the user identity.
The Apex side typically uses `Crypto.signWithCertificate` with a
named certificate; secrets are stored in Custom Metadata or Named
Credentials, not hardcoded.
## Row-level security
Tableau's row-level security is configured on the **Tableau side**,
not Salesforce. The pattern:
1. Data source has a user-identity column (e.g. `OwnerEmail`).
2. Data source filter: `[OwnerEmail] = USERNAME()` where
`USERNAME()` is Tableau's user-identity function.
3. SSO from Salesforce passes the Salesforce user's email as the
Tableau identity.
4. When the user opens the embedded viz, the filter restricts to
their rows.
If the SSO claim is wrong (e.g. passes a service-account name), the
filter applies to that account's rows — typically empty or
incorrect. RLS bugs almost always trace back to identity-claim
misconfiguration.
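The JWT trust pattern and the identity-claim failure mode described above, as an added Node.js example that is not part of this skill or of any Tableau or Salesforce code: it mints a short-lived token and audits the claims that decide which rows a viewer sees. It assumes the HS256 layout Tableau documents for direct-trust connected apps (client id as `iss`, secret id as `kid`, signed with the secret value); the function names, placeholder ids, secret and e-mail addresses are constructed for illustration, and in the pattern on this page the signing runs in Apex, never in the browser.

```javascript
// Added example (Node.js model of the server-side step); all names are hypothetical.
const crypto = require('crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Mint a token shaped like a direct-trust connected-app JWT (assumed layout).
function mintEmbedJwt({ clientId, secretId, secretValue, username, ttlSec = 300, now = Date.now() }) {
  const iat = Math.floor(now / 1000);
  const header = { alg: 'HS256', typ: 'JWT', kid: secretId, iss: clientId };
  const claims = {
    iss: clientId, aud: 'tableau', sub: username,
    jti: crypto.randomUUID(), exp: iat + ttlSec,
    scp: ['tableau:views:embed'],
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.createHmac('sha256', secretValue).update(input).digest('base64url');
  return `${input}.${sig}`;
}

// Audit a token before it reaches <tableau-viz>; returns a list of findings.
function auditEmbedJwt(token, { secretValue, expectedUser, maxTtlSec = 300, now = Date.now() }) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed token'];
  const [h, p, sig] = parts;
  const expected = crypto.createHmac('sha256', secretValue).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return ['signature mismatch'];
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  const nowSec = Math.floor(now / 1000);
  const findings = [];
  if (claims.exp <= nowSec) findings.push('expired');
  if (claims.exp - nowSec > maxTtlSec) findings.push('lifetime exceeds policy');
  if (claims.sub !== expectedUser) {
    findings.push(`sub "${claims.sub}" is not the running user; RLS would filter on the wrong identity`);
  }
  return findings;
}

// Constructed sample: a token minted for a service account instead of the viewer.
const demo = mintEmbedJwt({
  clientId: 'CLIENT_ID_PLACEHOLDER', secretId: 'SECRET_ID_PLACEHOLDER',
  secretValue: 'constructed-secret', username: 'svc-integration@example.com',
});
console.log(auditEmbedJwt(demo, { secretValue: 'constructed-secret', expectedUser: 'rep@example.com' }));
```

Running the same audit while logged in as several different Salesforce users is a quick way to carry out step 7 of the workflow below before checking the rendered viz.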
## CSP and Trusted Sites
The Tableau host URL must be added to:
- **Lightning Trusted Sites** (Setup -> CSP Trusted Sites). Without
this, the iframe / fetch is blocked by Lightning's CSP.
- **CORS allowlist** if Apex makes a fetch to Tableau (rarer; JWT
flow is local).
Both are admin-side configuration steps.
## Recommended Workflow
1. **Choose the embed approach.** Tableau Viz LWC for simple drop-in; custom LWC + Embedding API v3 for programmatic control.
2. **Configure CSP Trusted Sites.** Setup -> CSP Trusted Sites; add the Tableau host URL with `Connect-Source` and `Frame-Source` permissions as appropriate.
3. **Set up JWT Connected App in Tableau.** This is Tableau-side config; provides Client Id and Secret Id.
4. **Implement the JWT generator in Apex.** Sign with `Crypto.signWithCertificate`; claim payload identifies the Salesforce user; expiry short (5 min).
5. **Build the LWC.** Load the Embedding API static resource; render `<tableau-viz>`; pass JWT and parameters.
6. **Configure Tableau-side row-level security.** Data-source filter matches the JWT subject claim.
7. **Test as different Salesforce users** to confirm RLS works. Test with an inactive user to confirm the JWT generation fails gracefully.
## What This Skill Does Not Cover
| Topic | See instead |
|---|---|
| Building Tableau dashboards / data sources | Tableau-side training |
| CRM Analytics (Salesforce native) | `data/crm-analytics-patterns` |
| Tableau-side admin (sites, projects, permissions) | Tableau Server / Cloud admin |
| SAML SSO into Tableau (alternative to JWT) | Tableau SSO docs |

Related Skills
lwc-lightning-record-forms
Lightning Data Service form components for LWC — when to use lightning-record-form vs lightning-record-edit-form vs lightning-record-view-form, output-field vs input-field, density modes, layout types (Compact/Full), and the platform-managed validation/save/error UI. NOT for fully custom form layouts (use lwc/lwc-custom-form-with-uiRecordApi) or aura:recordEditForm (Aura is deprecated for new work).
lwc-lightning-modal
LightningModal base class (Winter '23+): extending LightningModal, open() static method, modal headers/bodies/footers, close() with result, size variants, accessibility. NOT for lightning-dialog legacy patterns (deprecated). NOT for in-page overlays (use SLDS popover).
lightning-navigation-dead-link-handling
Use when an LWC navigates via NavigationMixin to records or pages that may no longer exist, lack the user's access, or be permanently moved. Triggers: 'lightning navigation 404', 'navigate to deleted record', 'NavigationMixin error toast', 'graceful fallback when target page missing', 'permission denied on navigation'. NOT for general routing within an SPA or for Experience Cloud public-facing routing.
tableau-salesforce-connector
Tableau ↔ Salesforce integration patterns: Tableau Salesforce connector, Tableau for Salesforce, CRM Analytics alternative, Data Cloud + Tableau, embedded Tableau dashboards. Choose between connector modes (live, extract, direct-to-Data-Cloud). NOT for CRM Analytics Studio (use crm-analytics-foundation). NOT for generic Tableau Server setup.
crm-analytics-vs-tableau-decision
Use when deciding between CRM Analytics (formerly Einstein Analytics / Tableau CRM) and Tableau Desktop, Tableau Server, or Tableau Cloud for a Salesforce-centric analytics requirement. Triggers: 'CRM Analytics vs Tableau', 'which BI tool for Salesforce', 'Tableau for Salesforce data', 'Einstein Analytics vs Tableau', 'analytics platform decision', 'licensing comparison CRM Analytics Tableau', 'Tableau Next', 'Tableau+ for Salesforce'. NOT for implementation guidance on configuring CRM Analytics datasets, recipes, or Tableau workbooks — use admin/einstein-analytics-basics for that.
lightning-page-performance-tuning
Use when a Lightning record page, home page, or app page is slow to load or render — covers Experienced Page Time (EPT) analysis, component count reduction, progressive disclosure via tabs and conditional rendering, Lightning Experience Insights diagnostics, and DOM/XHR minimization strategies. Triggers: 'Lightning page is slow', 'EPT is high', 'record page takes too long to load', 'too many components on page', 'Lightning Experience Insights shows slow page', 'how to optimize Lightning page performance'. NOT for Visualforce page performance (separate concern). NOT for Apex or SOQL query optimization (use apex/apex-cpu-and-heap-optimization or data/soql-query-optimization). NOT for report or dashboard performance (use admin/report-performance-tuning).
lightning-experience-transition
Use when planning, sequencing, or troubleshooting an org-wide migration from Salesforce Classic to Lightning Experience. Covers the LEX Transition Assistant Readiness Check, asset triage matrix (Visualforce, JavaScript buttons, page layouts, Knowledge, email templates, list views, AppExchange), pilot/wave rollout sequencing, end-user adoption telemetry, and cutover criteria. Triggers: 'lightning experience transition', 'classic to lightning migration plan', 'LEX readiness check', 'why are some users still on Classic', 'turning on Lightning for everyone'. NOT for individual asset migrations like a single VF page (use lwc/visualforce-to-lwc-migration), a single JavaScript button (use admin/custom-button-to-action-migration), or Knowledge article migration (use admin/knowledge-classic-to-lightning) — this skill orchestrates the program. NOT for Lightning App Builder page design (use admin/lightning-app-builder-advanced).
lightning-bolt-template-authoring
Use when an admin or partner needs to package an Experience Cloud (Community) site as a reusable Lightning Bolt Solution for distribution — covers the export workflow from Experience Builder, what gets bundled (ExperienceBundle, custom apps, flow categories, theme, layouts, navigation menus) versus what does NOT (data, CMS content, files), choosing Bolt vs managed package vs unlocked package vs cloning a site, sandbox-to-production promotion, multi-org distribution, AppExchange listing as a Bolt, and template versioning via the LightningBolt metadata `versionNumber`. Triggers: 'turn this community into a reusable template', 'package an Experience Cloud site to ship to multiple orgs', 'export Experience Builder template for AppExchange', 'should we use a Bolt or a managed package for this community', 'create an industry-specific community starter', 'how do we version our partner portal template', 'distribute branded Experience site across business units'. NOT for general Experience Cloud site build, content, or member setup (use admin/experience-cloud-site-setup, admin/experience-cloud-cms-content, admin/experience-cloud-member-management). NOT for shipping Apex / LWC / data-model functionality as a product (use devops/managed-package-development, devops/second-generation-managed-packages, devops/unlocked-package-development). NOT for moving a single Experience site between sandbox and prod as a one-off (use admin/experience-cloud-deployment-admin, devops/cicd-for-experience-cloud).
lightning-app-builder-advanced
Advanced Lightning App Builder usage: component visibility filters, custom page templates, Dynamic Forms, Dynamic Actions, page performance optimization, LWC targetConfig for record pages. Use when building complex record pages or custom app templates. NOT for basic page layout configuration. NOT for LWC component development (use lwc/* skills). NOT for Dynamic Forms basics (use dynamic-forms-and-actions).
knowledge-classic-to-lightning
Migrating Classic Knowledge (KnowledgeArticleVersion / Article Types) to Lightning Knowledge (Knowledge__kav with record types): article-type-to-record-type mapping, multi-language translation preservation, data category re-architecture, file attachment porting, version and publication-state retention, channel visibility translation, and downstream Case Feed / Community / Bot rewiring. NOT for new Lightning Knowledge setup (use admin/knowledge-base-administration) or for editorial workflow design (use admin/knowledge-publishing-workflow).
xss-and-injection-prevention
Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).
visualforce-security-and-modernization
Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).