1 of 1 people found this helpful
Heya Tim -
There are two distinct sets of permissions that allow a user to Publish.
The first is the "Allow/Deny" Publish permission directly associated with the user. If this sucker isn't turned on, then Tableau Desktop will not allow one to Publish. Think of this as the door man keeping riff raff (like me) out of the hotel you're staying in:
Next, you need to get into your room, which is accomplished by allowing the user to Write to the Project question. There are number of Roles that grant the Write permission, including "Publisher", "Editor" and "Project Leader":
So in essence, you need to:
- Grant the user permissions to Publish to the Server
- Grant the user (or group) permissions to Write to a project or projects via whatever set of permissions you chose (an explicit GRANT of the Write permission or assigning the Editor, Publisher, Project Leader role).
You can read more about this stuff in the Tableau Server Administrator guide.
Hope this helps!
Hope this helps!
Thanks for the clarification. I have a follow-up question. The challenge we have is that we want to be sure that User A can only publish to Project A (the easy part, via the "write" permission levels for projects as outlined above), but also restrict who can see User A's published content (this seems to be the hard part, because we don't want User A to have any control over this). It seems that even if we assign viewing permissions for Project A and restrict User A's publishing permissions to Project A, every time he publishes a workbook he can specify who gets to see his content. I'm fully aware that we can Assign Permissions to Contents for Project A after User A publishes to it (thus enforcing our desired viewing restrictions), but will those permissions be assigned to all future content he publishes there, or can he override the inherited project permissions every time he publishes? The Server Administrator Guide gives me the impression that the publisher always can override project-level permissions.
Thanks & Happy New Year!
2 of 2 people found this helpful
Hey Tim -
When someone publishes content, they own it, so can do whatever they like with it. Therefore, there is no way for an Administrator to "take away" a publisher's ability to manage content they published because that publisher is the administrator of said content.
SO, that being said - you're probably going to have to come up with some sort of "publish by proxy" mechanism so that stuff dropped out on the server isn't actually owned by the person(s) who created it.
Here's how I'd probably approach it. Your mix of technical skills is probably different than mine (and therefore, your approach), but you'll hopefully get the general idea:
- Don't grant any users publisher permissions at all. Instead, tell them to drop "reports ready to be published" in an arbitrary fileshare somewhere
- YOU will write a batch file or program which utilizes Tableau's TabCmd command-line tool to publish anything that lands in that folder using a different user identity. You might do so....
- Using a file system listener that fires every time something new lands in the folder
- Using a schedule that launches a batch file every X minutes to publish and delete anything that happens to be in the folder
The long and short of it will be that the original content creator will not be the owner of the content, so you can manage the permissions on the workbooks however you want without them getting in your way.
Hope this makes sense? Sorta?
Russell's explanation does an excellent job of illuminating this murky area. Understanding how permissions work, particularly how they interact, is not well documented.
The Tableau documentation is correct from a technical perspective but it doesn't really help one build the cognitive map needed to navigate the permissions space and achieve the results then need.
The Tableau Server 8 administrative interface is a big step forward, and should be a real help.
This might be a bit tangential, but I found your post really helpful and thought you might know -- what is the difference between the green checkmark and gray checkmark under publish? Does it indicate different levels of permissions? Thanks!
As I recall, the difference has to do with whether the publish right was specifically granted (green) or implicit (grey).
Thank you Russell for elaborating the permission which is really useful. I've now understood how a user can be restricted from publishing to a project in a Site. However, I just wanted to check if "Write/Web Save" is the role which is responsible on the server for either grating or denying Publishing access to the user.
if Yes then I would like to know if following requirement could be possible?
I do not want the user to provide Publishing access to Project but I want the same user to edit the published contents on to the projects. In that case since in 8.0 there is only one option provided i.e. "Write/Web Save" how would this could be accomplished.
Thank you for any help!
Is anyone familiar with how this same solution could be reached within the current version of Tableau?
To reiterate, I would like to give a user permission to publish ONLY to their own project. No other projects.