Understanding Server for Dummies

tableau server site rolesThis is an update to the excellent blog post written by Chris Love on Tableau Server permissions. Some concepts in the Tableau Server permissions model have changed in version 9 and version 9.2, so let’s revisit Chris’s post to understand how permissions work now….

Tableau has a robust security model which can seem complex to understand, so let’s take a look at permissions in detail and some of the common problems people have.

What first confuses people looking at Tableau administration for the first time is the number of areas where permissions can apparently be set, there are six in total: Site, Project, Group, User, Workbook and Data Source and to understand how Tableau permissions work it is crucial to understand those different levels and how they interact.

Sites

Sites are at the top of the content hierarchy, and provide a way to partition your server into separate environments for users. Each site is administered separately and has its own Groups, Users, Projects, Workbooks and Data Sources. Immediately after installation a single Site will exist – the “Default” site. This site can be renamed but cannot be deleted as a Server must always have at least one Site.

A user with access to only some sites on a server will not be able to access resources on the other sites, nor will they be able to login or view any information on the sites they do not have access to. What you see and how you can control users and content on different sites depends on your permissions, and whether you have more than one site enabled on your server.

tableauserverlockpermissons“In a multi-site deployment, click the Server menu to control server-wide settings that you will use to configure, monitor, and maintain Tableau Server. As the server administrator, only you can access Server pages for status, sites, Server Users, schedules, tasks, and any settings that apply to the server as a whole. For single-site deployments, all of your server and site-related menus will be available without the Server menu.”

On a multi-site server, these are the Site menus a server administrator sees.

On a multi-site server, these are the Server menus a server administrator sees.

On a single-site server, these are the menus a server administrator sees. To create a site, click the Settings menu.

If a user has access to more than one site, they will be prompted to choose which site they want to enter when they login to the server.

Projects

Projects are the next level down in the content hierarchy. Projects exist within Sites, and are also used to separate content in the server. They can be thought of in much the same way as folders in an operating system file structure, e.g. Windows folders. Since projects share Groups and Users with the other Projects in the site, this is typically a way to split your content into logical groupings, for example around department, function, author, or even SDLC environment. For example, you may have Tableau users in Finance, Marketing, Sales and IT and wish to serve different content to each team, controlling access to each set of content accordingly; Projects provide an ideal way of doing this.tableaudesktopublish Immediately after installation a single Project will exist in the Default Site called “Default”, this cannot be renamed and cannot be deleted as a Site must always have a default Project.

A newly created project will take its permissions from the permissions set on the Default project in that site. Note: the default permissions for the default project is to allow all users access – my recommendation is to always remove all permissions from the default project immediately after installation, so any newly created projects start with no permissions until you explicitly add them.

Groups

Groups are collections of Users within a site. They help to organise and manage sets of users for administration purposes. Groups can either be manually created or imported from an Active Directory (and kept in sync), if available. Each Site has at least one Group called “All Users” – which, as the name suggests, is a set of all the Users on a Site.

Users

Users are the individual named users accessing a Site. Every user added to Tableau Server must have an associated site role, these roles are described in the image below. The site role is assigned by the administrator. The site role determines the levels of permissions allowed for a user, including whether a user can publish, interact with, or only view content published to the server. Administrators are also defined based on the site role.

tableauserverpermissions3One of the most common questions we get is regarding User and Group permissions that allow a User different access, who wins? Well firstly User takes precedence over Group, and Deny take precedence over Allow. As per the diagram below:

Note the end point of “Denied” – unless a permission is explicitly granted it will be denied.

Workbooks

New workbooks and data sources use the default permissions from their project. When content permissions are not locked, the individual workbook and data source permissions can be edited to differ from the defaults. This is the first, and most important, thing in understanding Tableau permissions: Unless permissions are locked, the publisher of the dashboard has final control over who sees their data when it is published.

You’ll see above we talked about the concept of locking permissions. This is a brand new feature in v9.2 and as an administrator or project leader, you can prevent users from changing the permissions for workbooks and data sources in a project. To do so, you can lock content permissions for that project.

Taking an excerpt from the Tableau Server user guide:

“When permissions are locked to the project, the default permission settings are applied to all workbooks, views, and data sources in a project and cannot be modified by users (including content owners). When permissions are managed by the owner (“unlocked”), content permissions remain the same as when the project was locked, but the permissions become editable.”

Publishers will see the difference between a locked and unlocked project when publishing content to Tableau Server from Tableau Desktop. Here is the publish dialog in Tableau Desktop for an unlocked project. Here, the user can customise the workbook permissions to their liking:

Here is what a locked project looks like in the publish dialog in Tableau Desktop. Here, the user has no control over the workbook permissions. Instead the workbook takes its permissions from the project:

Permissions can also be set at the individual view level, i.e. views within a workbook, once the workbook is published, but this leads to a very complex security structure and is to be avoided if at all possible.

KCD Bitcoin Vinyl Decal Sticker | Cars Trucks Vans Walls Laptops Cups | Black | 5 inches | KCD1311
Automotive Parts and Accessories (KCD)
  • This is a vinyl, die cut decalWAY better than a bumper sticker.
  • The material used is made to last 6 years on the outside of your vehicle but can be applied to most clean smooth surfaces.
  • This product applies to your surface similar to how you apply a temporary tattoo
  • dont worry, we provide in depth application instructions.
  • The transfer tape that we use on our products is clear, which makes for easy application
Bitcoin Coin Deluxe Collector’s Set | Featuring the Limited Edition Original Gold and Antique Copper Commemorative Tokens by CoinedBits® | Each Coin Comes w/ a Plastic Round Display Case
Toy (CoinedBits®)
  • Great gift for cryptocurrency fans. High quality actual physical coins with protective clear cases
  • Perfectly minted well crafted real tangible coins. Each= Diameter= 1.5 3 mm thick Weight= 1 oz
  • Beautiful souvenir novelty pieces. Perfect challenge coins, conversation starter or geocaching items
  • Must have memorabilia piece for every Bitcoin enthusiast. 100% Satisfaction Money Back Guarantee
  • CUSTOMERS SAY: Beautiful, clever designs!The PERFECT gift for my bitcoin budsClassy & solid.
Thailand Silicone Rolling Fondant Mat Cake Tools
Kitchen (Thailand)
  • Material: Silicone
  • Color: Color by random
  • Size: 26cmX29cm
  • Resistance temperature: - 40 deg.C to +220 deg.C
  • Package included: 1 pcs X Silicone Rolling Fondant Mat
Infinite Skills Using Microsoft SharePoint 2013 - Training DVD
Software (Infinite Skills)
  • Learn how to use Microsoft SharePoint 2013 from a professional trainer from your own desk.
  • Visual training method, offering users increased retention and accelerated learning.
  • Breaks even the most complex applications down into simplistic steps.
  • Comes with Extensive Working Files.
EC Technologies Microsoft SharePoint 2010 Quick Reference Guide - 101: Getting Started with SharePoint
Office Product (EC Technologies)
  • Part of a series of several quick reference guides for SharePoint 2010, each focusing on a set of specific and important topics such as SharePoint 2010-101: Getting...
  • A complete guide to learning SharePoint Server basics and beyond.
  • Using team sites and site navigation.
  • Working with document libraries and searching for content.
  • Our quick reference guides will help you learn what you want when you need it.

Related posts: