Authorization refers to how and what users can access on Tableau Server after authentication has been verified. Authorization includes:
- What users are allowed to do with content hosted on Tableau Server, including projects, sites, workbooks, and views.
- What users are allowed to do with the data sources that are managed by Tableau Server.
- What tasks users are allowed to perform to administer Tableau Server, such as configuring server settings, running command line tools, creating sites, and other tasks.
Authorization for these actions is managed by Tableau Server and determined by a combination of the user's site role and permissions associated with specific entities such as workbooks and data sources.
Site roles are permission sets that are assigned to a user, such as System Administrator, Publisher, or Viewer. The site roles define collections of capabilities (delete, save, view, and others) that can be granted to users or groups on Tableau Server.
Site roles define who is an administrator. Administrators can be assigned at the site or server level. Site roles also determine whether non-admin users are allowed to publish to the server from Tableau Desktop. In general, site roles determine the maximum capabilities that can be granted for each non-admin user. For example, if a user's site role is Interactor, the user cannot publish to the server, no matter what other permissions the user has, because the Interactor role denies permission to publish.
For more information about site roles, see Set Users’ Site Roles.
Permissions determine whether a given user is allowed or denied permission to perform a specific action on a specific resource.
As an administrator setting up Tableau Server, it’s important that you understand how permissions are evaluated. Understanding the Tableau permissions process will enable you to set up and configure permissions on sites, projects, and other resources so that you can control how content and data are shared, published, viewed, extracted, and imported.
Four important concepts to understand about permissions in Tableau are:
- Permissions are resource-based. Permissions are assigned to individual resources and are granted to users or groups. Permissions are evaluated for projects, workbooks, views, and data sources.
- Permissions are implicitly denied, and non-admin users must explicitly be allowed to access resources. The process by which Tableau Server determines the “allow” or “deny” permission is explained in detail in the topic, How Permissions are Evaluated.
- Permissions inheritance exists only in locked projects and in workbooks with tabbed views. When content permissions are locked to the project, its workbooks, views, and data sources will always use the default permissions in the project. In the case of workbooks saved with the option Show sheets as tabs, views will use the workbook permissions. For more information, see Content Permissions and Ownership.
- In a project that is not locked, initial permissions are a one-time copy of the container item's permissions. A workbook, view, or data source will start with the default permissions, but authorized users can subsequently edit permissions on those resources. For more information on default permissions and projects, see Set Project Default Permissions and Lock the Project.
Tableau Server provides a flexible permissions infrastructure that allows you to manage access to all content for countless scenarios. See Content Permissions and Ownership for more detailed information.
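The following Python sketch is an added example, not Tableau's own code or API. It models the concepts above (site role as a ceiling, implicit deny, locked versus unlocked projects) to show what happens to existing content when project defaults are tightened. The role ceilings, user names, and function names are assumptions made for illustration, and explicit deny rules and group membership are left out.

```python
from dataclasses import dataclass, field

# Constructed role ceilings (assumption); only "Interactor cannot publish" is from the text.
ROLE_CEILING = {"Interactor": {"view"},
                "Publisher": {"view", "save", "delete", "publish"}}
ADMIN_ROLES = {"System Administrator"}

@dataclass
class Project:
    locked: bool
    defaults: dict = field(default_factory=dict)  # user -> allowed capabilities

@dataclass
class Workbook:
    project: Project
    grants: dict

def publish(project):
    # Initial permissions are a one-time copy of the project defaults.
    return Workbook(project, {u: set(c) for u, c in project.defaults.items()})

def effective_grants(workbook):
    # Locked project: content always uses the project's current defaults.
    if workbook.project.locked:
        return workbook.project.defaults
    return workbook.grants

def is_allowed(user, site_role, capability, grants):
    if site_role in ADMIN_ROLES:
        return True   # explicit allow is required only for non-admin users
    if capability not in ROLE_CEILING.get(site_role, set()):
        return False  # the site role caps what permissions can grant
    return capability in grants.get(user, set())  # otherwise implicit deny

def access_after_tightening(locked):
    """Publish, then remove bob from the project defaults; can bob still view?"""
    project = Project(locked, {"bob": {"view"}})
    workbook = publish(project)
    project.defaults.pop("bob")
    return is_allowed("bob", "Publisher", "view", effective_grants(workbook))

if __name__ == "__main__":
    print("unlocked:", access_after_tightening(False))  # copy on the workbook survives
    print("locked:  ", access_after_tightening(True))   # defaults apply immediately
```

In the unlocked case the workbook keeps the copied grant, so removing a user from the project defaults does not revoke access to content that was already published; each existing item has to be reviewed separately.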
Data Access and External Authorization
There are scenarios where Tableau Server and Desktop rely on external authorization to enable access to data. For example:
- Users connecting to external data sources may require authorization that is outside the scope of Tableau Server’s authority. If users publish an external data source, then Tableau Server will manage access and capabilities of the data source. But if users embed an external data source in a workbook, then it’s up to the user who publishes the workbook to determine how other users who open the workbook will authenticate with the data source.
- Running Tableau Server in an organization with Active Directory where Tableau has been configured with a Run As user account results in a dependency on Active Directory and NTFS for authorization. For example, if you configure Tableau Server to use the Run As account to impersonate users connecting to SQL, then object-level authorization is reliant on NTFS and Active Directory.
- How users authenticate and are authorized by specific database solutions may differ. As noted, Tableau Server can be configured to provide access authorization when a data source is configured, but some databases will authorize access according to their own authentication scheme.
Server Administration: Authorization for Configuring Tableau Server
One or more users must have Windows local admin permissions to configure Tableau Server and to run tabadmin set options commands.