1 2 Previous Next 15 Replies Latest reply on Jun 15, 2017 1:26 AM by Wilson Hery Branched to a new discussion.

    Reporting on Permissions for Server Projects

    Suzi King

      Is there a way to create a view which lists projects and the users and groups who have been granted permissions to that project? I am trying to keep track of projects and which groups and users have access to the workbooks in the project. I have looked at some of the Server Admin Views, but I have not seen any with that information.

       

      Thank you!

        • 1. Re: Reporting on Permissions for Server Projects

          Hey Suzi,

           

          We're working on some custom admin views behind the scenes that should be released for public consumption sometime within the next week or two (hopefully). Once we have the custom admin views released, it should be much easier to help you accomplish what you're trying to do. So hang tight, I've bookmarked this page, and as soon as I know more, I'll reach out. In the meantime, I'm moving this to our new server admin section.

           

          Thanks,

           

          Diego

          2 of 2 people found this helpful
          • 2. Re: Reporting on Permissions for Server Projects

            Thanks Diego!  I appreciate your help and I look forward to those new views!

            • 3. Re: Reporting on Permissions for Server Projects
              vikram bandarupalli

              Suzi, I've built a custom view to get this information. If you can email me directly, i can share the .twb in the meantime.

              You can use this to connect to your postgres to get the information you need.

               

              I'm sure Diego will come up with a better version.

               

              Thanks,

              Vikram

              1 of 1 people found this helpful
              • 4. Re: Reporting on Permissions for Server Projects
                vishwanath Pendyala

                Hi

                 

                This gives you list of the workbooks user has access to. If you can modify the query a bit , you can get at project level.

                 

                Finding Tableau Server User Permissions

                 

                Thanks

                Vishwa

                2 of 2 people found this helpful
                • 5. Re: Reporting on Permissions for Server Projects
                  Suzi King

                  Vikram - I would love to see what you have done. Not sure where to find your email?

                   

                  Thanks

                  Suzi

                  • 6. Re: Reporting on Permissions for Server Projects
                    Suzi King

                    Thanks Vishwa  Looks like a fun project to dive into this morning! Thank you!

                    • 7. Re: Reporting on Permissions for Server Projects

                      Hey Suzi,

                       

                      I'd take a look here!

                       

                      Postgres "workgroup" database is open and documented

                      1 of 1 people found this helpful
                      • 8. Re: Reporting on Permissions for Server Projects
                        Jeff Strauss

                        I have some custom sql created against the internal postgres that taps into the nextgen_permissions table and joins to many other tables to get the info you need.  If the documentation or admin views don't help, then let me know.  I made integrated this into part of my custom portal on server.

                        • 9. Re: Reporting on Permissions for Server Projects
                          John Westfall

                          Vikram,

                           

                          I would also like to see the view you have built to access the user permissions by project.  Is this something you can share here, and/or would you be willing to share?  I'm unable to locate the database tables in the Workgroup Postgresql database that store permissions.

                           

                          Thanks

                          • 10. Re: Reporting on Permissions for Server Projects
                            Rick Kunkel

                            Hi, Suzi. Check this out.  Permissions workbook

                             

                            It will list permissions by object or identity.  In the partial screenshot below, for example, I've checked "Project" to see permissions on projects.  In this example, you can see that the user called "ustabserv" has been explicitly denied (hence a red square) the "View" capability to the "LookAtMeProject" Project.

                             

                            (Tip: Hiding the All Users group by unchecking "All Users" cleans up most of these representations significantly.  Of course, if you're interested in permissions for the "All Users" group, don't uncheck it.)

                             

                            Keep in mind there there's no permission inheritance for objects in Tableau Server.  (I'd preferred that "Inherited" had been named "Undefined" instead.)  So, just because ustabserv has been denied View access for this project doesn't mean they can't see the objects inside it.  If I wanted to keep ustabserv from seeing workbooks or views inside this project, I'd have to click "Assign permissions to contents" on the project permissions screen.  Doing so would result in me seeing explicit deny permissions for ustabserv on workbooks and views in the below view as well.

                             

                            permission-project.png

                            2 of 2 people found this helpful
                            • 11. Re: Reporting on Permissions for Server Projects
                              Toby Erkson

                              Rick Kunkel wrote:

                               

                              ...

                              So, just because ustabserv has been denied View access for this project doesn't mean they can't see the objects inside it.  If I wanted to keep ustabserv from seeing workbooks or views inside this project, I'd have to click "Assign permissions to contents" on the project permissions screen.  Doing so would result in me seeing explicit deny permissions for ustabserv on workbooks and views in the below view as well.

                               

                              Wait a second.  If a Project is created and Permissions are set, I was under the impression that denied people/Groups would be affected by the Permissions.  So 'ustabserv' wouldn't even be able to enter the given Project.  When I tested this, having a user try to enter a Project where the Permissions were set against them (denied) I got the appropriate response:

                               

                              I did not use the "Assign permissions to contents".  I set the View Permission to Allow and Deny several times for the Project and results were consistent:  Project visible when Allow was set, Project not visible when Deny was set.  Trying to jump directly to a workbook wouldn't work when Deny was set (above image).

                               

                              So I'm confused about what you're saying.  Then again, Permissions aren't a simple process.  I agree that the Inherit Permission is confusing; I don't like it, either.  I'd rather not see it at all.

                               

                              I wonder if the "Assign permissions to contents" is only meant for the Workbook Permissions, while all the other Permissions for the Project apply directly to the Project and thus have no need to be inherited by its contents (workbooks)?

                              • 12. Re: Reporting on Permissions for Server Projects
                                Rick Kunkel

                                Thanks for the response, Toby.  I should have provided more detail.  The upshot is that you've forced me to re-test some of my understanding, which is good.

                                 

                                Here are some clarifying observations of mine.  They are not really logically connected from top to bottom, but they should help explain my understanding:

                                 

                                • If a user is denied view access to a project, they cannot navigate to it.  (This, I believe, is what you are seeing.)
                                • If a user knows the exact URL for a workbook or view, they can go to it unless they've been explicitly denied.
                                • A workbook will adopt the project permissions at publish time by default.

                                 

                                 

                                The interaction of the above factors means that, if the admin does NOT click "Assign permissions to contents" when setting project permissions:


                                If the workbook existed in the project prior to deny view permission being set on the project:

                                1. Users denied view permission to the project cannot navigate to the project
                                2. Users denied view permission to the project CAN see the workbook by going to the URL.  This is because the workbook does not have the deny view permission set.


                                If a workbook is published to the project after deny view permission is set on the project:

                                1. At publish time, the workbook will adopt the same deny view permission as the project by default.  This means that the workbook will have a deny view permission set.
                                2. As a result, the deny view permission is explicitly set on the project and workbook, and users cannot navigate to the project OR view the workbook.

                                 

                                In other words: If you deny permission on a project but don't assign permissions to contents, users will not be able to navigate to that project, but they will be able to see things inside of it that were published earlier, if they know the URL.  Workbooks published after the permissions are set will adopt the project permissions, meaning that users are denied access to them (as most likely is desired).

                                 

                                 

                                More generally speaking, it helps me to think of each asset -- project, workbook, view, (and data source) -- having its own permissions, unconnected to the permissions around it.  Furthermore, clicking "Assign permissions to contents" copies the permissions from the higher-level asset to the lower-level assets; lower-level assets haven't in that sense "inherited" anything from higher-level assets.

                                2 of 2 people found this helpful
                                • 13. Re: Reporting on Permissions for Server Projects
                                  Michael Chen

                                  Hi Suzi,

                                   

                                  You may find this post helpful for finding your answer:

                                  New Views for Tableau Server Administrators — BI on BI

                                   

                                  Thank you

                                  MC

                                  1 of 1 people found this helpful
                                  • 14. Re: Reporting on Permissions for Server Projects
                                    Laura John

                                    Hi Rick,

                                    Delayed reponse, but I have a related question.  If a user is granted explicit permissions to a workbook, but not the project and is not denied access to the project, should they still be able to see the project since they have access to workbooks in the project?    I thought this was the case, but in the last couple weeks we have found that users cannot see the project unless we explicitly add them on the project (in addition to the workbooks).

                                    thanks!

                                    1 2 Previous Next