Audit Permissions Using the Activity Log

Permission auditing allows system administrators to monitor which users have modified access controls to Tableau content. There are two ways to modify access control: explicit changes (by changing permission capabilities on a project or content item) and effective changes (by changing user site roles, group membership, moving content, and so on). All of these changes are recorded, so administrators can certify that security and access controls are maintained.

For more information about how permission rules are evaluated, see Effective permissions.

Log format

Every action that modifies user or group access to content will get a log entry. Each log entry is structured in a JSON format, with specific keys representing different pieces of information. A log entry contains two parts:

  • Metadata: Contains information about when and where an action occurred and what user performed the action.

  • Action: Contains information about what piece of content had its permissions changed, what capabilities were changed, and to what values the capabilities were changed.

Note: The Activity Log records changes made through the Permissions Dialog UI and REST API. For more information about API methods, see Permissions Methods.

The Activity Log entries are not formatted, and the keys are not sorted in any particular order in the logs. When auditing permissions, you can combine Activity Log data with other data sources, such as Admin Insights, to link IDs to names and make the events easier to interpret.


The following is an example log entry showing that a group was allowed to connect to a data source.

event: {
  actorUserId: 39872
  actorUserLuid: "4e6b42bf-9040-4e60-b326-1c56a4fb96f8"
  authorizableType: "DATASOURCE"
  capabilityId: 32
  capabilityValue: "connect"
  contentId: 2099835
  contentName: "Superstore ExtractNeal3"
  eventTime: "2023-01-31T22:44:23.650058Z"
  granteeId: 22
  granteeLuid: "dae0717a-d524-436d-b469-fadeaa22a5dd"
  granteeType: "Group"
  granteeValue: "GROUP_ALLOW"
  initiatingUserId: 39872
  initiatingUserLuid: "4e6b42bf-9040-4e60-b326-1c56a4fb96f8"
  isError: false
  metadata: {
    applicableToOnline: true
    applicableToServer: true
    comment: "Update Permissions"
    customerAccessible: true
    eventCategory: "security"
    eventType: "update_permissions"
    eventVersion: "1.0"
    internalAccessible: false
  }
  permissionType: "explicit"
  siteLuid: "b45e272d-10c7-49d5-9037-e53ce47dbf4e"
  traceUuid: "3a108a2f-c0ac-4ac7-a5f8-29zf7e064ae1"
}

The log entry captures essential information regarding the event, including:

  • eventType shows an update permissions event occurred

  • permissionType shows an explicit change to permissions

  • contentId shows the ID of the content that was modified

  • authorizableType shows the content type, in this case, a data source

  • capabilityValue shows the capability that was changed

  • granteeId shows the grantee that was affected

  • actorUserId shows the ID of the user who performed the change

  • eventTime shows the date and time of the change


Log entries contain various event types for permissions changes. The following table lists each event type and when it is recorded. For more information about event types and their attributes, see Activity Log Event Type Reference.

Event type                    Description
add_delete_user_to_group      Logged when a user is added or removed from a group
content_owner_change          Logged when the content owner changes
create_delete_group           Logged when a group is created or deleted
create_permissions            Logged when a new explicit permission rule is created
delete_all_permissions        Logged when all explicit permission rules for content are deleted, typically when content is deleted
delete_permissions_grantee    Logged when all explicit permission rules for a user are deleted, typically when the user is deleted
delete_permissions            Logged when an explicit permission rule is deleted on content
display_sheet_tabs            Logged when the "Tabbed Views" value is updated on a workbook
move_content                  Logged when content is moved
project_lock_unlock           Logged when project permissions are locked or unlocked
update_permissions            Logged when an explicit permission rule is updated for a content item
update_permissions_template   Logged when a permission template for a project is updated
user_create_delete            Logged when a user is created or deleted
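
The following is an added example, not Tableau's code, of a first-pass audit over these entries: it keeps only the event types from the table above and projects each entry onto the keys this page describes, counting unparseable lines instead of dropping them silently. It assumes one JSON object per line, with or without the event wrapper and with eventType either at the top level or under metadata; the function names and sample lines are constructed, and the first sample line reuses values from the example entry.

```python
import json
from collections import Counter

# Event types listed in the table above.
PERMISSION_EVENTS = {
    "add_delete_user_to_group", "content_owner_change", "create_delete_group",
    "create_permissions", "delete_all_permissions", "delete_permissions_grantee",
    "delete_permissions", "display_sheet_tabs", "move_content", "project_lock_unlock",
    "update_permissions", "update_permissions_template", "user_create_delete",
}
FIELDS = ("eventTime", "eventType", "permissionType", "actorUserId",
          "authorizableType", "contentId", "capabilityValue",
          "granteeType", "granteeId", "granteeValue", "isError")

def flatten(entry):
    """Unwrap an optional "event" object and lift "metadata" keys to the top."""
    event = entry.get("event", entry)
    flat = {k: v for k, v in event.items() if k != "metadata"}
    for key, value in event.get("metadata", {}).items():
        flat.setdefault(key, value)  # a top-level key wins over a metadata key
    return flat

def permission_changes(lines):
    """Return (audit rows sorted by eventTime, number of unparseable lines)."""
    rows, bad = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            flat = flatten(json.loads(line))
        except (json.JSONDecodeError, AttributeError):
            bad += 1  # truncated or non-object line: report it to the auditor
            continue
        if flat.get("eventType") in PERMISSION_EVENTS:
            rows.append({field: flat.get(field) for field in FIELDS})
    return sorted(rows, key=lambda r: r["eventTime"] or ""), bad

def changes_per_actor(rows):
    return Counter(row["actorUserId"] for row in rows)

# Constructed sample input (assumed layout: one JSON object per line).
SAMPLE = [
    '{"event": {"metadata": {"eventType": "update_permissions"}, "permissionType": "explicit", "actorUserId": 39872, "authorizableType": "DATASOURCE", "contentId": 2099835, "capabilityValue": "connect", "granteeType": "Group", "granteeId": 22, "granteeValue": "GROUP_ALLOW", "eventTime": "2023-01-31T22:44:23.650058Z"}}',
    '{"eventType": "move_content", "eventTime": "2023-01-31T21:00:00.000000Z", "actorUserId": 39872, "authorizableType": "DATASOURCE", "contentId": 2099835}',
    '{"event": {"metadata": {"eventType": "some_other_event"}, "eventTime": "2023-01-31T20:00:00.000000Z", "actorUserId": 1}}',
    '{"event": {"actorUserId": 39872, "eventTime": "2023-01-31T23',
]

if __name__ == "__main__":
    print(*permission_changes(SAMPLE)[0], sep="\n")
```

The numeric IDs in each row can then be joined to names from another source such as Admin Insights, as described earlier on this page.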