1 Reply Latest reply on Mar 31, 2017 9:31 AM by Patrick A Van Der Hyde

    Best practice for permissions management across projects that contain workbooks that share a single published data source

    Walker Storrer

      Hi, I could use some advice.


      I manage a Tableau Server (10.0) site that has many projects, but I want to simplify the issue for clarification. I have one project called Development, where permissions are locked to the project and only "Group A" has access. I have another project called Training, where permissions are managed by the content owner and beta testing groups have access to specific workbooks. There are two workbooks in Development that share the same data source. That data source, since it exists in Development and permissions are locked to the project, can only can be accessed by "Group A." If I move one of the workbooks to training and grant access to "Group A" and "Group B," then "Group B" will be unable to connect to the data source. Thus, I would need to go into the Development project and add "Group B" to the project, while setting their Project-permissions to None, their Workbook-permissions to None, and their Data Source-permissions to Connector.


      Now imagine this on a larger scale where there are multiple functional teams that manage their own Development environment and share a training environment. It is very hard to train these publishers to grant access to users in two separate places. I often get complaints that someone is unable to connect to a data source because the project leader thought that adding a group to the Training project and setting their Data Source-permissions to Connector would allow access. Instead, they needed to add the group to the Training project, provide Project-permissions at the project-level, Workbook-permissions at the workbook-level (since permissions are managed by the content owner for the Training project), and Data Source-permissions in an entirely separate project. That is three locations that permissions need to be set.


      My solution is to provide the "All Users" group the Connector capabilities for every published data source. Are there any red flags I'm overlooking? Most of our users do not have a Tableau Desktop license and we do not allow web-editing. Allowing every user to connect to every data source just means that if they have access to a workbook, then they can connect to the data source.