
How Permissions are Evaluated

Permissions in Tableau Server are assigned to content resources—projects, workbooks, data sources, and sometimes to individual views. You use permission rules to specify who can work with a content resource.

What users can access, and the actions available to them for each content type, are determined by the following:

  • Site role. A user's site role determines whether a user can publish, interact with, or only view resources. For more information, see Set Users’ Site Roles.

  • Content permissions. Every project, workbook, data source, or view can have a unique set of permission rules.

    A permission rule includes the user or group, and the set of capabilities you want to grant users for a resource (such as the ability to edit a view). Each permission role template (such as Editor, Interactor, Viewer) specifies a predefined set of capabilities for the rule. If the capabilities that are selected do not match a predefined template, the permission role template changes to Custom.

    Available capabilities vary depending on the resource. Capabilities can be set to Allowed, Denied, or Unspecified. Denied always takes precedence over Allowed, and Unspecified results in Denied if no other permission rules allow a capability for a user.

  • Ownership. Content owners always get full access to the content they've published. In projects with locked permissions, content owners cannot edit permissions for their workbooks and data sources.

Users with the Set Permissions capability can change permissions for content items in projects that aren't locked. Administrators, content owners, and users with the Project Leader capability automatically have the Set Permissions capability.

You can set permission rules for an individual user or group for each resource. This diagram illustrates how permission rules are evaluated in Tableau Server.

A user’s effective permissions for a given content resource are determined by the following:

  • The maximum capabilities allowed through the site role.

  • Whether the user owns the content item.

  • The result after Tableau evaluates permission rules applied to that user and all groups the user is a member of.

Notes on permissions

  • Server and site administrators can access all the resources in a site with full permissions.

  • You cannot set permissions at the site level; permissions are assigned to resources only.

  • As content owners, publishers get full access to their content. Administrators can manage permissions on content after it’s published.

    Another option for practicing content governance is to lock permissions at the project level. This does not change publishers’ ownership of the content they publish after the project is locked. However, it enables default permissions for other users and prevents publishers from being able to change those default permissions during the publishing process. See Lock Content Permissions to the Project.

  • Individual user permissions on resources take precedence over group permissions on resources. In other words, user permissions trump group permissions.

  • Workbook permissions serve as templates for view permissions. When content permissions are locked to the project, and when a workbook uses tabbed views, views inherit their workbook permissions. When permissions are not locked, and when a workbook is saved without tabs, the workbook and view permissions can be edited independently.

  • Project default permissions serve as templates for content in a project. When content permissions are locked to the project, the workbooks and data sources always use the default permissions. When permissions are not locked, workbook and data source permissions can be edited independently.

  • For each content item, every site user is automatically included in the All Users group. As a result, the All Users permission rule affects how permissions are evaluated for users when you create additional group permission rules for that content item.

    If you use Tableau Server in an environment where openly sharing knowledge and information across the organization is important, set the permission rule for the All Users group in the Default project to the Publisher permission template. Users can publish to and consume content from new projects.

    If you use Tableau Server in an environment where restricting access is important, set the permission rule for the All Users group in the Default project to the role of None. Then, add explicit permissions for groups and users to allow them to publish and work with content in new projects.

The order of precedence in which Tableau evaluates permissions

  1. Server and Site Administrator: Administrators can access all site content with full permissions.

  2. User - Unlicensed, Viewer license, or Guest: If a user is Unlicensed, has a Viewer license (which is different from the Viewer site role), or is a Guest, there are certain capabilities they are never allowed to perform. If the capability is explicitly denied for the user because of licensing, they are denied.

  3. Project Owner: If the user owns the project that contains the content, the capability is allowed. Otherwise,

  4. Project Leader: If the user has the Project Leader capability, or is in a group that has the Project Leader capability, they are allowed. If the user is explicitly denied the Project Leader capability, they are denied. Otherwise,

  5. User - Authorizable Owner: If the user is the owner of the content, they are allowed. Otherwise,

  6. User - Capability Denied: If the user has been explicitly denied the capability for the content, they are denied. Otherwise,

  7. User - Capability Allowed: If the user has been explicitly allowed the capability for the content, they are allowed. Otherwise,

  8. Group - Capability Denied: If the user belongs to a group that has been explicitly denied the capability for the content, they are denied. Otherwise,

  9. Group - Capability Allowed: If the user belongs to a group that has been explicitly allowed the capability for the content, they are allowed. Otherwise,

  10. The user is denied access to the content.
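
The ten-step order above, written out as a small evaluator. This is an added example, not Tableau's code: the User and Content classes, the rule dictionaries and the sample names are assumptions made for illustration, as is testing an explicit user-level Project Leader deny before any allow in step 4.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "Allowed", "Denied"

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    is_admin: bool = False                             # server or site administrator
    license_denied: set = field(default_factory=set)   # capabilities the license never permits

@dataclass
class Content:
    owner: str
    project_owner: str
    project_rules: dict = field(default_factory=dict)  # (kind, name) -> {capability: mode}
    rules: dict = field(default_factory=dict)          # same shape, rules on the content item

def modes(rules, principals, capability):
    """Explicit modes (Allowed/Denied) any of the principals hold for a capability."""
    return {rules[p][capability] for p in principals if capability in rules.get(p, {})}

def evaluate(user, content, capability):
    """Walk the ten steps in order and return (allowed, deciding_step)."""
    me = [("user", user.name)]
    groups = [("group", g) for g in user.groups | {"All Users"}]  # everyone is in All Users
    if user.is_admin:
        return True, 1
    if capability in user.license_denied:
        return False, 2
    if content.project_owner == user.name:
        return True, 3
    # Step 4. Assumption: an explicit user-level deny is tested before any allow.
    leader = modes(content.project_rules, me, "Project Leader")
    if DENY in leader:
        return False, 4
    if ALLOW in leader or ALLOW in modes(content.project_rules, groups, "Project Leader"):
        return True, 4
    if content.owner == user.name:
        return True, 5
    for step, who in ((6, me), (8, groups)):  # user rules (6-7), then group rules (8-9)
        found = modes(content.rules, who, capability)
        if DENY in found:
            return False, step
        if ALLOW in found:
            return True, step + 1
    return False, 10  # nothing matched: Unspecified resolves to Denied
# Constructed sample: All Users denies Save; the Finance group and user ana are allowed it.
WORKBOOK = Content("bo", "cy", rules={("group", "All Users"): {"Save": DENY},
    ("group", "Finance"): {"Save": ALLOW}, ("user", "ana"): {"Save": ALLOW}})
```

With this sample, ana is allowed Save at step 7 by her user rule, while a Finance member without a user rule is denied at step 8, because the All Users deny is evaluated before the Finance allow.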