Server Lockdown - Tableau Server Roles & Permissions

by Neil Lord

So you just installed your first Tableau Server… well done you!

But now comes the exciting task of establishing what access your users have within the server…ugghhh dull.

There is an important distinction to make at the start between Roles and Permissions within Tableau Server. Sites have Roles, and Projects & Workbooks have Permissions. Clear on that? It is crucial that you understand this, as what you do at Site level (setting roles) will affect what happens at Project & Workbook level (setting permissions).

Configuring Site Roles

Above we have our users that have been loaded on to the server. I’ll walk you through each user and give an explanation of what they can and can’t do.

Pablo – Pablo is a Viewer, he can look at dashboards and that is it: he can’t interact with them, he can’t use filters and he can’t save custom views. All he can do is see a “picture” of the dashboard as a snapshot.

Jmac – Jmac is an Interactor, he can see dashboards and interact with them, like changing a filter or creating a custom view, but that’s about it.

Jamie & Marc – Jamie and Marc are Publishers, they can do all of the above but they can also create and upload workbooks and data sources. This role would usually be given to people with desktop licences.

Laura – Laura is a Site Administrator, she can do all of the above and has complete control over the site…including deleting it! With the Administrator roles, nothing you do at the Permissions level will affect what they can actually do. Effectively this is the all singing, all dancing access. Top level access for the site.

Neil (me) – Neil is the most trusted of all the employees and as such he is Server Administrator. He can do anything anywhere and there is nothing you can do to stop him!

Lastly Natasha – Sadly Natasha was fired (sensitive HR issues) and as such she is Unlicensed. Because she has content (workbooks) on the server she cannot be deleted, but she has absolutely no access to the server or its content, nada, zilch, zip.

And that’s as simple as Site Roles get!

If you get stuck, Tableau Server gives you a summary of what each of the roles can do…just hover over the help icon when assigning the role.

Now we have defined the Site Role for each user, let’s look at Permissions and see how these two work together…

Project & Workbook Permissions

In this Project the Permissions have been set as standard: Publisher, Interactor & Connector.

Pablo (Viewer Site Role) – Can he Publish? No, his Site Role does not give him the rights to publish workbooks. Can he see and use workbooks? Sort of, he can see the workbooks and he can see a snapshot of the data but he cannot interact, again defined by the Site Role. He also needs the connector option here because he still needs to connect to the data just to get a snapshot.

Jmac (Interactor Site Role) – Can he Publish? No, like Pablo the Site Role is preventing him from doing this. Can he see and use workbooks? Yes, he can play with the data and create custom views.

Jamie & Marc (Publisher Site Role) – Publish? Yes. See and use Workbooks? Yes.

Laura & Neil (Administrator Site Role) – Publish? Yes. See and use Workbooks? Yes.

Natasha (Unlicensed Site Role) – Publish? No. See and use Workbooks? No. Natasha can’t even get access to the server in the first place.

You may (or may not) have noticed this grey box in the top corner. This means that the Permissions for this project are locked down and Publishers cannot override this when uploading their workbooks. Only the Project Owner (whoever created it) can do this.

Say for example the Project Permission was set to Viewer….

This would only affect Jamie & Marc’s access to this project and they would now not be able to publish. Pablo & Jmac had the Site Roles that allowed them to see the workbooks (at various levels as described before). And Laura & Neil were administrators so they get unrestricted access.

So that all seems pretty logical, right? Not too complex. As JMac said when teaching us, there is no right and wrong answer with Roles and Permissions, there are just several ways to achieve the same results.

Oh, remember that grey box from earlier?

Well, if you have this set to Managed by Owner then the person publishing the dashboard can decide who sees and uses it. But remember the Site Roles still apply…so there is no point assigning anything to Natasha because she can’t even sign in.
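The way Site Roles cap what a Permission can grant can be modelled in a few lines of Python. This is an added example, not code from Tableau or from the original post; the capability names (view, interact, publish) and the idea of a project grant as a simple set are simplifying assumptions, and the users are constructed sample data mirroring the ones above.

```python
# Simplified model of the rules described in this post. Capability names
# are assumptions for illustration, not Tableau identifiers.
ADMIN_ROLES = {"Site Administrator", "Server Administrator"}
ALL_CAPS = {"view", "interact", "publish"}

# Ceiling each Site Role places on what a Permission can grant.
SITE_ROLE_CEILING = {
    "Unlicensed": set(),
    "Viewer": {"view"},
    "Interactor": {"view", "interact"},
    "Publisher": set(ALL_CAPS),
}

def effective_caps(site_role, project_grant):
    """Capabilities a user really ends up with on a project."""
    if site_role in ADMIN_ROLES:
        return set(ALL_CAPS)  # Permissions never restrict administrators
    # Unknown roles raise KeyError rather than silently getting access.
    return SITE_ROLE_CEILING[site_role] & set(project_grant)

def audit(users, project_grant):
    """Return {user: (effective, blocked)}.

    'blocked' lists capabilities the project grants on paper but the
    user's Site Role prevents, e.g. anything assigned to an Unlicensed user.
    """
    report = {}
    for name, role in users.items():
        eff = effective_caps(role, project_grant)
        blocked = set() if role in ADMIN_ROLES else set(project_grant) - eff
        report[name] = (eff, blocked)
    return report

# Constructed sample data mirroring the users in this post.
USERS = {
    "Pablo": "Viewer", "Jmac": "Interactor", "Jamie": "Publisher",
    "Marc": "Publisher", "Laura": "Site Administrator",
    "Neil": "Server Administrator", "Natasha": "Unlicensed",
}

if __name__ == "__main__":
    # First the full grant, then a project rule that withholds publish.
    for grant in (ALL_CAPS, {"view", "interact"}):
        print("project grants:", sorted(grant))
        for name, (eff, blocked) in audit(USERS, grant).items():
            print(f"  {name:8} effective={sorted(eff)} "
                  f"blocked_by_site_role={sorted(blocked)}")
```

Anything listed under blocked_by_site_role for an Unlicensed user is a grant that has no effect and can be cleaned up during a permissions review.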

I hope this has clarified this for you…if not, JMac has written a more comprehensive blog on the subject, read it!