2 Replies Latest reply on Jul 14, 2015 8:31 AM by tim.latona

    Assign permissions to contents and overwriting permissions

    tim.latona

      Hi all,

       

      Here's a hypothetical situation I'd like some advice on, please correct me if any assumptions are wrong, I've tested but could have missed something:

       

      • Project A currently has one AD group (Group 1) with access to interact with workbooks
      • Publishers in Project A have been publishing workbooks and Group 1 have been successfully viewing
      • One specific publisher has published a workbook in Project A that explicitly allows only one user to view
      • The owners of Project A now decide that they need to add another AD group (Group 2) to access their project

       

      As an admin of course, I can just grant access to Group 2, but my testing shows that they wouldn't inherently get permissions to any existing workbooks.

       

      I could also "assign permissions to contents" which would trickle down the new permissions for Group 2, but that, in my testing, has shown that it would overwrite the permissions on the workbook that explicitly only allowed one user to view.

       

      How do I handle adding groups to projects, but retain any workbook level permissions that were specifically created to minimize access?

        • 1. Re: Assign permissions to contents and overwriting permissions
          Dan Rosenthal

          Hi Tim,

           

          You are correct.  Permissions assigned to workbooks and permissions assigned to projects are independent.  Adding new permissions for Group 2 to Project A will not affect the existing workbooks in Project A in any way.

           

          You are also correct that Assign Permissions to Contents (APTC) will overwrite all existing permissions on workbooks, views, and datasources within the project.

           

          Here are a few things you could do:

          1. You could move this unique workbook to a separate project.  Then you can add the new Group 2 permission to Project A and run APTC.  Thus, this would not affect the workbook.
          2. You could also use the REST APIs http://onlinehelp.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref.htm to programmatically add the Group 2 permission to both Project A and every workbook and datasource within it.  You would likely need to combine Query Workbooks for User and Add Workbook Permissions.  Looking at the documentation it appears this won't affect sheet-level permissions, so be mindful that these permissions will only affect the sheets of workbooks with Display as Tabs enabled.

           

          Best of luck

          Dan

          1 of 1 people found this helpful
          • 2. Re: Assign permissions to contents and overwriting permissions
            tim.latona

            Dan Rosenthal

             

            Thank you for responding. I gotta say I think this is a significant miss on Tableau's part. They should consider:

             

            • Adding a checkbox (unchecked by default) that allows a publisher to publish a book that will ignore APTC.
            • Create an optional, more verbose version of APTC that allows an admin to view any disparate workbook permissions prior to hitting the button. Or, doing a quick inventory of workbook permissions to call out that there's a book with non-standard permissions and allow me to overwrite, skip or cancel.

             

            I would feel terrible if I unintentionally opened a workbook to a broader group solely because I was trying to edit project permissions.