Permissions, Site Roles, and Licenses

Adding a user to a Tableau Server requires a license. (Users can also be added as unlicensed and configured so they will consume a license only when they first sign in. For more information, see Grant License on Sign In.) For each site the user belongs to they have exactly one site role, restricted by their license. A user has permissions for content on the site, restricted by what their site role allows.

Licenses and site roles apply to users. Permission capabilities apply to content.

Licenses are assigned to a user when they are created (or sign in for the first time) on the Tableau Server or Tableau Online site. Users are licensed as a Creator, Explorer, or Viewer.

  • License levels are consumed based on the maximum site role a user can have on that server.
    • Server Administrator, Site Administrator Creator, and Creator site roles use a Creator license.
    • Site Administrator Explorer, Explorer (can publish), and Explorer site roles use at least an Explorer license.
    • Viewer site role uses at least a Viewer license.
    • An unlicensed user can exist on the server but they cannot log in unless they were added with grant site role on sign in.
  • For Tableau Online, a user consumes a license per site and has only one site role.

Site roles are assigned to a user for each site they are a member of.

  • Site roles determine the maximum capabilities a user can have in that site. (For example, a user with a site role of Viewer will never be able to download a data source even if that capability is explicitly granted to them on a specific data source.)
  • Site roles do not inherently grant any capabilities in and of themselves—with the exception of the administrator site roles. Administrators always have all capabilities applicable to their license level.

Permissions consist of capabilities, like the ability to save to a project, web edit a workbook, connect to a data source, etc. They apply to group or user on a specific piece of content (project, data source, workbook, view, or flow).

  • Permission capabilities are not given to a group or user in a vacuum but rather in the context of content. A user can have different capabilities for different content assets.
  • Permissions are evaluated based on the interplay of a user’s site role and the permission rules for that user or any groups they are members of.
  • Some actions such as web authoring might require combinations of capabilities. For more information, see Permission settings for specific scenarios.

Site roles and their maximum capabilities

These tables indicates what capabilities are available to each site role. There may be other ways for a user with a site role to perform a similar action. For example, although Viewers can’t be given the Share Customized capability to make their custom views visible to others on the workbook, they can share custom views by copying the view URL. See General capabilities allowed with each site role for more information on what each site role can do.

Projects

Capability Creator Explorer (can publish) Explorer Viewer
View
Publish

Workbooks

Capability Creator Explorer (can publish) Explorer Viewer
View
Filter
View Comments
Add Comments
Download Image/PDF
Download Summary Data
Share Customized
Download Full Data
Web Edit
Download Workbook/Save a Copy
Overwrite
Move *
Delete
Set Permissions

Data Sources

Capability Creator Explorer (can publish) Explorer Viewer
View
Connect
Download Data Source
Overwrite
Delete
Set Permissions

Data Roles

Capability Creator Explorer (can publish) Explorer Viewer
View
Overwrite
Move *
Delete
Set Permissions

Flows

Note that Flows are part of the Data Management Add-on .

Capability Creator Explorer (can publish) Explorer Viewer
View
Download Flow
Run Flow
Overwrite
Move *
Delete
Set Permissions

Ask Data Lenses

Capability Creator Explorer (can publish) Explorer Viewer
View
Overwrite
Move *
Delete
Set Permissions

Metrics

Capability Creator Explorer (can publish) Explorer Viewer
View
Overwrite
Move *
Delete
Set Permissions

Collections

Capability Creator Explorer (can publish) Explorer Viewer
View

 

*Although the Explorer role can be given the Move capability, they can’t have the Publish capability on a project and therefore there is no place for them to move content to. The Move capability should therefore be considered not possible for Explorer site roles.

Thanks for your feedback!