5 Replies Latest reply on Jun 12, 2018 1:34 PM by Mark Wu

    Understanding Tableau Nested Project Permissions

    Mark Wu

      I spent hours and hours testing Tableau's new nested projects and their permissions. My test results are presented at today's Tableau Server Admin virtual user group meeting. The deck used is also attached and the recording is from Tableau Admin Virtual User Group 3 2 - YouTube (from 40 mins onwards). Here is the summary:

      1. To publish to a child project, all the following 3 conditions must be met:
        • Publisher site role
        • Publisher permissions to parent project
        • Publisher permissions to the child project
      2. Only the top parent project can be locked. If the parent is unlocked, a child can't be locked. For a locked project:
        • All child projects are locked
        • All child projects have same permissions as parent project has.
        • All permission changes apply to all child projects automatically
        • Child projects can still have different owner
        • Child projects can’t have different project leaders
      3. Project owner vs. project leaders
        • Both can create child projects
        • Both have full control for its child projects (delete, manage contents, change permissions, etc)
        • Both are inherited as project leader to all its child projects.
        • A project (or child project) can have only one owner but multiple project leaders. However, it is not recommended to have too many project leaders for any project, since project leaders have superpowers over its content.
      4. Leverage project owner & project leader's super privileges for more self-service
        • Change extract refresh schedule
        • Modify any workbooks
        • Change workbook owner
        • Change data source owner
        • Change data source user/password
        • Delete workbooks
        • Change workbook or data source permissions
        • Move workbook
        • Restore old revision
        • Lock or unlock project permission
        • Certify or uncertify data sources (10.4)
        • Create or delete sub project folder (10.5)

      Read more at my blog @ Enterprise Tableau.   Pls feel free to share your understanding or questions.
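The publishing and locking rules summarised in the post above, written out as a small Python model. This is an added example, not code from the original post or from Tableau; the project and group names are constructed, and checking every ancestor for deeper nesting is an assumption beyond the parent/child case the post describes.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Project:
    name: str
    parent: Optional["Project"] = None
    locked: bool = False                 # only ever set on a top-level project
    publish_groups: set = field(default_factory=set)

    def top(self) -> "Project":
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    def effective_publish_groups(self) -> set:
        # Under a locked top parent, every child has the parent's permissions.
        top = self.top()
        return top.publish_groups if top.locked else self.publish_groups

def lock(project: Project) -> None:
    # Rule 2: only the top parent project can be locked.
    if project.parent is not None:
        raise ValueError(f"{project.name}: only a top parent project can be locked")
    project.locked = True

def publish_blockers(site_role: str, groups: set, project: Project) -> list:
    """Reasons a user cannot publish to `project`; an empty list means allowed."""
    blockers = []
    if site_role != "Publisher":         # rule 1; admin site roles are not modelled
        blockers.append("site role is not Publisher")
    node = project
    while node is not None:              # the child, then its parent (assumed: every ancestor)
        if not groups & node.effective_publish_groups():
            blockers.append(f"no Publisher permission on '{node.name}'")
        node = node.parent
    return blockers

# Constructed sample tree: group and project names are hypothetical.
marketing = Project("Marketing", publish_groups={"mkt-publishers"})
email = Project("Email", parent=marketing, publish_groups={"email-publishers"})

if __name__ == "__main__":
    print(publish_blockers("Publisher", {"email-publishers"}, email))
    lock(marketing)
    print(publish_blockers("Publisher", {"mkt-publishers"}, email))
```

A publisher who is granted rights only on the child project is reported as blocked by the parent, and once the top project is locked the child's own grants stop counting.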

        • 1. Re: Understanding Tableau Nested Project Permissions
          Andy Piper

          Mark--

           

          Thanks for the information. It is very helpful as I look to reconfigure our TS for use with 10.5.1.

           

          Do you know if the developers are looking at other permissionings within the folder structure beyond 10.5.1? I'm specifically looking for them to add the following abilities:

          • Locked sub-folders
          • Publishing rights only within sub-folders, not the parent folder as well

           

          In case Tableau developers are looking at this, here's why:

          • Our Marketing umbrella has about 12 different groups, each with their own folder currently
          • Each folder uses AD-groups for permissions such that only members of that specific marketing group can access their group-specific workbooks
          • Each folder has one or more publishers just for that Marketing group
          • We also have folders in which all of Marketing can access

           

          It would be nice to have:

          • One Marketing folder (primary)
          • Workbooks available to all of marketing are then stored here
          • Sub-folders within the primary would then allow each marketing department their own space for their own workbooks
          • Publishers for each space would only be able to publish to their specific spaces, not the area where all of Marketing can get to -- that should be the role of the primary project owner/publisher, not a sub-folder owner/publisher
          • Locked sub-folders would allow the sub-folder owners to dictate which AD-groups have permissions and allow workbooks published to the sub-folders take on the permissions of the sub-folder, not the primary (since not everyone with access to the primary should be able to view a workbook in a sub-folder).

           

          Thanks again,

           

          Andy

          • 2. Re: Understanding Tableau Nested Project Permissions
            Mark Wu

            Pls vote the following IDEAS:

             

            • 3. Re: Understanding Tableau Nested Project Permissions
              Andy Piper

              Thanks, Mark. I've voted up for these ideas. We will likely forego using nested folders in many cases until permission options available are more in line with our business.

              • 4. Re: Understanding Tableau Nested Project Permissions
                Forum Parikh

                Thanks Mark for sharing the details.

                 

                My question is for upstream inheritance for UNLOCKED child projects to the parent project which does not seem to work today. Unlocking leads to disconnected parent and child project level permissions. When you permission a new group on a child project, the same does not get updated on the parent project. You have to also add the group on the parent same as done on child. Ideally, for permissions, the parent should be the master level permission whereas the child project can have one or more of the groups that are permissioned to the parent.

                 

                I do vote for locking child projects which will help to restrict and inherit permissions on workbooks and data sources. But additionally, would want to at least be able to easily manage and have visibility of the full permission coverage on the parent level based on all the groups the child projects are permissioned to.

                 

                Do you have any suggestions and is there a way today which I am not aware of?

                 

                Forum Parikh

                • 5. Re: Understanding Tableau Nested Project Permissions
                  Mark Wu

                  Forum, There are two types of permission at project level. One is who can publish to this project, two is who can access the content of the project. I will talk about both here:

                  1. Who can publish to this project? Tableau does make us duplicate the publisher permission efforts at child project level and parent level. Given this is the way it works, how to do the setup? Pls see example @ Publisher permissions on Nested projects
                  2. Who can access the content of the project? Actually this type of permission is purely controlled at workbook or data source level. The permissions at project level are only defaults during the publishing process. However, publishers (owners) can deviate to whatever permissions during or post publishing, which is why Tableau calls it permission managed by owner (unlocked). For example, even if group ABC has no access permission at parent or child level, when I publish a workbook, I can give group ABC access to my workbook - there is absolutely nothing the project level at parent or child level can do about it.

                  Seems to me that you want the parent level to automatically have the full access permissions that each child level has. Today Tableau parent project level and child project level permissions are completely separated and independent, which gives us flexibility to meet different use cases (for example, there is another use case where a small group of WW users accesses the parent level only). Let's say that Tableau has the feature you asked for in the future, it still does not matter due to the fact that access permission is actually controlled at workbook or data source level, unless Tableau allows us to lock permission at child project level.

                   

                  How to achieve what you are asking today? It can be done if you sync Directory groups with Tableau Server groups: Let's say that the WW SALES project has AMR, EMEA and APAC sub-projects. I will have 4 Directory groups syncing to Tableau Server: AMR-Interactors, EMEA-Interactors, APAC-Interactors, and WW-Interactors. The WW-Interactors Directory group has all other 3 groups as sub-groups. After all 4 groups sync to Tableau Server, you give WW-Interactors interactor permission to the WW SALES project, AMR-Interactors to AMR, etc. When you permission a new AMR-West group, you can add it to AMR-Interactors in your Directory, that is all.

                   

                  Hope this helps.
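The nested Directory group layout from the reply above, with a check for the parent/child coverage gap raised in reply 4. This is an added example, not code from the thread or from Tableau; the user names are constructed, and it models project-level grants only, not the per-workbook permissions that owners can still change in an unlocked project.

```python
# Constructed sample data following the WW SALES layout described above.
NESTED = {"WW-Interactors": ["AMR-Interactors", "EMEA-Interactors", "APAC-Interactors"],
          "AMR-Interactors": ["AMR-West"]}            # the newly added group
USERS = {"AMR-Interactors": ["ana"], "EMEA-Interactors": ["emil"],
         "APAC-Interactors": ["aiko"], "AMR-West": ["wes"]}   # hypothetical users
GRANTS = {"WW SALES": ["WW-Interactors"], "AMR": ["AMR-Interactors"],
          "EMEA": ["EMEA-Interactors"], "APAC": ["APAC-Interactors"]}
CHILDREN = ["AMR", "EMEA", "APAC"]

def expand_members(group, nested, users, seen=None):
    """All users in `group`, following nested sub-groups."""
    seen = set() if seen is None else seen
    if group in seen:                   # guard against circular nesting
        return set()
    seen.add(group)
    members = set(users.get(group, ()))
    for sub in nested.get(group, ()):
        members |= expand_members(sub, nested, users, seen)
    return members

def project_users(project, grants, nested, users):
    """Users reaching `project` through any group granted on it."""
    reached = set()
    for group in grants.get(project, ()):
        reached |= expand_members(group, nested, users)
    return reached

def coverage_gaps(parent, children, grants, nested, users):
    """Per child project, the users who can reach it but not the parent."""
    parent_users = project_users(parent, grants, nested, users)
    gaps = {}
    for child in children:
        missing = project_users(child, grants, nested, users) - parent_users
        if missing:
            gaps[child] = sorted(missing)
    return gaps

if __name__ == "__main__":
    # Nesting AMR-West under AMR-Interactors leaves no gap.
    print(coverage_gaps("WW SALES", CHILDREN, GRANTS, NESTED, USERS))
    # Granting AMR-West directly on the AMR project instead leaves its users off the parent.
    direct = dict(GRANTS, AMR=["AMR-Interactors", "AMR-West"])
    flat = {"WW-Interactors": NESTED["WW-Interactors"]}
    print(coverage_gaps("WW SALES", CHILDREN, direct, flat, USERS))
```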