Was this page helpful?
Yes No
Tableau Help > Tableau Server on Windows Help > 

View or Edit Permissions

When you specify permissions for a project, workbook, view, or data source, you use a permissions rule to express who is allowed to work with that resource. Permissions rules are the explicit capabilities that can be set for an individual user, or for a group—for each resource.

You work with these rules in the Permissions window, described in the steps below. You define permissions rules in the upper section. The User Permissions section below it shows the effective, or resulting, permissions after Tableau evaluates your rule.

View or edit a permissions rule for a selected content resource

  1. On the Content page for a site, select Projects, Workbooks, Views, or Data Sources to display all items of that content type.

  2. Select the check box for the item, and then select Actions > Permissions.

    This shows the current permissions rules.

  3. To edit a rule, do the following:

    1. Select the actions menu (. . .) next to the rule name, and then select Edit.

    2. Select a permissions role to assign a set of capabilities and leave the rest unspecified.

      See How the permissions rules settings work together below for more information.

    3. Select an individual capability to cycle through Allowed or Denied, or Unspecified settings.

    4. Click Save.

  4. To see the resulting permissions for the selected group or user, do the following:

    1. In the permissions rules area, select the group or user name.

    2. In the User Permissions area, hover over a capability box to show a tooltip that indicates the capability name, its resulting setting, and how the result was determined.

      The following image shows permissions on a selected workbook for Andrew Allen in the Finance group. The tooltip indicates that a rule assigned to a group he is a member of denies the web edit capability.

How the permissions rules settings work together

In the Permissions window, the settings that appear depend on the type of content you select, and some are not available until you edit the rule, as described earlier in this article.

The following settings apply to permissions on projects. Data sources and workbooks show similar sections:

  • User / Group: Lists users or groups that a rule applies to. If the permissions are not locked to the top-level project, you can select Add a user or group rule to configure permissions on the selected project, which then become default settings for this project’s child projects.

  • Project: Lists available permissions-role templates for projects. Each template contains a predefined set of capabilities for the rule.

  • Workbooks / Data Sources: Similar to Project, lists the permissions-role templates for assigning predefined sets of capabilities for workbooks or data sources.

  • View / Interact / Edit: These are categories of capabilities that you can set to Allowed, Denied, or Unspecified. Setting Unspecified evaluates to Denied if no other permissions are specified for a user or group on the content.

    Although some of the permissions-role names are the same as or similar to site role names, the permissions roles are separate, and they indicate groups of capabilities that are typically configured as a set.

What determines users’ effective permissions

Effective user permissions for a content resource are determined by the following:

  • The maximum capabilities allowed for a user’s site role. The site role acts as the “ceiling” for what permissions are allowed. For more information, see Set Users’ Site Roles.

  • Whether the user is a project leader for a project hierarchy or is shown as the owner of a content asset.

  • The evaluation of each permissions rule that applies to that user, or a group the user is a member of, for the selected content type or content item.

For example, if a user is granted the Editor permissions role for workbooks in a project (which allows all available workbook capabilities), but has the site role of Viewer and does not own any workbooks, the user will be allowed only the capabilities of View, Download Image, Download Summary Data, View Comments, and Add Comments.

In the following example, a permissions rule has been created for the Finance group. Initially, the administrator applied the Editor permissions role to the group. This granted all capabilities. Then the admin set the Save capability to Denied. This changed the name of the permissions role to Custom. The User Permissions (effective permissions) section for the Finance group reflects these actions. You can also see that one user has fewer capabilities, because that user has a site role of Viewer.

Tip: The All Users group permissions rule in this example has been set to None, which leaves all of the permissions as Unspecified for the All Users group. This approach requires the administrator to specifically assign permissions only to the groups or users that should have access to content assets, which makes for more predictable effective permissions. For more information, see 2. Remove permissions that will cause ambiguities in the topic Configure Projects, Groups, and Permissions for Managed Self-Service.