Audit Permissions Using the Activity Log

Permission auditing allows system administrators to monitor which users have modified access controls to Tableau content. There are two ways to modify access control: explicit changes (by changing permission capabilities on a project or content item) and effective changes (by changing user site roles, group membership, moving content, and so on). All of these changes are recorded, so administrators can certify that security and access controls are maintained.

For more information about how permission rules are evaluated, see Effective permissions.

Log format

Every action that modifies user or group access to content will get a log entry. Each log entry is structured in a JSON format, with specific keys representing different pieces of information. A log entry contains two parts:

  • Metadata: Contains information about when and where an action occurred and what user performed the action.

  • Action: Contains information about what piece of content had its permissions changed, what capabilities were changed, and to what values the capabilities were changed.

Note: Activity Log records changes made through the Permissions Dialog UI and REST API. For more information about API methods, see Permissions Methods.

The Activity Log entries are not formatted, and the keys are not sorted in any particular order in the logs. When auditing permissions, you can combine Activity Log data with other data sources, such as Admin Insights, to link IDs to names and make the events easier to interpret.

Example

The following is an example log entry showing a group was allowed to connect to a data source.

{
  "event": {
    "actorUserId": 39872,
    "actorUserLuid": "4e6b42bf-9040-4e60-b326-1c56a4fb96f8",
    "authorizableType": "DATASOURCE",
    "capabilityId": 32,
    "capabilityValue": "connect",
    "contentId": 2099835,
    "contentName": "Superstore ExtractNeal3",
    "eventTime": "2023-01-31T22:44:23.650058Z",
    "granteeId": 22,
    "granteeLuid": "dae0717a-d524-436d-b469-fadeaa22a5dd",
    "granteeType": "Group",
    "granteeValue": "GROUP_ALLOW",
    "initiatingUserId": 39872,
    "initiatingUserLuid": "4e6b42bf-9040-4e60-b326-1c56a4fb96f8",
    "isError": false,
    "metadata": {
      "applicableToOnline": true,
      "applicableToServer": true,
      "comment": "Update Permissions",
      "customerAccessible": true,
      "eventCategory": "security",
      "eventType": "update_permissions",
      "eventVersion": "1.0",
      "internalAccessible": false
    },
    "permissionType": "explicit",
    "siteLuid": "b45e272d-10c7-49d5-9037-e53ce47dbf4e"
  },
  "traceUuid": "3a108a2f-c0ac-4ac7-a5f8-29zf7e064ae1"
}

The log entry captures essential information regarding the event, including:

  • eventType shows an update permissions event occurred

  • permissionType shows an explicit change to permissions

  • contentId shows the ID of the content that was modified

  • authorizableType shows the content type, in this case, a data source

  • capabilityValue shows the capability that was changed

  • granteeId shows the grantee that was affected

  • actorUserId shows the ID of the user who performed the change

  • eventTime shows the date and time of the change

Events

Log entries contain various event types for permissions changes, such as content_owner_change when the content owner changes or delete_permissions when an explicit permission rule is deleted on content. For more information about event types, attributes, and when they’re recorded, see Activity Log Event Type Reference.
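The following is an added example, not part of the original documentation or Tableau's own tooling. It turns the fields and event types described above into a per-user audit report without relying on key order. It assumes the entries arrive one JSON object per line; the `NAMES` lookup, the helper names, and every sample line other than the subset of the example entry are constructed for illustration.

```python
import json
from collections import defaultdict

# Event types named on this page; the Event Type Reference lists the rest.
PERMISSION_EVENTS = {"update_permissions", "delete_permissions", "content_owner_change"}
# Hypothetical ID-to-name lookup, e.g. built from an Admin Insights export.
NAMES = {("Group", 22): "Finance Analysts"}

def make_line(event_type, **fields):  # helper: one constructed log line
    return json.dumps({"event": {**fields, "metadata": {"eventType": event_type}}})

# Constructed sample input: entry 1 is a subset of the page's example, the rest are made up.
SHARED = dict(permissionType="explicit", authorizableType="DATASOURCE", contentId=2099835,
              capabilityValue="connect", granteeType="Group", granteeValue="GROUP_ALLOW")
SAMPLE_LINES = [
    make_line("update_permissions", actorUserId=39872, granteeId=22,
              eventTime="2023-01-31T22:44:23.650058Z", **SHARED),
    make_line("constructed_other_event", actorUserId=39872),
    '{"event": {"actorUserId": 4',  # truncated line, must not abort the audit
    make_line("update_permissions", actorUserId=41001, granteeId=23,
              eventTime="2023-01-30T09:12:00.000000Z", **SHARED),
]

def parse_permission_events(lines, names=NAMES):
    """Return (rows, skipped): permission-change rows sorted by time, and bad-line count."""
    rows, skipped = [], 0
    for line in lines:
        try:
            event = json.loads(line)["event"]
            event_type = event["metadata"]["eventType"]
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        if event_type in PERMISSION_EVENTS:
            grantee = (event.get("granteeType"), event.get("granteeId"))
            rows.append({
                "time": event.get("eventTime", ""), "actor": event.get("actorUserId"),
                "event_type": event_type, "permission_type": event.get("permissionType"),
                "content": (event.get("authorizableType"), event.get("contentId")),
                "capability": event.get("capabilityValue"), "value": event.get("granteeValue"),
                "grantee": names.get(grantee, f"{grantee[0]} #{grantee[1]}"),
            })
    return sorted(rows, key=lambda r: r["time"]), skipped

def changes_by_actor(rows):  # group change summaries by the acting user's ID
    out = defaultdict(list)
    for r in rows:
        out[r["actor"]].append(f"{r['capability']} {r['value']} for {r['grantee']}")
    return dict(out)
```

A non-zero skipped count means some lines could not be parsed, so the report is incomplete for that period and the source file should be checked.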
