/
Fundamentals of Tableau Permissions

Fundamentals of Tableau Permissions

Owned by Aurora Broom
Last updated: 02 Dec, 2024
7 min read

The original document this page is based on can be found here → https://docs.google.com/document/d/1RTWNwu3dJ673xaFUJlMzMt_knxOAzbgPczgND8777hk/edit?tab=t.0

Also in this document is the proposed action plan for updating our approach to Tableau permissions, and notes on its implementation.

Page Contents

 

1.0 Fundamentals of Tableau Permissions

Tableau uses projects to organise content and groups to organise users.  Managing permissions is easier when permission rules are:

  • Set at project level

  • Established for groups

Permissions → determine how users can interact with content such as workbooks and data sources.  Permissions are made up of capabilities, which allow users to perform actions.  Tableau capabilities include view, filter, download and delete.  A row of capabilities is a permission rule.  Permission rules can be set for groups or individual users.

Permissions dialogue → the screenshot below shows the permissions dialogue for a workbook.

Effective permissions → the interplay between licence level, site role and multiple permission levels interact to form a user or groups effective permissions.  These can be viewed for each workbook and user in the permissions dialogue.

Picture 1. Example Tableau permissions dialogue for a workbook

 

1.1 Levels of Permissions

1.1.1 Project Level Permissions

When in a project (as opposed to an individual workbook), there are several levels of permissions available, as shown in the red and black boxes on the image below. At project level there are only two capabilities available - view and save.

image-20241128-095429.png
Picture 2. Project dialogue box, showing the project permissions

The next tab along - Workbooks - has the full set of capabilities that reflect all the ways a user can interact with a report. A user/group must be explicitly granted capabilities at this level, otherwise they are denied - even if you set them correctly for individual workbooks. Although in the image below, the ‘run data explain' capability has been left blank, this still results in a user not being given that capability, as capabilities must be explicitly granted (opt-in, not opt-out).

image-20241128-100114.png
Picture 3. Showing the workbooks tab in the project permissions dialogue

1.1.2 Workbook Level Permissions

Viewing the permissions dialogue for a specific report, the full set of capabilities are again available.

Picture 4. Example Tableau permissions dialogue for a workbook

 

1.2 Capabilities

As discussed in the previous section, at workbook level the rull range of 16 capabilities are available. Groups/users can be granted a custom set of capabilities, or there are pre-set groups that can be used instead. The table below lists them in full.

Capability

Standard in template

Description (lets a user…)

Capability

Standard in template

Description (lets a user…)

View

View

See the workbook or view. If a user hasn’t been granted the view capability, the workbook won’t be visible to them.

Filter

View

Interact with filters in the view, including keep only and exclude filters.  Users lacking this capability won’t see filter controls in the view.

View Comments

View

View the comments associated with the views in a workbook.

Add Comments

View

Lets a user add comments to views in a workbook.

Download Image/PDF

View

Download each view as a PNG, PDF or PowerPoint.

Download Summary Data

View

View the aggregated data in a view, or in the marks they’ve selected, and download that as a CSV.

Share Customised

Explore

Add their own custom views to the list of ‘Other Views’ available on a workbook and visible to other viewers.

Download Full Data

Explore

View the underlying data in a view, or in the marks they’ve selected, and download that data as a CSV.

Web Edit

Explore

Edit the view in a browser based authoring environment.

Run Explain Data

Explore

Run the Explain Data tool on marks in editing and viewing mode (if the Explain Data feature is enabled as a site setting).

Download Workbook/Save a Copy

Publish

Download a packaged workbook, save a copy from the web edit interface as a new workbook.

Overwrite

Publish

Overwrite (save) the content on the server.

Create/Refresh Metrics

Publish

Create metrics on the views in a workbook and lets any metrics that a user creates from those views refresh.

Move

Administer

Move workbooks between projects.

Delete

Administer

Delete the workbook.

Set Permissions

Administer

Create permission rules for the workbook.

1.3 Locking and Customisable Content Permissions

1.3.1 Locked Permissions

Permission rules can bet set at project level and locked, so all content in that project inherits those rules. This means that no rules can be modified, added or removed at workbook level. If using locked permissions, the capabilities in both the Projects and Workbooks tab in this project permissions dialogue must be set - otherwise workbooks will be inaccessible to non-admins.

1.3.2 Customisable Permissions

The other option from locked is customisable content permissions.  This means admins have to manually set permission rules on each workbook.  If permission rules are not set, the workbooks will be inaccessible to users.

Picture 5. Various dialogue boxes showing how permissions can be set to either be locked or customisable

1.3.3 Updating Permissions

When using customisable project permissions, changing the workbook-level permissions in the project dialogue will not update the inherited permissions of workbooks already published to that project. In order to overwrite or remove permission rules across a number of reports, switch the asset permissions from customisable to locked. Set the permission rules at project level and they will then apply to all reports and nested projects. The permissions can then be switched back to customisable if you need to make any further changes at report level.

image-20241202-132918.png
Picture 6. The asset permissions dialogue of a project, showing an admin about to switch from customisable to locked.

If the workbook-level permissions are updated at project level while still customisable, any new publications to that folder will inherit the updated rules. Otherwise a workbook must be fully deleted from the folder and published fresh in order to update their inherited permissions. Simply editing in desktop and republishing is not enough.

 

1.4 Effective Permissions

Effective permissions work from the bottom up.  That means that where permissions are set at multiple levels, the permissions set at child level take precedence over those set at parent level.

Picture 7. Screenshots of the permission dialogues at project level and workbook level

 

1.5 Other Useful Information

1.5.1 All Users Group

By default, all users on Tableau server are added to an ‘All Users’ group.

1.52 Default Permissions

Every project that is created on Tableau Server will automatically be given the same permissions as the Tableau Server Default project.  In order to implement a standard approach for the 'All Users’ group across all Tableau projects, the permission rules on the Default project must be set.  Currently both permission capabilities at that project level are set to ‘deny’.

image-20241128-102634.png
Picture 8. Permissions dialogues for the Default project, showing both project and workbook permission rules

1.5.3 Tabbed Views

When sheets (aka tabbed views) are shown as navigational tabs at the top of each view, permissions for all sheets will inherit the workbook permissions.  However, if you want to manage access independently across sheet tabs, the workbook must:

  • Be published to Tableau Server

  • Be in a project with customisable content permissions

  • Not show sheets as tabs

In a customisable project any changes to workbook-level permissions won’t be applied if tabbed views are off.  In that instance changes to permissions must be made on individual views.  Please note that although this is possible, it is not recommended as general practice.

 

2.0 Row Level Security

Row-level security (RLS) allows the data in a report to be filtered depending on the person viewing it.  For example, only allowing research staff in Biology to view their own research output data and not that of other departments.

2.1 Creating a User Filter

  • Navigate to the sheet you want to restrict

  • Server → Create User Filter → [Dimension you want to restrict on, e.g. Department]

  • In the left hand panel, select the user or group you want the filter to apply to

  • In the right hand panel, select what values you would like them to see

  • Once set up, this rule will appear the data panel as a set, similar to this:

  • Drag this user filter to the Filters shelf (where it will become a context filter)

2.2 Testing a User Filter

In the bottom right hand of Tableau, you can preview what a sheet will look like for a different user.

Picture 9. Screenshot of a report open in Tableau Desktop, showing how user filters are applied and tested

 

3.0 Active Directory

Staff members are added to various g0- groups in Tableau via the Active Directory, which is updated every night.  Each group corresponds to a department or area.  The names and codes can be found here:

Sort on ‘code’ with all other fields blank in order to produce a list of departments in order. This process gives staff a Tableau login, and can give them the correct row-level access (where this is set up).

Some more information can be found on this HR wiki page:https://uoy.atlassian.net/wiki/spaces/HRSYS/pages/20873407

X.0 Appendix

X.1 Useful Links

Tableau Server | Permissions

Tableau Server | Managing Permissions with Projects

Tableau Server | Configuring for Managed Self-Service

The Data School | Tableau Server Default Project Permissions

Tableau Server | Manage Sheets in Dashboards and Stories

 

Related content