Audit Permissions Using the Activity Log
Permission auditing allows system administrators to monitor which users have modified access controls to Tableau content. There are two ways to modify access control: explicit changes (by changing permission capabilities on a project or content item) and effective changes (by changing user site roles, group membership, moving content, and so on). All of these changes are recorded, so administrators can certify that security and access controls are maintained.
For more information about how permission rules are evaluated, see Effective permissions.
Log format
Every action that modifies user or group access to content produces a log entry. Each log entry is structured as JSON, with specific keys representing different pieces of information. A log entry contains two parts:
- Metadata: Contains information about when and where an action occurred and what user performed the action.
- Action: Contains information about what piece of content had its permissions changed, what capabilities were changed, and to what values the capabilities were changed.
Note: Activity Log records changes made through the Permissions Dialog UI and the REST API. For more information about API methods, see Permissions Methods.
The Activity Log entries are not pretty-printed, and the keys are not sorted in any particular order in the logs, so parse them as JSON rather than matching on text position. When auditing permissions, you can combine Activity Log data with other data sources.
Example
The following is an example log entry showing that a group was granted the connect capability on a data source (shown pretty-printed for readability):
```json
{
  "event": {
    "actorUserId": 39872,
    "actorUserLuid": "4e6b42bf-9040-4e60-b326-1c56a4fb96f8",
    "authorizableType": "DATASOURCE",
    "capabilityId": 32,
    "capabilityValue": "connect",
    "contentId": 2099835,
    "contentName": "Superstore ExtractNeal3",
    "eventTime": "2023-01-31T22:44:23.650058Z",
    "granteeId": 22,
    "granteeLuid": "dae0717a-d524-436d-b469-fadeaa22a5dd",
    "granteeType": "Group",
    "granteeValue": "GROUP_ALLOW",
    "initiatingUserId": 39872,
    "initiatingUserLuid": "4e6b42bf-9040-4e60-b326-1c56a4fb96f8",
    "isError": false,
    "metadata": {
      "applicableToOnline": true,
      "applicableToServer": true,
      "comment": "Update Permissions",
      "customerAccessible": true,
      "eventCategory": "security",
      "eventType": "update_permissions",
      "eventVersion": "1.0",
      "internalAccessible": false
    },
    "permissionType": "explicit",
    "siteLuid": "b45e272d-10c7-49d5-9037-e53ce47dbf4e"
  },
  "traceUuid": "3a108a2f-c0ac-4ac7-a5f8-29zf7e064ae1"
}
```
The log entry captures essential information regarding the event, including:
- eventType shows that an update permissions event occurred
- permissionType shows an explicit change to permissions
- contentId shows the ID of the content that was modified
- authorizableType shows the content type, in this case a data source
- capabilityValue shows the capability that was changed
- granteeId shows the grantee that was affected
- actorUserId shows the ID of the user who performed the change
- eventTime shows the date and time of the change
Events
Log entries contain various event types for permissions changes. The following table lists each event type and when they’re recorded. For more information about event types and their attributes, see Activity Log Event Type Reference.
Event type | Description |
---|---|
add_delete_user_to_group | Logged when a user is added or removed from a group |
content_owner_change | Logged when the content owner changes |
create_delete_group | Logged when a group is created or deleted |
create_permissions | Logged when a new explicit permission rule is created |
delete_all_permissions | Logged when all explicit permission rules for content are deleted, typically when content is deleted |
delete_permissions_grantee | Logged when all explicit permission rules for a user are deleted, typically when the user is deleted |
delete_permissions | Logged when an explicit permission rule is deleted on content |
display_sheet_tabs | Logged when the "Tabbed Views" value is updated on a workbook |
move_content | Logged when content is moved |
project_lock_unlock | Logged when project permissions are locked or unlocked |
update_permissions | Logged when an explicit permission rule is updated for a content item |
update_permissions_template | Logged when a permission template for a project is updated |
user_create_delete | Logged when a user is created or deleted |
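The following Python script is an added example (not part of the Tableau documentation or product) that ties the log format above to the event table: it parses Activity Log entries as JSON Lines, classifies each event as an explicit rule change or an effective access change using the event types listed in the table (that grouping is this example's own reading of the table), and produces the kind of per-actor summary an administrator would use to certify who changed access to what. The sample log lines are constructed for the example, with key order deliberately varied because the log does not sort keys; field names follow the example entry on this page, and the `WORKBOOK`, `write` and `USER_DENY` values in the constructed data are assumptions, not values taken from the page.

```python
"""Audit helper for Tableau Activity Log permission events (added example)."""
import json
from collections import defaultdict

# Event types from the page's table. The split into "explicit" (a permission
# rule itself changed) and "effective" (access changed via membership, ownership,
# location, or user lifecycle) is this example's own grouping.
EXPLICIT_EVENTS = {
    "create_permissions", "update_permissions", "delete_permissions",
    "delete_all_permissions", "delete_permissions_grantee",
    "update_permissions_template", "project_lock_unlock",
}
EFFECTIVE_EVENTS = {
    "add_delete_user_to_group", "content_owner_change", "create_delete_group",
    "display_sheet_tabs", "move_content", "user_create_delete",
}

# Constructed sample log (not real data): one JSON object per line, unsorted keys,
# plus one malformed line to show the parser skipping it. traceUuid values are placeholders.
SAMPLE_LOG = r'''
{"event": {"metadata": {"eventType": "update_permissions", "eventCategory": "security"}, "actorUserId": 39872, "authorizableType": "DATASOURCE", "contentId": 2099835, "contentName": "Superstore ExtractNeal3", "capabilityValue": "connect", "granteeType": "Group", "granteeId": 22, "granteeValue": "GROUP_ALLOW", "permissionType": "explicit", "isError": false, "eventTime": "2023-01-31T22:44:23.650058Z"}, "traceUuid": "trace-0001"}
{"traceUuid": "trace-0002", "event": {"actorUserId": 39872, "isError": false, "eventTime": "2023-01-31T22:50:01.000000Z", "metadata": {"eventCategory": "security", "eventType": "add_delete_user_to_group"}}}
{"event": {"eventTime": "2023-02-01T09:12:44.000000Z", "metadata": {"eventType": "delete_permissions"}, "actorUserId": 41000, "authorizableType": "WORKBOOK", "contentId": 555, "contentName": "Quarterly Sales", "capabilityValue": "write", "granteeType": "User", "granteeId": 77, "granteeValue": "USER_DENY", "permissionType": "explicit", "isError": true}, "traceUuid": "trace-0003"}
this line is not JSON and must not abort the audit
'''


def parse_entries(text):
    """Parse one JSON object per line; blank or unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep auditing the remaining lines
    return entries


def event_type(entry):
    """eventType lives under event.metadata in the page's example entry."""
    return entry.get("event", {}).get("metadata", {}).get("eventType")


def classify(entry):
    """Return 'explicit', 'effective', or 'unknown' for an entry's event type."""
    et = event_type(entry)
    if et in EXPLICIT_EVENTS:
        return "explicit"
    if et in EFFECTIVE_EVENTS:
        return "effective"
    return "unknown"


def describe(entry):
    """One-line, human-readable description built from the entry's action fields."""
    ev = entry.get("event", {})
    return (f"{ev.get('eventTime')} {event_type(entry)} by actor {ev.get('actorUserId')} "
            f"on {ev.get('authorizableType')} {ev.get('contentId')} ({ev.get('contentName')}): "
            f"{ev.get('capabilityValue')} -> {ev.get('granteeValue')} "
            f"for {ev.get('granteeType')} {ev.get('granteeId')}")


def changes_for_content(entries, content_id):
    """All entries whose action targeted the given contentId, oldest first."""
    hits = [e for e in entries if e.get("event", {}).get("contentId") == content_id]
    return sorted(hits, key=lambda e: e.get("event", {}).get("eventTime") or "")


def summarize(entries):
    """Per-actor counts by change class, plus traceUuids of entries flagged isError."""
    by_actor = defaultdict(lambda: {"explicit": 0, "effective": 0, "unknown": 0})
    errors = []
    for entry in entries:
        ev = entry.get("event", {})
        by_actor[ev.get("actorUserId")][classify(entry)] += 1
        if ev.get("isError"):
            errors.append(entry.get("traceUuid"))
    return {"by_actor": dict(by_actor), "errors": errors}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        print(classify(e).ljust(9), describe(e))
    print(summarize(parsed))
```

Because fields other than the metadata block differ between event types (see the Activity Log Event Type Reference), the helpers read every action field with `.get()` so an entry that lacks, say, `contentId` still counts toward its actor instead of crashing the audit.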