# BI Tool Configuration Recommendations

Immuta can enforce policies on data in your dashboards when your BI tools are connected directly to your compute layer.

This page provides recommendations for configuring the interaction between your database, BI tools, and users.

## Connect directly to the database instead of extracts or imports

To ensure that Immuta applies access controls to your dashboards, connect your BI tools directly to the compute layer where Immuta enforces policies without using extracts. Different tools may call this feature different names (such as *live connections* in Tableau or *DirectQuery* in Power BI).

Connecting your tools directly to the compute layer without using extracts will not impact performance and provides host of other benefits. For details, see [Moving from legacy BI extracts to modern data security and engineering](https://www.immuta.com/blog/bi-extracts-to-modern-data-security).

## Use personal credentials to authenticate and query data

Personal credentials need to be used to query data from the BI tool so that Immuta can apply the correct policies for the user accessing the dashboard. Different authentication mechanisms are available, depending on the BI tool, connector, and compute layer. However, Immuta recommends to use one of the following methods:

* Use **OAuth single sign (SSO)** on when available, as it offers the best user experience.
* Use **username and password authentication** or **personal access tokens** as an alternative if OAuth is not supported.
* Use **impersonation** if you cannot create and authenticate individual users in the compute layer. Impersonation allows users to query data as another Immuta user. For details, see the [reference guide for your data platform integration](/SaaS/configuration/integrations.md#integrations).

For configuration guidance, see [Power BI configuration example](/SaaS/configuration/application-configuration/how-to-guides/bi-tools/power-bi.md) and [Tableau configuration example](/SaaS/configuration/application-configuration/how-to-guides/bi-tools/tableau.md).

## Authentication method matrix

Immuta has verified several popular BI tool and compute platform combinations. The table below outlines these combinations and their recommended authentication methods. However, since these combinations depend on tools outside Immuta, consult the platform documentation to confirm these suggestions.

|                      | Amazon Redshift                                 | Azure Synapse Analytics | AWS Databricks                         | Azure Databricks | Google BigQuery | Snowflake | Starburst                                       |
| -------------------- | ----------------------------------------------- | ----------------------- | -------------------------------------- | ---------------- | --------------- | --------- | ----------------------------------------------- |
| **Power BI client**  | OAuth/SSO                                       | Not tested              | OAuth/SSO                              | OAuth/SSO        | Not tested      | OAuth/SSO | OAuth/SSO                                       |
| **Power BI service** | OAuth/SSO                                       | Not tested              | Databricks personal access token (PAT) | OAuth/SSO        | Not tested      | OAuth/SSO | :x:                                             |
| **Tableau Desktop**  | [Username and password](#user-content-fn-1)[^1] | OAuth/SSO               | OAuth/SSO                              | OAuth/SSO        | OAuth/SSO       | OAuth/SSO | [Username and password](#user-content-fn-1)[^1] |
| **Tableau Server**   | [Username and password](#user-content-fn-1)[^1] | OAuth/SSO               | OAuth/SSO                              | OAuth/SSO        | OAuth/SSO       | OAuth/SSO | [Username and password](#user-content-fn-1)[^1] |
| **QuickSight**       | :x:                                             | :x:                     | :x:                                    | :x:              | :x:             | :x:       | :x:                                             |

[^1]: You could also use impersonation


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/SaaS/configuration/application-configuration/how-to-guides/bi-tools/index.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.