Fundamentals of Tableau Permissions
- Aurora Broom
The original document this page is based on can be found here → https://docs.google.com/document/d/1RTWNwu3dJ673xaFUJlMzMt_knxOAzbgPczgND8777hk/edit?tab=t.0
Also in this document is the proposed action plan for updating our approach to Tableau permissions, and notes on its implementation.
Page Contents
- 1 Page Contents
- 2 1.0 Fundamentals of Tableau Permissions
- 3 2.0 Row Level Security
- 4 3.0 Active Directory
- 5 X.0 Appendix
- 5.1 X.1 Useful Links
1.0 Fundamentals of Tableau Permissions
Tableau uses projects to organise content and groups to organise users. Managing permissions is easier when permission rules are:
Set at project level
Established for groups
Permissions → determine how users can interact with content such as workbooks and data sources. Permissions are made up of capabilities, which allow users to perform actions. Tableau capabilities include view, filter, download and delete. A row of capabilities is a permission rule. Permission rules can be set for groups or individual users.
Permissions dialogue → the screenshot below shows the permissions dialogue for a workbook.
Effective permissions → the interplay between licence level, site role and multiple permission levels interact to form a user or groups effective permissions. These can be viewed for each workbook and user in the permissions dialogue.
1.1 Levels of Permissions
1.1.1 Project Level Permissions
When in a project (as opposed to an individual workbook), there are several levels of permissions available, as shown in the red and black boxes on the image below. At project level there are only two capabilities available - view and save.
The next tab along - Workbooks - has the full set of capabilities that reflect all the ways a user can interact with a report. A user/group must be explicitly granted capabilities at this level, otherwise they are denied - even if you set them correctly for individual workbooks. Although in the image below, the ‘run data explain' capability has been left blank, this still results in a user not being given that capability, as capabilities must be explicitly granted (opt-in, not opt-out).
1.1.2 Workbook Level Permissions
Viewing the permissions dialogue for a specific report, the full set of capabilities are again available.
1.2 Capabilities
As discussed in the previous section, at workbook level the rull range of 16 capabilities are available. Groups/users can be granted a custom set of capabilities, or there are pre-set groups that can be used instead. The table below lists them in full.
Capability | Standard in template | Description (lets a user…) |
|---|---|---|
View | View | See the workbook or view. If a user hasn’t been granted the view capability, the workbook won’t be visible to them. |
Filter | View | Interact with filters in the view, including keep only and exclude filters. Users lacking this capability won’t see filter controls in the view. |
View Comments | View | View the comments associated with the views in a workbook. |
Add Comments | View | Lets a user add comments to views in a workbook. |
Download Image/PDF | View | Download each view as a PNG, PDF or PowerPoint. |
Download Summary Data | View | View the aggregated data in a view, or in the marks they’ve selected, and download that as a CSV. |
Share Customised | Explore | Add their own custom views to the list of ‘Other Views’ available on a workbook and visible to other viewers. |
Download Full Data | Explore | View the underlying data in a view, or in the marks they’ve selected, and download that data as a CSV. |
Web Edit | Explore | Edit the view in a browser based authoring environment. |
Run Explain Data | Explore | Run the Explain Data tool on marks in editing and viewing mode (if the Explain Data feature is enabled as a site setting). |
Download Workbook/Save a Copy | Publish | Download a packaged workbook, save a copy from the web edit interface as a new workbook. |
Overwrite | Publish | Overwrite (save) the content on the server. |
Create/Refresh Metrics | Publish | Create metrics on the views in a workbook and lets any metrics that a user creates from those views refresh. |
Move | Administer | Move workbooks between projects. |
Delete | Administer | Delete the workbook. |
Set Permissions | Administer | Create permission rules for the workbook. |
X.0 Appendix
X.1 Useful Links
Tableau Server | Managing Permissions with Projects
Tableau Server | Configuring for Managed Self-Service
The Data School | Tableau Server Default Project Permissions
Tableau Server | Manage Sheets in Dashboards and Stories