A very cool new thing we learnt today at the Data School is how permissions behave in Tableau Server when applied to different levels. Let’s assume that we have a project with some contents in it in our Server. In this example, the project will be under my name in the DS18 parent project and will have four contents in it, as shown in Figure 1.
Theoretically, changing user permissions on the main project should also change the permissions to all project’s contents, right? Well, not necessarily..
Figure 1 – The project we will be working on has four contents and three parent projects
Adding Project’s Permission Rules
First of all, let’s go on and change the project rules applying to our project. We could do that by clicking on the three dots […] located right next to a project’s name (Figure 1) and then click on “Permissions…” (Figure 2).
Figure 2 – In order to edit a project’s permission rules, click on the three dots and then select permissions
Then, a new window will pop-up with the permission settings for this project. As we can see in Figure 3, this window allows us to set some permission rules for group/users at the top. Also, it illustrates the effective permissions at the bottom, with all the users in our server and a list of what they are allowed to do.
Figure 3 – The project permission window
The three usernames greyed out are the usernames of the three administers that created the projects higher above the hierarchy. As we can see at the top of Figure 1, our project (named Angelos Pachis) is a sub-project to Projects “Cohorts/ In training /DS18”. Each one of these projects has a different creator (administer) who is allowed to make changes in children projects. In your case, you may not have those users there.
Moving on, let’s assume that I want to exclude a particular group from doing any change on my contents or even viewing them. I should hence add a permission rule to that particular group, denying them any activity. To do that, I clicked on the”Add Group/User Rule” button and looked for the group I wanted to deny access (Figure 4). Let’s say, DS19 🙂
Figure 4 – Looking up the group we want to change permission rules for
I would then have to go on and click on the template and from the drop down list select the “Denied” option. See how the template changed from “None” to “Denied” and all the boxes that were greyed initially changed to red with an X character inside (Figure 5).
Figure 5 – Denying all Data Sources permissions for DS 19
Are we done? No. If we click on the Workbook window, we can see that our changes did not apply there (Figure 6). We should then go on and deny permissions to DS19 from Projects, Workbooks, Data Rows and Flows.
Figure 6 – Permissions should be denied for each of Projects, Workbooks, Data Sources, Data Roles and Flows respectively. Changing Permission rules in one of them would not apply to the rest!
Once you are done with that, close the permissions window. Theoretically, now all the permission changes should have been applied to all contents within this project.
But is this truly the case?
Let’s check this out. On any of your projects, click on the three dots appearing next to the name and then click onto Permissions (Figure 7).
Unfortunately, you would probably find out that the permission rules have not been applied to any of your project’s contents (Figure 8).
Figure 8 – Permission rules for one of our project’s contents. As we can see, the permission rules applied previously on our project have not been applied its contents.
Why did this happen and how can I solve it?
And that is because if we go back to our project permission window (Figure 3), we can see on the top left hand-side that our project’s content permissions is set to Customizable, which means that our content starts with project permission rules permissions can be modified by content owner. We would like our content to inherit the project permission rules and also not allow any change to our content-level permissions. So we should change our content permissions to be Locked instead (Figure 9).
Figure 9 – Changing content permission from Customizable to Locked would apply any project permission rules to the project’s contents.
If we now go to the Permission window of any of our contents, we would see that the permission rules have been applied successfully (Figure 10). Sorry DS19!
Figure 10 – Project’s permission rules have been successfully applied to all contents.
Wanna know more about Tableau Server permissions? I encourage you to read the following articles:
Understanding Tableau Permissions by Chris Love
Tableau Server Default Project Permissions by Stephanie Kearns
Set Permissions and Ownership by Tableau