
Set Permissions on Individual Content Resources

Tableau Server on Windows now includes Tableau Services Manager (TSM), which replaces the Configuration Utility and the command line tool. If you need help for an earlier version of Tableau Server, see the Tableau Help page.

As an administrator, or as a user granted the Set Permissions capability on a specific resource, you can change permissions on that resource (data source or workbook).

Generally we recommend setting permissions at the project level for all content in the project. One reason to deviate from this practice is to explicitly deny some capabilities on a data source or workbook that has a data source filter or user filter that enables a form of row-level security.

Capabilities you can set on data sources

Use permission rules to set the following capabilities for a data source:

Capability Description


View the data source on the server.


Connect to the data source. The Connect permission allows a user to connect to a data source from an editor (in Tableau Desktop or Tableau Server web editing).

Note: If a workbook author embeds credentials in a workbook or view, users who also have the Web Edit permission will be able to access the workbook’s data source regardless of their Connect permissions.


Publish data sources to the server and overwrite data sources on the server.

Download Data Source

Download the data source from the server.

Note: Cube data sources, like those for Microsoft Analysis Services or Oracle Essbase connections, must be used locally. To download the published data source to Tableau Desktop, the user must have the Download capability. You must explicitly grant the Download permission regardless of the permission role you apply. For more information, see Cube Data Sources.


Delete the data source.

Set Permissions

Grant or deny permissions for the data source.
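
The note under Connect describes a case where a data source rule alone does not control access: a workbook with embedded credentials plus Web Edit. The following added example (not Tableau code or a Tableau API) flags that combination in an exported set of permission rules. The class names, resource names, and grantees are hypothetical, and the check compares explicit rules per grantee only; it does not resolve group membership or project-level permissions.

```python
from dataclasses import dataclass, field

ALLOWED, DENIED, UNSPECIFIED = "Allowed", "Denied", "Unspecified"

@dataclass
class Resource:
    name: str
    rules: dict = field(default_factory=dict)  # grantee -> {capability: setting}

    def setting(self, grantee, capability):
        # A capability missing from a rule is treated as Unspecified.
        return self.rules.get(grantee, {}).get(capability, UNSPECIFIED)

@dataclass
class Workbook(Resource):
    data_source: Resource = None
    embedded_credentials: bool = False

def connect_bypass_findings(workbooks):
    """Flag grantees with Web Edit Allowed on an embedded-credential workbook
    whose Connect setting on the workbook's data source is not Allowed."""
    findings = []
    for wb in workbooks:
        if not wb.embedded_credentials or wb.data_source is None:
            continue
        for grantee in sorted(wb.rules):
            if wb.setting(grantee, "Web Edit") != ALLOWED:
                continue
            connect = wb.data_source.setting(grantee, "Connect")
            if connect != ALLOWED:
                findings.append((grantee, wb.name, wb.data_source.name, connect))
    return findings

# Constructed sample: one data source with a row-level filter, two workbooks.
sales = Resource("Sales (row-level filter)", {
    "Analysts": {"View": ALLOWED, "Connect": ALLOWED},
    "Contractors": {"View": ALLOWED, "Connect": DENIED},
})
books = [
    Workbook("Regional Sales", {"Analysts": {"Web Edit": ALLOWED},
                                "Contractors": {"Web Edit": ALLOWED},
                                "Interns": {"Web Edit": ALLOWED}},
             data_source=sales, embedded_credentials=True),
    Workbook("Pipeline", {"Contractors": {"Web Edit": ALLOWED}},
             data_source=sales, embedded_credentials=False),
]

for finding in connect_bypass_findings(books):
    print("REVIEW: %s can web-edit %r but Connect on %r is %s" % finding)
```

Each finding is a rule pair to review: either remove Web Edit for that grantee on the workbook, or republish the workbook without embedded credentials.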

Permission role templates for data sources

Template Description


Allows the user or group to connect to the data source on the server.


Allows the user or group to connect to, download, delete, and set permissions on data sources on the server. They can also publish data sources, and as long as they are the owner of a data source they publish, they can update connection information and extract refresh schedules. (The latter two capabilities are no longer available if an administrator or project leader changes data source ownership.)


Sets all capabilities for the permission rule to Unspecified.


Sets all capabilities for the permission rule to Denied.

Capabilities you can set on workbooks and views

The list of capabilities and the available permission role templates vary depending on whether you are setting permissions for a workbook or a view. For information about capability definitions, see Permissions Reference.

Editing view-level permissions

When a Tableau Desktop author publishes a workbook with the Show Sheets as Tabs option enabled, the tabbed views take on the workbook's permission rules. Changes you make to the workbook permissions affect all of its tabbed views.

To edit an individual view’s permissions, save the workbook again without tabs (or hide sheets). The default permissions are applied to the workbook, and you can then edit view permissions.

We recommend that you set view-level permissions sparingly, as an exception. Try to manage permissions at the project level as much as possible. When permissions are locked to a project, views in a workbook use the workbook permissions.

Permission role templates for workbooks and views

Template Applies to... Description




Allows the user or group to view the workbook or view on the server.




Allows the user or group to view the workbook or view on the server, edit workbook views, apply filters, view underlying data, export images, and export data. All other permissions are inherited from the user’s or group’s project permissions.




Sets all capabilities for the rule to Allowed.




Sets all capabilities for the rule to Unspecified.




Sets all capabilities for the rule to Denied.

Set permissions on a content resource

  1. In the Data Sources, Workbooks, or Views page, select the check boxes for each resource, and then select Actions > Permissions.

    The following image shows how this looks on the Data Sources page.

    Note: If you select multiple items and some of the items are read-only, you cannot view the permissions. Instead, select one item at a time.

  2. Click Add a user or group rule, select Group or User, and then select the group or user name from the list.

  3. Select a permission role template to apply an initial set of capabilities for the group or user, and then click Save.

  4. To further customize the rule, click the actions menu (. . .) next to the rule name, and then click Edit. Click a capability in the rule to set it to Allowed or Denied, or leave it unspecified. Click Save when you are done.

  5. Configure any additional rules you want for other users or groups.

  6. View the resulting permissions.

    Click a group name or user name in the permission rules to see the resulting permissions. Hover over a capability box to see a tooltip that shows whether a capability is allowed or denied, and what determined that result.

See also

How data access is evaluated for workbooks that connect to Tableau data sources