9 Replies Latest reply on Mar 22, 2018 6:44 AM by Toby Erkson

    Clarifying "Connect to Data Source" Permission

    Sean Mullane

      It seems that when a workbook is published using a separate published data source, viewers of the workbook need permissions 1. to view the workbook and 2. to connect to the data source in order to view the workbook. Setting aside that this is somewhat confusing...

       

      My question is: is the "Connect to data source" permission sufficient to allow a user to connect directly to a data source and see the detailed data if they have Desktop? Or does the user need to be a publisher as well? Note that this questions is about named users, not the Guest user.

       

      Our scenario is such that we don't want all users able to see the workbook to see the detailed data, so no connecting to the data source for them, but we'd like to use separately published data sources for maintainability and to prevent data source proliferation. If those users can always connect to the data source then it seems using published data sources is off the table for us. The threads below have some information but not the complete picture:

       

      Publisher of Data Source cannot access it from desktop

      Re: Why does a user who accesses a view that connects to a data source must have both View and Connect permission to see the view?

      Re: Forbidden Action ... Guests must have Connect permission?

        • 1. Re: Clarifying "Connect to Data Source" Permission
          Toby Erkson

          Sean Mullane wrote:

           

          ...

          My question is: is the "Connect to data source" permission sufficient to allow a user to connect directly to a data source and see the detailed data if they have Desktop? Or does the user need to be a publisher as well? Note that this questions is about named users, not the Guest user...

          For this question, yes, a Desktop user would require "Connect to data source" permission to connect to the data source.  The right of Publisher has no bearing here as it's a function to the Tableau Server and not to the Tableau Desktop application.

          • 2. Re: Clarifying "Connect to Data Source" Permission
            Toby Erkson

            Sean Mullane wrote:

             

            ...

            Our scenario is such that we don't want all users able to see the workbook to see the detailed data, so no connecting to the data source for them, but we'd like to use separately published data sources for maintainability and to prevent data source proliferation. If those users can always connect to the data source then it seems using published data sources is off the table for us...

             

            Curious, why aren't you using extracts for your report consumers and setting the "View Summary Data" to Allow and the "View Underlying Data" to Deny?

             

            Also, even if the workbook is opened in Desktop and there's a live data source to connect to, the Desktop user still has to enter in the credentials before continuing otherwise it will fail.

            • 3. Re: Clarifying "Connect to Data Source" Permission
              Sean Mullane

              That's the idea, with the extract being published as a separate data source. But it looks like having an extracted separate data source would not allow us to prevent a user connecting from desktop - there would be no additional credentialing required at that point since we're using the Run As user to refresh.

               

              The reason we were interested in using separately published extracted data sources was for reusability for the publishers. It's not a critical concern, so it looks like we'll primarily opt not to publish data sources separately.

              • 4. Re: Clarifying "Connect to Data Source" Permission
                Jared Kubly

                Was a solution to this issue ever discovered? I can't fathom why a user must be able to connect to a data source directly when the user already has permissions to access a view which is connected to that data source. The current model makes it possible for anyone who can view a View to circumvent any built in filters and access all of the underlying data by connecting directly to the data source via Desktop.

                • 5. Re: Clarifying "Connect to Data Source" Permission
                  Sean Mullane

                  Not to my knowledge, but we're still on 8.2 so I couldn't say about v9.

                  • 7. Re: Clarifying "Connect to Data Source" Permission
                    Srini Ramanathan

                    Sean,

                    I am seeing this question after a whole year and hope you already have the right answers from your own experiments. In any case, I would like to help readers of this thread -

                    Here is my understanding from all the tests I ran on Tableau Server and the support tickets I opened with Tableau. Published data sources is the right approach for enterprises which need control on the server for 2 reasons (1) Ensure data security (2) Ensure Server resources are optimally used.

                     

                    Connect to published data source is only required for users that need to analyze the data on Tableau Desktop.

                    View permission of the data source is required for the user to realize that the data source exists in that Tableau project.

                     

                    Extracts as we all know speed up dashboards, but if you create an extracted published data source, any workbook built using that data source will reveal the data to the interactor/viewer based on workbook level permissions. Connect permissions to the data source has no bearing if interactors and viewers see the data.

                    • 8. Re: Clarifying "Connect to Data Source" Permission
                      Jon Fox

                      Hi Sean,

                       

                      Appreciating this was several years ago but this thread still featured prominently when I was searching for a solution to much the same problem.  I thought I would add what I have found here in case it benefits others who are searching for the same answers - particularly around the differences between the View and Connect data source permissions.

                       

                      If you publish a packaged workbook to Tableau Server, the users of that workbook must have the 'View Workbook' permission enabled.  No data source permissions are required, given that there is no separate data source for a packaged workbook.

                       

                      If you publish a workbook that connects to a Tableau Server data source, the users must have both the 'View Workbook' and 'Connect Data Source' permissions enabled.  If they do not have the latter then the users will see the workbook and view thumbnail previews in the menu - but the individual views will fail to open.

                       

                      Interestingly, the 'View Data Source' permission is irrelevant in terms of being able to open connected workbooks on Tableau Server - 'Connect' is all that is needed for that.

                       

                      The 'View Data Source' permission will list it in Data Sources menu, independently of any connected workbooks.  However, if a Tableau Server user selects a data source in that list they must also have the 'Connect Data Source' permission in order to select 'New Workbook' and therefore access the full data.  Therefore, having View Data Source without Connect Data Source seems kind of pointless because a user can see a data source exists without being able to access the data.

                       

                      For a Tableau Desktop user to be able to open a connection to the Tableau Server data source and bring the full data into their workbook, they must have both the View Data Source and Connect Data Source permissions.

                       

                       

                      In summary, if you want your users to be able to open workbooks without being able to open the full underlying data, give your users View Workbook and Connect Data Source permissions - but disable the View Data Source permission.  This will enable the workbook they open to connect to the separate data source - but it will prevent users from accessing the full data source separately, even if they are Tableau Desktop users.  Obviously you'd also disable the Download Full Data and Web Edit permissions to ensure those do not provide any access to the full underlying data.

                       

                      You could then have a separate group with both View and Connect data source permissions enabled, which would allow those users to access the full data source and build workbooks in either Web Authoring or Tableau Desktop.

                       

                      I hope this is useful.

                      1 of 1 people found this helpful
                      • 9. Re: Clarifying "Connect to Data Source" Permission
                        Toby Erkson

                        Srini & Jon,

                        Permissioning can get confusing and your explanations are helpful for others.  Thanks!