Was this page helpful?
Yes No
Tableau Help > Tableau Server for Windows Help > 

View or Edit Permission Rules and User Permissions

When you specify permissions for a project, workbook, view, or data source, you use a permission rule to express who is allowed to work with that resource. Permission rules are the explicit capabilities that can be set for an individual user, or for a group—for each resource.

You work with these rules in the Permissions window, described in the steps below. You define permission rules in the upper section. The User Permissions section below it shows the effective, or resulting, permissions after Tableau evaluates your rule.

View or edit a permission rule for a selected content resource

  1. On the Content page for a site, select Projects, Workbooks, Views, or Data Sources to display all items of that content type.

  2. Select the check box for the item, and then select Actions > Permissions.

    This shows the current permission rules.

  3. To edit a rule, do the following:

    1. Select the actions menu (. . .) next to the rule name, and then select Edit.

    2. Click a capability in the rule to set it to Allowed or Denied, or Unspecified.

      See How the permission rules settings work together below for more information.

    3. Click Save.

  4. To see the resulting permissions for the selected group or user, do the following:

    1. In the permission rules area, select the group or user name.

    2. In the User Permissions area, hover over a capability box to show a tooltip that indicates the capability name, its resulting setting, and how the result was determined.

      The following image shows permissions on a selected workbook for Andrew Allen in the Finance group. The tooltip indicates that a rule assigned to a group he is a member of denies the web edit capability.

How the permission rules settings work together

The sections shown in the Permissions Rules area depend on the type of content you select. The settings described here are those that appear when you select a workbook or view. (Some of these settings are not available until you open a rule for editing, as described in the steps above.) To learn how to set permission rules at the project level, see Set Default Permissions at the Project Level.

  • User / Group: Lists users or groups that a rule applies to. If the permissions are not locked at the project level, you can click Add a user or group rule to configure permissions for those users on the selected content.

  • Permissions: Lists available permission-role templates for the selected content element. Each template contains a predefined set of capabilities for the rule. If the capabilities selected for the user or group do not match a predefined template, the template name changes to Custom. The word Custom appears regardless of how the capabilities are modified.

  • View / Interact / Edit: These are categories for the groups of capabilities that you can set to Allowed, Denied, or Unspecified. Setting Unspecified evaluates to Denied if no other permissions are specified for a user or group on the content.

    Although some of the names here are the same as or similar to site or permission role names, the categories here are independent of those things, and they only indicate groups of capabilities that are typically configured as a set.

User Permissions

Effective user permissions for a content resource are determined by the following:

  • The maximum capabilities allowed for a user's site role. The site role acts as the "ceiling" for what permissions are allowed. For more information, see Set Users’ Site Roles.

  • Whether the user owns the content item

  • The evaluation of each user or group permission rule that applies to that user for that content item

For example, if a user is granted Editor-level permissions for a workbook (which allows all available capabilities), but has the site role of Viewer and does not own the workbook, the user will only be allowed the capabilities of View, Export Image, Summary Data, View Comments, Add Comments, and Save.

In the following example, a permission rule has been created for the Finance group. The permission role template of Editor was initially applied to the group, which granted all capabilities. The administrator then set the Save capability to Denied, so the name for the set of permissions applied to the group became Custom. The User Permissions section for the Finance group shows that most of the users in the group have all capabilities, except for the Save capability. One user has even fewer capabilities because that user has a site role of Viewer.

Note that the All Users group permission rule in this example has been set to None, which leaves all of the permissions as Unspecified for the All Users group. This approach requires the administrator to specifically assign permissions for only the groups or users that should see the content.