9 Replies Latest reply on Oct 18, 2018 7:16 PM by Ann Ho

    Understanding Tableau Nested Project Permissions

    Mark Wu

      I spent hours and hours testing Tableau's new nested projects and their permissions. My test results are presented at today's Tableau Server Admin virtual user group meeting. The deck used is also attached and the recording is from Tableau Admin Virtual User Group 3 2 - YouTube (from 40 mins onwards). Here is the summary:

      1. To publish to a child project, all the following 3 conditions must be met:
        • Publisher site role
        • Publisher permissions to parent project
        • Publisher permissions to the child project
      2. Only the top parent project can be locked. If the parent is unlocked, a child can't be locked. For a locked project:
        • All child projects are locked
        • All child projects have the same permissions as the parent project.
        • All permission changes apply to all child projects automatically
        • Child projects can still have a different owner
        • Child projects can’t have different project leaders
      3. Project owner vs. project leaders
        • Both can create child projects
        • Both have full control of their child projects (delete, manage contents, change permissions, etc.)
        • Both are inherited as project leader by all their child projects.
        • A project (or child project) can have only one owner but multiple project leaders. However, it is not recommended to have too many project leaders for any project, since project leaders have superpowers over its content.
      4. Leverage project owner & project leader's super privileges for more self-service
        • Change extract refresh schedule
        • Modify any workbooks
        • Change workbook owner
        • Change data source owner
        • Change data source user/password
        • Delete workbooks
        • Change workbook or data source permissions
        • Move workbook
        • Restore old revision
        • Lock or unlock project permission
        • Certify or uncertify data sources (10.4)
        • Create or delete sub-project folder (10.5)

      Read more at my blog @ Enterprise Tableau. Pls feel free to share your understanding or questions.
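
The publishing and locking rules summarized in points 1 and 2 of the post above, modeled as a small check an admin could run over an exported project tree. This is an added example, not part of the original post and not Tableau's API; project names, group names and the data layout are constructed, and checking every ancestor in trees deeper than two levels is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Project:
    name: str
    parent: Optional["Project"] = None
    locked: bool = False  # rule 2: only honoured on a top-level project
    publish_groups: set = field(default_factory=set)

    def top(self):
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    def effective_publish_groups(self):
        # Rule 2: under a locked top-level project, children carry its permissions.
        top = self.top()
        return top.publish_groups if top.locked else self.publish_groups

def can_publish(has_publisher_role, user_groups, project):
    """Rule 1: Publisher site role plus publish permission on child and parent.
    Walking every ancestor in deeper trees is an assumption of this sketch."""
    if not has_publisher_role:
        return False, "no Publisher site role"
    node = project
    while node is not None:
        if not (set(user_groups) & node.effective_publish_groups()):
            return False, f"no publish permission on {node.name}"
        node = node.parent
    return True, "ok"

def ineffective_grants(project):
    """Groups granted publish on a child but not on its parent: the grant has no effect."""
    if project.parent is None:
        return set()
    return project.effective_publish_groups() - project.parent.effective_publish_groups()

# Constructed sample data (hypothetical projects and groups)
marketing = Project("Marketing", publish_groups={"mkt-publishers"})
emea = Project("Marketing/EMEA", parent=marketing, publish_groups={"mkt-emea-publishers"})
finance = Project("Finance", locked=True, publish_groups={"fin-publishers"})
ap = Project("Finance/AP", parent=finance, publish_groups={"ap-publishers"})

if __name__ == "__main__":
    print(can_publish(True, {"mkt-emea-publishers"}, emea))
    print(ineffective_grants(emea))
    print(can_publish(True, {"ap-publishers"}, ap))
```
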

        • 1. Re: Understanding Tableau Nested Project Permissions
          Andy Piper

          Mark--

          Thanks for the information. It is very helpful as I look to reconfigure our TS for use with 10.5.1.

          Do you know if the developers are looking at other permissionings within the folder structure beyond 10.5.1? I'm specifically looking for them to add the following abilities:

          • Locked sub-folders
          • Publishing rights only within sub-folders, not the parent folder as well

          In case Tableau developers are looking at this, here's why:

          • Our Marketing umbrella has about 12 different groups, each with their own folder currently
          • Each folder uses AD-groups for permissions such that only members of that specific marketing group can access their group-specific workbooks
          • Each folder has one or more publishers just for that Marketing group
          • We also have folders in which all of Marketing can access

          It would be nice to have:

          • One Marketing folder (primary)
          • Workbooks available to all of marketing are then stored here
          • Sub-folders within the primary would then allow each marketing department their own space for their own workbooks
          • Publishers for each space would only be able to publish to their specific spaces, not the area where all of Marketing can get to -- that should be the role of the primary project owner/publisher, not a sub-folder owner/publisher
          • Locked sub-folders would allow the sub-folder owners to dictate which AD-groups have permissions and allow workbooks published to the sub-folders take on the permissions of the sub-folder, not the primary (since not everyone with access to the primary should be able to view a workbook in a sub-folder).

          Thanks again,

          Andy

          • 2. Re: Understanding Tableau Nested Project Permissions
            Mark Wu

            Pls vote the following IDEAS:

            1 of 1 people found this helpful
            • 3. Re: Understanding Tableau Nested Project Permissions
              Andy Piper

              Thanks, Mark. I've voted up for these ideas. We will likely forego using nested folders in many cases until permission options available are more in line with our business.

              • 4. Re: Understanding Tableau Nested Project Permissions
                Forum Parikh

                Thanks Mark for sharing the details.

                My question is for upstream inheritance for UNLOCKED child projects to the parent project which does not seem to work today. Unlocking leads to disconnected parent and child project level permissions. When you permission a new group on a child project, the same does not get updated on the parent project. You have to also add the group on the parent same as done on child. Ideally, for permissions, the parent should be the master level permission whereas the child project can have one or more of the groups that are permissioned to the parent.

                I do vote for locking child projects which will help to restrict and inherit permissions on workbooks and data sources. But additionally, would want to at least be able to easily manage and have visibility of the full permission coverage on the parent level based on all the groups the child projects are permissioned to.

                Do you have any suggestions and is there a way today which I am not aware of?

                Forum Parikh

                • 5. Re: Understanding Tableau Nested Project Permissions
                  Mark Wu

                  Forum, There are two types of permission at project level. One is who can publish to this project, two is who can access the content of the project. I will talk about both here:

                  1. Who can publish to this project? Tableau does make us duplicate the publisher permission efforts at child project level and parent level. Given this is the way it works, how to do the setup? Pls see example @ Publisher permissions on Nested projects
                  2. Who can access the content of the project? Actually this type of permission is purely controlled at workbook or data source level. The permissions at project level are only as default during the publishing process. However publishers (owners) can deviate to whatever permissions during or post publishing, which is why Tableau calls permission managed by owner (unlocked). For example, even if group ABC has no access permission at parent or child level, when I publish a workbook, I can give group ABC access to my workbook - there is absolutely nothing a project level at parent or child level can do about it.

                  Seems to me that you want parent level to automatically have full access permissions that each child level has. Today Tableau parent project level and child project level permissions are completely separated and independent, which gives us flexibility to meet different use case (for example, there is other use case where small group of ww users to access parent level only). Let's say that Tableau has the feature you asked in the future, it still does not matter due to the fact that access permission is actually controlled at workbook or data source level, unless Tableau allows us to lock permission at child project level.

                  How to achieve what you are asking today? It can be done if you sync Directory groups with Tableau server groups: Let's say that the WW SALES project has AMR, EMEA and APAC sub-projects. I will have 4 Directory groups syncing to Tableau server: AMR-Interactors, EMEA-Interactors, APAC-Interactors, and WW-Interactors. The WW-Interactors Directory group has all other 3 groups as sub-groups. After all those 4 groups are syncing to Tableau server, you give WW-Interactors interactor permission to WW SALES project, AMR-Interactors to AMR, etc. When you permission a new AMR-West group, you can add it to AMR-Interactors in your Directory, that is all.

                  Hope this helps.

                  • 6. Re: Understanding Tableau Nested Project Permissions
                    Sunil Gudipati

                    Mark Wu,

                    I am sure you would have tested this, could you please let me know if this is true!!!

                    • A Project Leader / Project Owner can subscribe the Views for other Users on 2018.1.2?
                    • Can Project Leader / Project Owner subscribe to Users outside Tableau? (my research says that outside Tableau Users aren't allowed)
                    • Does 2018.1.2 or later versions allow Project Subscriptions to Groups? Multiple Users in a group? (Ex: Create a local group only for subscription purposes and use this group for delegating Subscriptions?)
                    • 7. Re: Understanding Tableau Nested Project Permissions
                      Mark Wu

                      Project leaders/owners can subscribe others but can't subscribe users outside Tableau (you may have to take it as a 2-step process: change the workbook owner and then subscribe). I do not believe that you can subscribe to a group and I hope that Tableau will NOT build this feature in the future either since Tableau server is best for interactive and should not be used as email bursting server. Tableau has a feature to add all members from a group to a subscription but after the subscription is saved, the group member changes will not be reflected to the subscription recipients anymore.

                      If you really want to subscribe to a group, one workaround is to create one special user with group email address, then you can subscribe to this user, the email will be sent to the group.

                      • 8. Re: Understanding Tableau Nested Project Permissions
                        Sunil Gudipati

                        If you really want to subscribe to a group, one workaround is to create one special user with group email address, then you can subscribe to this user, the email will be sent to the group.

                        • This Special User in AD? With a group Email Address? Is this what you were referring to?
                        • What if we have a SAML Authentication with AD? And not a core based licensing rather Server based License? This wouldn't work, would it?
                        • 9. Re: Understanding Tableau Nested Project Permissions
                          Ann Ho

                          I'm excited to report that we have released a capability that solves for the condition reported in #1 above. This feature is available in our September maintenance releases, going back to all major releases since 10.5 when nested projects were launched. With the update, users now have the ability to browse the project hierarchy and publish to a nested project even if the user doesn't have permission to the parent project.

                          In the example below, I have permission to publish in the Supplier Details but not in the Suppliers. You see that the Supplier project is greyed out and cannot be selected but can be expanded to show the nested project. Users will need to have at least View permission on the parent projects to navigate through the project tree.

                          Publish.gif

                          To enable this capability, users will need to update Tableau Desktop and administrators will also need to update Tableau Server. Using Tableau Online? You just need to update your version of Tableau Desktop.

                          -Ann