Do you find puzzling out Tableau Server permissions confusing and mysterious? You're not alone.
I put this post together to help me figure out the process of how Tableau Server determines a User's permissions for a particular Workbook, Dashboard, or Worksheet. To my mind, the Tableau documentation is a bit twisty and hard to trace. It also doesn't surface the critical part that it's not always the view's permissions that are used, but those of the view's Workbook.
It's a work in progress. I plan on improving it as I work through the factors, interactions, dependencies, etc.
Factors affecting Permissions
License Level
see reference: Tableau Server Admin guide online
? should it therefore be impossible to assign permissions to an unlicensed user?
from the TS Admin Guide | About Enable Guest & Enable Automatic Login: "Enable Guest is a setting on the Maintenance page that can be selected if you have a core-based server license... users click a link and they go directly to the view with no login... no authentication is performed. The Tableau Server Guest User account is used to access the server, but as long as Enable Guest is selected, anyone can use it. Administrators often limit the capabilities of the Guest User account. For example, they might edit the permissions of certain views so that Guest User is denied access."
User Rights
see reference: Tableau Server Admin guide online
There are two distinct but inter-related 'things' Tableau lumps together as User Rights.
Publish
if designated as a Publisher, the user can: "connect to Tableau Server from Tableau Desktop in order to publish and download workbooks and data sources."
There are two configuration options for Publish:
NOTE: as of TSv8.1b7 it's possible to assign "Allow" for an unlicensed Site user.
AND: this unlicensed user with Publish rights CAN successfully publish to Tableau Server.
? If Publish is set to 'Deny', can the User be assigned any of the download permissions on individual objects, and if so, what would be the result?
Admin
Prerequisites: in order for a user to be an admin, s/he must be an Interactor with Publish granted.
There is an interesting asymmetry in the mechanisms of assigning User Rights. In my testing with Tableau Server v8.1 beta 7, when adding a new User I try to make it an Interactor and the Interactor license level isn't granted because the # of licensed users has been reached:
when checking the "Publish" User Right, and that user subsequently becomes licensed as an Interactor, the Publishing right is preserved;
however, when checking "Site Administrator", subsequently licensing the user as an Interactor doesn't preserve the "Site Administrator" right in the same manner as "Publish" was preserved.
User Identity
see references in the Tableau Server Admin Guide (online):
Set Permissions for a Project
Set Permissions for Workbooks and Views
Set Permissions for a Data Source
Things get really complicated with the introduction of User Identity. There are three distinct facets to a User's identity vis-a-vis Permissions:
One of the big complicating factors in determining whether a given permission is granted or denied to a particular User for a particular Tableau Server asset is that the structural relationships among Users, Roles, and Groups differ from the relationships used to resolve permissions.
Users may belong to one or more Groups at the Site level.
Users and Groups may be associated with zero or one Role for a particular asset.
When Tableau Server determines individual Permissions' status for a user for a particular asset it assesses, in order, the Permissions' status for:
— the User;
— any Role the User is associated with for that asset;
— the permission status for that asset for any Groups to which the User belongs.
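The resolution order listed above, as an added Python example that is not from the original post or from Tableau. The data model, the sample users, groups and role preset, the "Deny from any group outranks Allow" rule and the default-deny fallback are all assumptions made for illustration, and Roles attached to Groups are left out.

```python
from enum import Enum

class Status(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    UNSPECIFIED = "Unspecified"

# Constructed sample data: a role preset, memberships and one asset's settings.
ROLES = {"Viewer": {"View": Status.ALLOW, "Export Image": Status.DENY}}
MEMBERSHIPS = {"alice": {"Analysts", "Contractors"}, "bob": {"Analysts"},
               "carol": {"Contractors"}}
WORKBOOK = {
    "users": {"alice": {"Export Image": Status.ALLOW}},
    "user_roles": {"bob": "Viewer"},
    "groups": {"Analysts": {"View": Status.ALLOW, "Export Image": Status.ALLOW},
               "Contractors": {"View": Status.DENY}},
}

def resolve(user, capability, asset, memberships):
    """Return (Status, source) for one capability on one asset."""
    # 1. The User's own setting on the asset.
    status = asset["users"].get(user, {}).get(capability, Status.UNSPECIFIED)
    if status is not Status.UNSPECIFIED:
        return status, f"user:{user}"
    # 2. The Role (zero or one) the User is associated with for this asset.
    role = asset["user_roles"].get(user)
    status = ROLES.get(role, {}).get(capability, Status.UNSPECIFIED)
    if status is not Status.UNSPECIFIED:
        return status, f"role:{role}"
    # 3. Groups the User belongs to, in name order for a stable result.
    hits = []
    for group in sorted(memberships.get(user, ())):
        status = asset["groups"].get(group, {}).get(capability, Status.UNSPECIFIED)
        if status is not Status.UNSPECIFIED:
            hits.append((group, status))
    # Assumption: a Deny from any group outranks an Allow from another.
    for group, status in hits:
        if status is Status.DENY:
            return status, f"group:{group}"
    if hits:
        return hits[0][1], f"group:{hits[0][0]}"
    # Assumption: a capability specified nowhere is not granted.
    return Status.DENY, "default"

def audit(asset, memberships, capabilities=("View", "Export Image")):
    """Effective status and deciding source for every known user."""
    return {(u, c): resolve(u, c, asset, memberships)
            for u in sorted(memberships) for c in capabilities}
```

Returning the deciding source alongside the status makes it visible when a Role setting masks a Group grant, as it does for bob's "Export Image" here.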
How Permissions Are Set
– The Tableau Server Admin Guide Flowchart
redrawn for consistent Yes/No sequence and highlighting of Roles and Groups influence.
The permissions chart above is in SVG and was created using Inkscape.