What are great permissions

Structure content - projects, groups, permissions

When your Tableau authors have updated their data sources and reports (Content) want to share it with others in Tableau Server, they need to know where to post that content so that the people they want to share it with can easily find it.

To publish or view content in Tableau Server, users must sign in to the server. After logging in, each user must have the appropriate permissions to work with the content.

As a Tableau administrator, as part of setting up your server, you'll need a Content management-Create a framework that fulfills the following goals:

  • It should make your authorization model predictable and scalable in order to grow with your Tableau community.

  • It is designed to help users help themselves.

Note: Although this article was written for Tableau Server administrators, permissions and projects work the same way on Tableau Online, so you can use most of these guidelines for your Tableau Online site as well.

Groups, projects and permissions: the basis of content management

To get Tableau Server content management up and running, you need to coordinate the following:

  • groups: Sets of users who need the same type of content access.

  • Projects: Containers for workbooks and data sources, each of which generally represents a category of content.

  • Permissions: Sets of functions that determine who on Which Can access content.

    Tableau comes with a few predefined Authorization roles. These are sets of functions for common uses of content. Managing the application of authorization roles is easier than manually granting or denying each function.

    Projects, data sources and workbooks each have their own selection of authorization roles. We'll use these later in this introduction.

Use groups to easily manage permissions

It is highly recommendedthat you organize users into groups. Then you can set group-level permissions to apply a set of functions to all users in the group. For new Tableau users, all you need to do is add them to the groups that give them the access they need.

Use projects to separate categories of content

While content is being published, the publisher must select the project in Tableau Server where the content will be placed. You use projects to keep related content together. For example, you can categorize content by target group (e.g. finance), role (e.g. administrators), or function (e.g. production versus sandbox).

Projects are a great way to help users help themselves. You can set it up so that the project names clearly indicate the type of content they contain and so that each user can only see the projects from the total list of projects they need to work with.

You can also create project hierarchies to further subdivide the content within the parent category. For more information, see Using Projects to Manage Access to Content (Link opens in a new window).

Project authorizations for function groups (example)

This example shows you how group permissions defined at the project level are coordinated with site-specific roles in order to determine who (which groups) can access which content in the project.

A best practice is to create groups based on functional categories - content creators, content viewers, data stewards. Function categories can also be combined with the respective department, such as B. Marketing viewers (content viewers) and marketing creators. The main thing is to create groups whose members use content in the same way. If you need to add a user to multiple groups, he or she will be given the permissions that apply to all of these groups.

The following image shows some groups for users who need different types of access to a project called Marketing.

For example, two groups cover three types of users:

  • Ashley and Adam need to be able to publish and manage workbooks. They are members of the Content Developers group and have been assigned the Creator site role.

  • Henry needs to be able to view and interact with workbooks. He belongs to the Content Viewers group and has been assigned the Explorer site role.

  • Susan needs to be able to view workbooks online (without further interaction). She also belongs to the Content Viewer group and has been assigned the Viewer site role.

Remember that site-specific roles set the maximum permissions and that you can assign a unique site role to each user on each site. In this example, you can add Susan and Henry to the same group and give that group Explorer permission.

In the introduction, we also explain how you can define suitable authorization roles for these three user types.

Introduction to the general approach to content management

To show you how projects and permissions work, we'll go through the following processes with you:

1. Defining standard authorizations in the "Standard" project

2. Create a new project for a hypothetical marketing department

3. Create groups based on what content users need

4. Create the temporary users for this exercise

5. Add the users to the groups

6. Assigning permissions to the groups at project level

7. Blocking project authorizations

You must be logged in to Tableau Server as an administrator to complete these steps.

1. Defining standard authorizations in the "Standard" project

Every site in Tableau Server has a project called Standard. The standard project serves as a template for new projects on the site and is helpful in creating a standard set of permissions.

  1. Sign in to Tableau Server as an administrator and select the Contents menu at the top of the page, then select Projects.

  2. Call up the authorizations for the standard project. From the Actions (...) menu, choose Permissions.

  3. Next to All Users (a default group) select the button . . . and then select the Edit option.

  4. Under Project, Workbooks, and Data Sources, select None.

  5. Click on Delete to apply the changes.

Which is why you get through life Remove some standard permissions can make it easier

The All Users group is particularly noteworthy because every site has an All Users group. Anyone added to a site becomes a member of the All Users group. Every new project you create contains permissions for the All Users group.

In very simple or specific scenarios, the All Users group can make your work a lot easier. The group has predefined permissions, i. H. every user on the site has a set of permissions from the start. The idea is that users can start posting and using content on the server even if they don't set any permissions.

In our example, however, we would like to show you how to assign each group only the permissions it needs. If users in these groups are also granted permissions through the Everyone group, it is difficult to tell exactly what they can do, and they may end up with permissions that you did not want to assign.

So if you decide to use this process in the future, remember to remove permissions from the All Users group, before You set any other permissions.

2. Create a new project for a hypothetical marketing department

As part of this introduction, you'll create a project called Marketing.

  1. From the menu at the top of the page, click Projects, then click New Projects.

  2. Name the project Marketing and click Create.

Plan your groups and permissions

It is recommended that later in reality, before creating groups and assigning permissions, you create a table or worksheet in which the groups for people who need access to the content and the actions / functions are listed that each group is allowed to carry out according to their ideas. You can refer to your authorization plan later if necessary.

3. Create groups based on what content users need

Next, you'll create two groups for these users. You can use the groups to assign permissions to users based on the activities that users need to perform in the marketing project. You create the following groups:

  • Marketing - Content Developer: This group is intended for users who can publish, edit, and manage workbooks, and connect to data sources.

  • Marketing - content viewer: This group is intended for users who can view content in a project and interact with the content from time to time, but cannot publish or save any content.

As with usernames, we will use detailed names for this in this introduction. However, we have added the functional role of the members (content developers).

Always use descriptive, meaningful names as group names.

  1. Select Groups from the menu at the top of the page.

  2. Click New Group, and then name the group Marketing - Content Developers.

  3. Repeat these steps to create the other group. When you're done with that, your group list should look like the list in the image below.

4. Create the temporary users for this exercise

For this introductory scenario, you will add four local users, all of which you can delete after completing this exercise.

What if you are using Active Directory?

If Tableau Server is already configured to use Active Directory, you could ask your Active Directory administrator to create these temporary users for you to use during this scenario. You will also need to import these into Tableau Server. After you have completed the introduction and you are ready to configure real users, you can delete the temporary users.

So that you can better identify the site-specific role and the project role of the users, give them a verbose name in the following format for these projects only in this introductory scenario (not for your own projects): <Name> – <Projektrolle> – <Site-spezifische Rolle>:

  • Ashley - Content Developer -

  • Adam - Data Analyst -

  • Henry - Content Viewer -

  • Susan - Content Viewer -

  1. Select Users from the menu at the top of the page.

  2. Click Add User.

  3. Click Local User, then enter the user details for Ashley. Use the verbose name under Display Name and enter the name under Username Ashley a. Skip the Email field and set Ashley's site role as described in Step 1 above.

  4. Repeat the steps to create the other three users and assign them the site-specific roles indicated in their verbose names.

    When you're done with that, you'll be presented with a list of users similar to the one in the image below.

5. Add the users to the groups

When you have set up your groups and added users to the server, you are now ready to add users to them.

  1. From the menu at the top of the page, click Users.

  2. Select Adam and Ashley, then on the Actions menu (...) click Group Membership.

  3. Select Marketing Content Developer, then click Save.

  4. Repeat the same steps to assign "Henry" and "Susan" to the Marketing - Content Viewers group.

6. Assigning permissions to the groups at project level

Now we can determine who can do what.

At the risk of repeating ourselves - we point individual users no Permissions too. The users receive their authorizations via the group to which they are assigned.

  1. In Tableau Server, navigate to Content> Projects.

  2. In the Marketing project, open the Actions menu (...), then select the Permissions option.

    The Permissions area shows the groups and users to whom you have assigned permissions. When you first set up a site, only the All Users group is listed. This group will remain even if you remove all permissions from it, as you did before.

  3. Click Add User or Group Rule and select the Marketing - Content Developers group.

    If you can't see the group names, make sure Group is selected from the drop-down list on the right.

    Here you create a groupAuthorization ruleassigned to this project and its workbooks and data sources.

    The page refreshes so that you can select the permission roles under Project, Workbooks, and Data Sources.

    These are the permission roles that we referenced earlier that are pre-defined sets of features that make it easy to set up.

    If you select a role and then assign roles to determine what you want users to be able to do, the role appears with the status Custom. You should therefore avoid explicitly specifying functions as far as possible.

  4. Under Project, select the Publisher permission role.

    To see what functions this role can perform, click the expand icon next to Project.

    By selecting the publisher role, the view and save the project functions are set to Allowed, while the project manager function remains set to Not specified.

    Please also note that individual project functions are displayed in the form of symbols. Hover your mouse over the icon to see the name of the function. Alternatively, you can click on the link above the symbols to display the headings of the functions.

  5. Under Workbooks, select the Editor permission role.

  6. Under Data Sources, select Connector.

  7. Click Save to save the permission settings.

    The combination of permissions for this set of permission roles allows members of the Marketing - Content Developers group to create and manage workbooks on the site.

  8. Repeat the steps from step 3 of this procedure to add the Marketing - Content Viewers group and set their permissions. This time, use the following permission roles:

    • Project: Viewer

    • Workbooks: Interactor

    • Data sources: none

    The combination of permissions granted by this set of permission roles allows members of the Marketing - Content Viewers group, within the confines of their site roles, to view and interact with content on the site.

    Leave the Permissions pane open for the next section.

7. Blocking project authorizations

Now everything seems to be fine and you are done. There is a catch, however. During the publishing process, publishers have the option to set permissions for their content. With our preferred closed permissions model, you don't want to have well-meaning publishers messing up your beautiful, orderly server. So we're going to lock permissions on the project so that publishers don't have a way to set permissions even though they are the content owners.

  1. In the still open Permissions area above the matrix on the right, click Edit Content Permissions next to the text related to unlocked permissions.

  2. In the Content Permissions for Project dialog box, select Locked In Project, and then click Save.

If someone wants to publish something in the "Marketing" project, they cannot change the standard permissions you have set on the server.

How does locking or unlocking projects affect permissions?

Before we go any further, let's dig deeper into how standard permissions work.In a perfect world - that is, if content publishers were to exercise their authority during the publishing process - the content resources published in a project could inherit the permissions set at the project level. You can think of this as a permission stamp that a resource receives when it is added to the project.

But what happens if you change the standard permissions defined at project level? after this Workbooks and data sources have been published in the project?

  • If you have the standard permissions for a locked Edit project, the changes are automatically adopted for all content in the project when it is saved.

  • If you have the standard permissions in a unlocked If you edit a project, the new default values ​​will be applied to all workbooks and data sources published after the changes. However, the existing workbooks and data sources retain their original default permissions - unless you lock the project.

View and test your work

Now let's review your work. The following images show what you will see in the Permissions area when you have finished setting the permissions for your groups.

If you expand the Project area, you will see the following:

If you expand the Workbooks pane, you will see the following:

If you expand the Data Sources area, you will see the following:

Test permissions by publishing and interacting

If everything looks fine in the Permissions section, move on to the next test. Complete the tasks that users need to do. This ensures that users can do what they need or cannot do what you don't want them to do.

  1. Go back, log in to Tableau Desktop as one of the users at a time, and test that user's ability to publish workbooks.

  2. Return to the Tableau Server browser environment, log in as one of the users, and see how well you can edit and save workbooks, interact with views, change ownership, and set permissions.

    You should only be able to set permissions if you are logged in as a server or site administrator.

The next level of content management

You have now reached the end of the example scenario. You held out until the end!

You are now ready to try this out in your real-world authorization scenarios. You should now have enough information to start setting permissions on your own, but there is still something to learn.

Here are some links to information in Tableau Server Help on a number of nondescript settings that can have a significant impact on your workflow:

Last but not least, when you're ready to go down the road and become a Zen master of content management, start here: Managing Content Access (Link opens in a new window).

Go to the Connecting to Data Sources section.