11 Replies Latest reply on Oct 25, 2017 8:10 AM by Thomas Gauthier

    Assigning project-based publishing permissions in Tableau Server (v7.0.6)

    Tim Quayle

      I'd like to assign publishing permissions in Tableau Server (v7.0.6) to individual users/groups for certain projects only.

       

      We have a handful users who would like to publish visualizations and share them with an internal team. My solution would be to to create a special project for which a user has publishing permissions. I do not want that user to have permissions to publish to other projects - only a specific project with limited user access. I know how I can restrict viewing/interacting access to the contents of particular projects, but It seems that publishing permissions are granted for all projects or nothing. Is there a way to work around this without creating a new site?

        • 1. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
          Russell Christopher

          Heya Tim -

           

          There are two distinct sets of permissions that allow a user to Publish.

           

          The first is the "Allow/Deny" Publish permission directly associated with the user. If this sucker isn't turned on, then Tableau Desktop will not allow one to Publish. Think of this as the door man keeping riff raff (like me) out of the hotel you're staying in:

           

          ScreenHunter_01 Dec. 31 11.55.jpg

           

          Next, you need to get into your room, which is accomplished by allowing the user to Write to the Project question. There are number of Roles that grant the Write permission, including "Publisher", "Editor" and "Project Leader":

           

          ScreenHunter_02 Dec. 31 11.58.jpg

           

          So in essence, you need to:

           

          • Grant the user permissions to Publish to the Server
          • Grant the user (or group) permissions to Write to a project or projects via whatever set of permissions you chose (an explicit GRANT of the Write permission or assigning the Editor, Publisher, Project Leader role).

           

          You can read more about this stuff in the Tableau Server Administrator guide.

           

          Hope this helps!

          Hope this helps!

          1 of 1 people found this helpful
          • 2. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
            Tim Quayle

            Russell:

             

            Thanks for the clarification. I have a follow-up question. The challenge we have is that we want to be sure that User A can only publish to Project A (the easy part, via the "write" permission levels for projects as outlined above), but also restrict who can see User A's published content (this seems to be the hard part, because we don't want User A to have any control over this). It seems that even if we assign viewing permissions for Project A and restrict User A's publishing permissions to Project A, every time he publishes a workbook he can specify who gets to see his content. I'm fully aware that we can Assign Permissions to Contents for Project A after User A publishes to it (thus enforcing our desired viewing restrictions), but will those permissions be assigned to all future content he publishes there, or can he override the inherited project permissions every time he publishes? The Server Administrator Guide gives me the impression that the publisher always can override project-level permissions.

             

            Thanks & Happy New Year!

            • 3. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
              Russell Christopher

              Hey Tim -

               

              When someone publishes content, they own it, so can do whatever they like with it. Therefore, there is no way for an Administrator to "take away" a publisher's ability to manage content they published because that publisher is the administrator of said content.

               

              SO, that being said - you're probably going to have to come up with some sort of "publish by proxy" mechanism so that stuff dropped out on the server isn't actually owned by the person(s) who created it.

               

              Here's how I'd probably approach it. Your mix of technical skills is probably different than mine (and therefore, your approach), but you'll hopefully get the general idea:

               

              • Don't grant any users publisher permissions at all. Instead, tell them to drop "reports ready to be published" in an arbitrary fileshare somewhere
              • YOU will write a batch file or program which utilizes Tableau's TabCmd command-line tool to publish anything that lands in that folder using a different user identity. You might do so....
                • Using a file system listener that fires every time something new lands in the folder
                • Using a schedule that launches a batch file every X minutes to publish and delete anything that happens to be in the folder
                • etc....

               

              The long and short of it will be that the original content creator will not be the owner of the content, so you can manage the permissions on the workbooks however you want without them getting in your way.

               

              Hope this makes sense? Sorta?

              2 of 2 people found this helpful
              • 5. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
                Chris Gerrard

                Russell's explanation does an excellent job of illuminating this murky area. Understanding how permissions work, particularly how they interact, is not well documented.

                 

                The Tableau documentation is correct from a technical perspective but it doesn't really help one build the cognitive map needed to navigate the permissions space and achieve the results then need.

                 

                The Tableau Server 8 administrative interface is a big step forward, and should be a real help.

                • 6. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
                  Amy Song

                  Hi Russell,

                  This might be a bit tangential, but I found your post really helpful and thought you might know -- what is the difference between the green checkmark and gray checkmark under publish?  Does it indicate different levels of permissions? Thanks!

                  • 7. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
                    Russell Christopher

                    As I recall, the difference has to do with whether the publish right was specifically granted (green) or implicit (grey).

                    • 8. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
                      Prem Reddy

                      Thank you Russell for elaborating the permission which is really useful. I've now understood how a user can be restricted from publishing to a project in a Site. However, I just wanted to check if "Write/Web Save" is the role which is responsible on the server for either grating or denying Publishing access to the user.

                       

                      if Yes then I would like to know if following requirement could be possible?

                       

                      I do not want the user to provide Publishing access to Project but I want the same user to edit the published contents on to the projects. In that case since in 8.0 there is only one option provided i.e. "Write/Web Save" how would this could be accomplished.

                       

                      Thank you for any help!

                       

                      Thanks,

                      Prem

                      • 9. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
                        Erin Gehn

                        Is anyone familiar with how this same solution could be reached within the current version of Tableau?

                        To reiterate, I would like to give a user permission to publish ONLY to their own project. No other projects.

                        Thoughts?

                        • 10. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
                          Thomas Gauthier

                          Russell Christopher, I assume you don't need to do this anymore, since you can lock the file permissions to the project's permissions (at least if you're on Tableau 10.4)?

                          • 11. Re: Assigning project-based publishing permissions in Tableau Server (v7.0.6)
                            Thomas Gauthier

                            Erin Gehn, Don't you just need to deny them the publish right for all other projects and ensure they aren't administrators or owners?