Permissions in Tableau server: what are they and how do I use them?

by Bethany Fox

Permissions in Tableau Server basically control who can see what. There are many different areas you can set permissions, 6 different areas in fact: SiteProjectGroupUserWorkbook and Data Source. I won’t go in to the details here about how these different levels work, but if you want to find out more, check out this great blog by our very own Jonathan MacDonald.

In this blog, I’ll be explaining the different parts of setting up a permission for a new user or group, and what they mean. Say, for example, I wanted to add a new user rule in a project. The page to do so looks like this:

permissions-new-user_li

At the bottom, outlined in orange, is the button to add a new user or group rule. Adding a rule for a group will apply to all users in that group, whereas adding a rule to a user will only apply for that particular user. Here I have chosen to add a new rule for the Data School user. When you choose to add a rule, you have three sections to specify which permissions you want to allow them: Project highlighted in greenWorkbooks highlighted in blue, and Data Sources highlighted in purple. All sections are automatically set to None, which means that no permission has been specified for that section. Let’s have a look at the different options in each section drop down.

Project permissions

project-permissionViewer – The user or group can view the workbooks and views in the project.

Publisher – The user or group can publish workbooks and data sources to the server.

Project Leader – The user or group can set permissions for all items in a project. (Note: If Project is set to Project Leader, then the permissions for Workbook and Data Sources do not need to be changed, they will automatically have full control)

None – Sets all capabilities for the permission rule to Unspecified.

Denied –  Sets all capabilities for the permission rule to Denied.

 

 

Workbook permissions

workbooks-permissionViewer – The user or group can view the workbook or view on the server.

Interactor – The user or group can view the workbook or view on the server, and can interact with it completely including editing the workbook, applying filters, view underlying data, and export images and data.

Editor – Sets all capabilities for the rule to Allowed.

None – Sets all capabilities for the rule to Unspecified.

Denied – Sets all capabilities for the rule to Denied.

 

 

 

Data Sources permissions

data-sources-permissionConnector –  The user or group can connect to the data source on the server.

Editor – The user or group can connect to, download, delete, and set permissions on data sources on the server, and can also publish data sources. If they are the owner of a published data source, the can update connection information and extract refresh schedules.

None – Sets all capabilities for the permission rule to Unspecified.

Denied – Sets all capabilities for the permission rule to Denied.

 

 

 

Fine tuning the permissions

In each of the 3 sections, there is a little ‘fast forward’ icon next to the headers. Clicking on this allows us to create custom permissions, giving us more control than the preset options give us.

fine-tune-permissionEach section is then split up in to multiple capabilities, shown by the icons at the top of each column. We can then specify whether these capabilities are set as Unspecified (blank), Denied (red cross) or Allowed (red cross). If left as Unspecified, the capability will take on whatever the default setting is. If set to Denied, then the user or group will be denied the capability, no matter what the default setting is. If set to Allowed, then the capability will be allowed, if and only if it is set to Allowed or Unspecified in the default.

 

More details on the fine tuning of parameters can be found in Dan Watt’s blog, here