Permissions can become complicated when security is paramount to information sharing. Paraphrasing what Tableau support told me:
The order of container precedence is (where 1 is the highest precedence):
1. View (this is a sheet in a Workbook)
or another way to show order of presedence: View > Workbook > Project > Site. This means that a Workbook could inherit its Allow permission of "Add Comment" from the parent Project but an Admin could change a specific View within it to Deny "Add Comment", thus all the Views within the Workbook would allow comments to be added except for the one View that had its permission changed.
Since I only have a single Site I don't know how permissions are set there though I would suspect that each Site will have its own permisssions that are independent of the permission of other Sites i.e. the same workbook in Site #1 could have different permissions on it compared to Site #2.
When "Inherit" is set at the Project level it's considered NULL or not set. This means that the next level of permissions would then apply, which is Workbook.
From what I hope I understand correctly:
- Admins need to set permissions at the Project level. This means not using the Inherit column (personally, I don't think it should even be present).
- It's up to the publisher to alter the permissions if necessary i.e. over-ride what is set at the Project level.
- Admins can change the permissions of Projects, Workbooks, AND Views.
- See Home > Administrator Guide > Security > Authorization on how initial permissions are set.
1 of 1 people found this helpful
The way I've set things up to keep my sanity is that workbooks go into Projects, users go into Groups, and each Project has one or more Groups associated with it. When I publish a workbook, I choose the Project and don't mess with anything else. It's worked pretty well (so far).
In Tableau 8.0.4
What might be happening when a Data Source is published in:
Scenario A: Denied for Viewing and rest of the permissions other than Allowing to Connect?
Scenario B: When the permissions are Allowed for Viewing and Connecting and rest of the permissions are denied?
Thanks and regards,
I would default to what the documentation states.
A) The Users for this permission set could still connect to the data source (well, the report they're executing) but they couldn't do anything else regarding that data source. I'm guessing they wouldn't be able to edit the connection or use the Describe... action, stuff like that.
B) Same as above but they could edit the connection and they could use the Describe... action.
Experiment/play with the settings
Thanks for your response Toby, when get a chance, I will experiment. Looks like the B) has one or more features of Connect Editor. Will come back if I have definite answer.
Something I learned from one of the Tableau Conference 2013 video sessions I watched today is that Inherit means "look up and DENY if nothing is there". Wow, that explains so much! If only the documentation had noted that.
Hi Toby, I may be a little off topic but I did not see a way to comment on your Active Directory Blog. I downloaded your file and in trying to save the workbook I am getting a permissions error for the Groups and Group_Users table. What permissions do I need to be able to access these tables? I know that I have access to all of the Postgre tables with the "_" prior to the table names so how are you able to use the others?
Do you mean this?: Tableau Active Directory Assistant
If so, in the description it explains that you need FULL access to your Tableau Server db:
Lastly, you will need to have full access to your Tableau Server db in order to use the Groups_Users.twb workbook. This is very easily accomplished by following the steps in the DAAP documentation.
I opened it back up for comments so if you have additional questions you can now post there.