Thursday, September 4, 2014
A Better Tableau Server Permissions Resolution Explanation
How Tableau Server Resolves Permissions At Runtime

Permissions

Permissions are associated with Projects, Workbooks, Dashboards, Worksheets, and Data Sources.

Which Permissions are evaluated when assessing User capabilities?

Whenever a User accesses Tableau Server, that User's Permissions are evaluated by Tableau Server to determine which objects the User can see, and what s/he can do with them.
Tableau Server does this by evaluating the Permissions configured for the different objects vis-a-vis the User, either associated directly to the User or to Group(s) the User is a member of.
This seems like a straightforward situation - the object's Permissions should be used, but it's not that simple.
For Projects, Workbooks, and Data Sources, their configured Permissions are used.
But for Dashboards and Worksheets, it depends...

This is not clear in Tableau's documentation:
When resolving the permissions in place for a Dashboard or Worksheet (both are 'views'), the object used to evaluate the permissions is either the view or the Workbook the view is contained in.

Also see:
http://onlinehelp.tableausoftware.com/current/server/en-us/help.htm#license_permissions_backgrnd.htm

So, when evaluating the Permissions for a View this is the first step:

Was the Workbook published showing sheets as tabs?
    Yes: use the Permissions of the Workbook the view is in
    No: use the View's Permissions

Not recognizing this situation is a common source of frustration when trying to puzzle out why a User's access and abilities to a Dashboard (or worksheet) aren't what they're expected to be.

Once the source of Permissions has been determined, this process resolves whether or not the User is granted the Permission:

If the Permission is configured for the User
    then Deny or Allow, as configured
else if the User is in a Group for which the Permission is Deny
    then Deny
else if the User is in a Group for which the Permission is Allow
    then Allow
else
    Deny: "Not granted by any permission for..."

If a Permission is set directly for a User, it doesn't matter if the Permission is also set for any Group that the User is a member of.

The evaluation of Groups is across ALL the Groups of which the User is a member; if the Permission is Deny for any of them, the User's Permission is Deny. Only if none of the User's Groups' Permissions is 'Deny' is the check for 'Allow' made.

In the final case the Permission has not been configured, so it's Denied and is shown by Tableau Server with this message.

What happened to?

Roles

Roles are prominent in Tableau Server and Tableau's documentation, but as implemented and presented by Tableau Server they are more of a hindrance to understanding how Permissions work than they're worth.
There are too many problems to document here.
Look for an in-depth critique at Tableau Friction.
If the ability to create and manage true custom Roles existed they could be useful.

Inherited

"Inherited" is an unfortunate name.
"Not configured here" is better.
As shown above, if a Permission is not specifically configured as "Allow" or "Deny", it defaults to "Deny" and there's no need to consider "Inherited".
Semantically, "Inherited" is a problem because it indicates a positive situation where one does not necessarily exist, leading to a cognitive conflict in the person trying to interpret the actual Permission state.
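The two-step resolution described in this post (pick the Workbook or the View as the source, then apply User, Group Deny, Group Allow, default Deny), as an added Python example that is not Tableau's code or part of the original post. The `Rules` class, the function names, and the users, groups and settings are all constructed for illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"

@dataclass
class Rules:
    """Explicit settings for one Permission on one object (Workbook or View)."""
    user: dict = field(default_factory=dict)    # user name  -> ALLOW / DENY
    group: dict = field(default_factory=dict)   # group name -> ALLOW / DENY

def permission_source(view_rules, workbook_rules, sheets_as_tabs):
    """Step 1: a Workbook published with sheets as tabs supplies the rules."""
    return workbook_rules if sheets_as_tabs else view_rules

def resolve(rules, user, groups):
    """Step 2: return (result, reason) for one User and that User's Groups."""
    if user in rules.user:                       # a User-level setting wins outright
        return rules.user[user], "set for User"
    settings = [rules.group[g] for g in groups if g in rules.group]
    if DENY in settings:                         # any Group Deny beats every Group Allow
        return DENY, "denied by Group"
    if ALLOW in settings:
        return ALLOW, "allowed by Group"
    return DENY, "not configured"                # what the UI labels "Inherited"

def effective(view_rules, workbook_rules, sheets_as_tabs, user, groups):
    """Run both steps for a View inside a Workbook."""
    source = permission_source(view_rules, workbook_rules, sheets_as_tabs)
    return resolve(source, user, groups)

# Constructed sample settings for a single Permission.
VIEW = Rules(user={"alice": ALLOW}, group={"Sales": ALLOW})
WORKBOOK = Rules(group={"Sales": ALLOW, "Contractors": DENY})

USERS = [("alice", ["Contractors"]),
         ("bob", ["Sales", "Contractors"]),
         ("carol", ["Sales"]),
         ("dave", [])]

if __name__ == "__main__":
    for tabs in (False, True):
        for name, groups in USERS:
            print(f"tabs={tabs!s:5} {name:6}", effective(VIEW, WORKBOOK, tabs, name, groups))
```

Running it shows alice's direct Allow on the View disappearing once the Workbook is published with tabs, because the Workbook's rules (where her Group is denied) become the source.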
Copyright (c) 2009, 2014 Chris Gerrard