8 Replies Latest reply on Nov 7, 2013 1:00 PM by Murali Govindu Branched to a new discussion.

    Inherit permissions on Server


      Tableau Server manual states:

      "If you leave the permission set to Inherited, the user or group's access to the data source will be determined by the group or project permissions."

      It says the same for workbooks.


      What happens if all levels are set to Inherited, which is the default choice for most of the pre-defined permission sets? If the data source says Inherit, and so does the project and group/user, then what inherits what from what?


      I have just been through this closed loop a few times trying to stick to pre-defined permission sets only, and found it impossible. At least one permission set must be customised.

      My case was with the data server extract published to Tableau Server - a user got an error even though she was set up as Interactor. I had to explicitly allow connection to published data source on workbook permission level, Inherit from data source level (she was a "Connector") didn't work.

        • 1. Re: Inherit permissions on Server
          Tracy Rodgers

          Hi Dimitri,


          License levels do not mean that a user will have that level of permissions across all projects, workbooks, views or data sources. The license level means that these are the maximum possible capabilities the user can have.


          When a workbook or project is published, unless the default All Users is specified to have permissions, then each user will have to have the permissions specified if they are to have access. Otherwise, Tableau assumes their access is denied.


          As a rule: Deny trumps Allow.


          The inheritance goes from a group to a user (assuming that the user has neither been denied or allowed access when the rest of the group has not). Another rule of thumb: User permissions trumps Group permissions.


          I hope this helps!



          1 of 1 people found this helpful
          • 2. Re: Inherit permissions on Server

            Thank you, Tracy.


            The reason I posted this was a strange issue when I tired using the new Data Server. I published data extract to our Server and granted one user permission to connect to it. I then published a workbook that used this extract, and published it to a project to which user had interactor access. I used pre-defined Interactor sets for project, so it had a few 'inherit' permissions. The user could not see the published workbook and got the message that they are not allowed to connect to the data source, when I explicitly set permissions to 'Allow' on data source. To fix this, I had to change 'Inherit' to 'Allow' for 'Data connect' on workbook.

            This confused me a lot, as I still don't know how the permission inheritance works between data sources and workbooks.

            • 3. Re: Inherit permissions on Server
              Tracy Rodgers

              Hi Dimitri,


              Sorry, I'm just getting back to this one. Think of it as almost a hierarchy. Project-->Workbook-->View. Even if the user is given rights to the datasoource, if the user is Denied anywhere along the chain above, then that overrides him having rights to the datasource. Therefore, as noted, you'll have to give specific permissions within the desired workbook.


              Hope this helps further explain it!



              • 4. Re: Inherit permissions on Server
                Emma Whyte



                Sorry to jump on the back of this question, but I have a related issue.


                Can any one please define what a Data Source Connector is and when I have to set it to allow?


                I have a series of workbooks in a project that use a Tableau Server data source.


                I have a group of users who are set as Interactors. Do I also have to set them to "allow" on the Data Source Connector?  When it is set to "inherited" it says they are denied access to the data source connection.  Will this mean they cannot connect to the workbooks?





                • 5. Re: Inherit permissions on Server
                  Tracy Rodgers

                  Hi Emma,


                  The Data Source Connector is a Role--a pre-defined set of common capabilities made by Tableau to make it easier for defining what a user/group's permissions should be. The data source connector in particular, allows the user/group to connect to the data source on the server.


                  If your group of Interactors are denied access to the data source connection within either the group or project permissions, then they will also be denied here.



                  • 6. Re: Inherit permissions on Server
                    Emma Whyte

                    Hi Tracy


                    Thanks for the reply.


                    Could you let me know that if the users are denied access to the data source connection will they be able to see the views in the workbook? Or by not being able to connect to the data source does this restrict them from seeing views created by that data source?





                    • 7. Re: Inherit permissions on Server
                      Murali Govindu

                      Hi Tracy,


                      In Tableau 8.0.4:


                      What might be happening when a Data Source is published in:


                      Scenario A: Denied for Viewing and rest of the permissions other than Allowing to Connect?


                      Scenario B: When the permissions are Allowed for Viewing and Connecting and rest of the permissions are denied?


                      Thanks and regards,


                      • 8. Re: Inherit permissions on Server
                        Murali Govindu

                        Hi, Emma


                        I don't think so it will effect the viewing capabilities of the user when they are permitted to view the workbook but not the data source.  The data sources connection would be useful for those who wanted has some vested interest atleast in seeing the data connections - like types, joins, tables, etc..(I am not talking about manipulations/ editing here).


                        I am sure you might have experienced this by now.