Manage Permissions for External Assets
Tableau Cloud and Tableau Server provide a space for accessing and managing published content. When Tableau Cloud or Tableau Server is licensed with Data Management, you have access to Tableau Catalogue. Tableau Catalogue adds a complementary space and a set of features across your site to track and manage metadata and lineage of external assets used by the content published to your site.
Tableau Catalogue indexes content and assets
Catalog discovers, tracks and stores metadata from the content that you publish to Tableau Cloud or Tableau Server.
Catalogue indexes metadata for the following:
- Tableau content: workbooks, data sources, flows, projects, metrics, virtual connections, virtual connection tables, users and sites. (The legacy Metrics feature was retired in February 2024 for Tableau Cloud and in Tableau Server version 2024.2. For more information, see Create and Troubleshoot Metrics (Retired).)
- External assets: databases and tables associated with Tableau content
Catalogue classifies the metadata of any data that comes from outside the Tableau environment as external assets. The data that comes from outside the Tableau environment is stored in many different formats, such as a database server or a local .json file.
Catalogue tracks only the metadata of the external data and does not track the underlying data in any form (raw or aggregated).
Catalogue metadata includes the following:
- Lineage information or the relationship between items. For example, the Sales table has a relationship with both the Superstore data source and the Superstore Sample workbook.
- Schema information. Some examples include:
  - Table names, column names, and column types. For example, Table A contains Columns A, B and C, which are types INT, VARCHAR and VARCHAR.
  - Database name and server location. For example, Database_1 is a SQL Server database at http://example.net.
  - Data source name, and the names and types of the fields the data source contains. For example, Superstore data source has fields AA, BB and CC. Field CC is a calculated field that refers back to both field AA and field BB.
- User curated, added, or managed information. For example, item descriptions, certifications, user contacts, data quality warnings and more.
How does Tableau Catalogue work?
Tableau Catalog indexes all content published to Tableau Cloud or Tableau Server to track lineage and schema metadata. For example, the metadata comes from workbooks, packaged workbooks, data sources and the Tableau Server or Tableau Cloud repository.
As part of the indexing process, lineage and schema metadata about external assets (databases, tables and other objects) used by the published content are also indexed.
Note: In addition to accessing Catalog from Tableau Cloud or Tableau Server, indexed metadata can also be accessed from the Tableau Metadata API and Tableau Server REST API. For more information about the Tableau Metadata API or metadata methods in the REST API, see Tableau Metadata API and Metadata Methods in the Tableau Server REST API, respectively.
Permissions on metadata
Permissions control who is allowed to see and manage external assets and what metadata is shown through lineage.
Note: If Tableau Cloud or Tableau Server is not licensed with Data Management, then by default, only admins can see database and table metadata through the Tableau Metadata API. This default can be changed to use "derived permissions", as described below.
Access metadata
The permissions used to access metadata through Catalog (or Metadata API) work similarly to permissions for accessing content through Tableau Cloud or Tableau Server, with some additional considerations for sensitive data that can be exposed through lineage and the capabilities granted on external assets.
Permissions on Tableau content
Catalogue follows the view and manage capabilities that are already in place on existing Tableau content to control the metadata that you can see and manage on Tableau content. For more general information on these capabilities, see Permissions.
Permissions on external assets using derived permissions
When Tableau Cloud or Tableau Server is licensed with Data Management, by default Catalogue uses derived permissions to automatically grant you capabilities to external assets in the following scenarios:
For View capability:
- If you are the owner of a workbook, data source or flow, you can see the database and table metadata used directly by that workbook, data source or flow. See Additional notes about lineage.
- If you are a project owner or project leader, you can see all the database and table metadata used by the content published to your project.
- Embedded files use the permissions of the source content (such as the workbook, data source or flow), rather than the derived permissions of the external asset (the database or table). For example, if you can see a workbook with an embedded file, you can see the embedded file and its metadata used by that workbook.
For both Overwrite and Set Permissions capabilities:
- If you are the owner of a flow, you can edit and manage permissions for the database and table metadata used by the flow output.
Note: In the case of flows, the capabilities mentioned above apply only after the flow has been run successfully at least once under the current owner of the flow.
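An access-review sketch of the derived-permission rules above, added here as an example (it is not Tableau code): from a constructed inventory of content, owners and projects it lists who would receive View, Overwrite or Set Permissions on each external asset, and why. The class names, fields and sample users are assumptions, projects are treated as flat, and the run-once condition is applied to the flow-output grants.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Project:
    name: str
    owner: str
    leaders: set = field(default_factory=set)

@dataclass
class Content:
    name: str
    kind: str                # "workbook", "data source" or "flow"
    owner: str
    project: str
    uses: set                # external assets the item connects to directly
    outputs: set = field(default_factory=set)  # flows only: assets the flow output writes
    ran_ok_under_owner: bool = False           # flows only

def derived_grants(contents, projects):
    """Map (asset, user, capability) -> list of reasons, per the rules above."""
    by_name = {p.name: p for p in projects}
    grants = defaultdict(list)
    for c in contents:
        proj = by_name[c.project]
        for asset in c.uses:
            grants[(asset, c.owner, "View")].append(f"owner of {c.kind} '{c.name}'")
            grants[(asset, proj.owner, "View")].append(f"owner of project '{proj.name}'")
            for leader in proj.leaders:
                grants[(asset, leader, "View")].append(f"leader of project '{proj.name}'")
        # Assumed reading of the page's note: the run-once condition gates the
        # Overwrite / Set Permissions grants on flow outputs.
        if c.kind == "flow" and c.ran_ok_under_owner:
            for asset in c.outputs:
                for cap in ("Overwrite", "Set Permissions"):
                    grants[(asset, c.owner, cap)].append(f"owner of flow '{c.name}'")
    return dict(grants)

def who_can(grants, asset, capability):
    """Sorted users holding `capability` on `asset` through derived permissions."""
    return sorted({u for (a, u, c) in grants if a == asset and c == capability})

def unexpected_viewers(grants, asset, approved):
    """Users with derived View on `asset` who are not on the approved list."""
    return {u: why for (a, u, c), why in grants.items()
            if a == asset and c == "View" and u not in approved}

# Constructed sample inventory (all names are made up for this example).
PROJECTS = [Project("Finance", "alice", {"bob"}), Project("Sandbox", "dave")]
CONTENTS = [
    Content("Superstore Sample", "workbook", "carol", "Finance", {"Database_1.Sales"}),
    Content("Nightly load", "flow", "erin", "Sandbox",
            {"Database_1.Sales", "Database_1.Sales_clean"},
            outputs={"Database_1.Sales_clean"}, ran_ok_under_owner=True),
    Content("Draft load", "flow", "frank", "Sandbox",
            {"Database_1.Returns", "Database_1.Returns_clean"},
            outputs={"Database_1.Returns_clean"}),
]

if __name__ == "__main__":
    g = derived_grants(CONTENTS, PROJECTS)
    print(who_can(g, "Database_1.Sales", "View"))
    print(who_can(g, "Database_1.Sales_clean", "Set Permissions"))
    print(unexpected_viewers(g, "Database_1.Sales", approved={"alice", "bob", "carol"}))
```

Publishing a flow into another project is enough to widen who can see a table's metadata, which is what the `unexpected_viewers` check surfaces for the constructed `Database_1.Sales` table.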
Check permissions
As an admin or someone who has been given the capability to set permissions for an asset, you can validate who has derived permissions by following the steps below.
- Sign in to Tableau Cloud or Tableau Server.
- From the left navigation pane, click External Assets.
- From the drop-down menu, select Databases and Files or Tables and Objects.
  Note: Local files, like .json or .csv files, are grouped as external assets under Databases.
- Tick the box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.
- In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.
- Validate the permissions by clicking a group name or username in the permission rules to see the effective permissions below.
Order of precedence for derived permissions on external assets
When derived permissions are configured for your Tableau Cloud site or Tableau Server, each user's level of access to external assets depends on the associated Tableau content and the order of precedence of rules that Tableau uses for its content.
Tableau follows the rules below in order, continuing on to the next rule only if the current rule evaluates to "denied". If any rule evaluates to "allowed", the capability is allowed and Tableau stops evaluating. This list of rules is based on the Permissions topic.
For View capability:
- Admin role
- Licence
- Project leader (Tableau content)
- Project owner (Tableau content)
- Content owner (Tableau content)
- Derived permissions (applies only to external assets and the View capability)
  - Admin role
  - Licence
  - Project leader (external assets)
  - Project owner (external assets)
  - Content owner (external assets)
- Explicit permissions
For Overwrite and Set Permissions capabilities:
- Admin role
- Licence
- Project leader (Tableau content)
- Project owner (Tableau content)
- Content owner (Tableau content)
- Explicit permissions (Tableau content)
- Derived permissions (applies only to external assets and the Overwrite and Set Permissions capabilities for flow outputs)
  - Admin role
  - Licence
  - Project leader (external assets)
  - Project owner (external assets)
  - Content owner (external assets)
As an admin, you can turn off the derived permissions default setting for a site in favour of manually granting explicit permissions to databases and tables.
- Sign in to Tableau Cloud or Tableau Server as an admin.
- From the left navigation pane, click Settings.
- On the General tab, under Automatic Access to Metadata about Databases and Tables, clear the Automatically grant authorised users access to metadata about databases and tables tick box.
Note: Data quality warning messages on databases and tables that are visible to users through derived permissions remain visible to those users even when the box is not ticked.
Set permissions on individual external assets
In order to grant additional users permissions to view, edit (overwrite) and manage external assets, an admin can grant those capabilities explicitly on individual databases or tables for users or groups.
Starting with Tableau Server 2022.3 and Tableau Cloud September 2022, you can organise external assets in projects. Permissions inheritance for external assets works in the same way as it does for Tableau content, as described in the Permissions topic, and can simplify permissions management.
Summary of permissions capabilities
The following table shows the capabilities you can set for external assets:
Capability | Description | Template |
---|---|---|
View | See the database or table asset. | View |
Overwrite | Add or edit data quality warnings and descriptions of the database or table asset. Prior to version 2020.1, the Overwrite capability was called Save. | Publish |
Move | Move the database or table asset. | Administer |
Set Permissions | Grant or deny permissions for the database or table asset. | Administer |
Set permissions on a database or table
To set permissions on databases or tables, use the following procedure.
- Sign in to Tableau Cloud or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
- Find the database or table. You can do this through Explore (starting with Tableau Server 2022.3 and Tableau Cloud September 2022) if you know the current location of the database or table, or through External Assets to see a list of all databases, tables and files.
  - Explore: From the left navigation pane, click Explore and locate the project the database or table is in.
  - External Assets: From the left navigation pane, click External Assets. From the drop-down menu, select Databases and Files or Tables and Objects. (Note: Local files, like .json or .csv files, are grouped as external assets under Databases.)
- Tick the box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.
- In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.
- Select a permission role template to apply an initial set of capabilities for the group or user, and then click Save. Available templates are: View, Publish, Administer, None and Denied.
- To further customise the rule, click a capability in the rule to set it to Allowed or Denied, or leave it unspecified. Click Save when you are done.
- Configure any additional rules you want for other groups or users.
- Validate the permissions by clicking a group name or username in the permission rules to see the effective permissions below.
External assets that are not in projects
There are some scenarios in which an external asset is not in a project:
- External assets that Catalogue discovered before the External Assets Default Project existed (Tableau Cloud December 2022/Server 2023.1) will not be in a project unless they’ve been moved into one since then.
- External assets that had their project deleted before the External Assets Default Project existed (Tableau Cloud December 2022/Server 2023.1) will not be in a project unless they’ve been moved into one since then.
- In Tableau Server 2022.1 and earlier, external assets cannot be moved to projects at all.
If an external asset is not in a project, permissions for external assets work as they did in Tableau Server 2022.1 and Tableau Cloud June 2022 and earlier. That is, database and table permissions are controlled independently of content in projects, and table permissions can be managed through database permissions. When permissions are set at the database level in this way, those permissions can serve as a template for any newly discovered and indexed child tables of that database. Furthermore, database permissions can also be locked so that the child tables will always use the permissions set at the database level.
Note: You cannot lock (or unlock) permissions to a database if the database is in a project.
To lock (or unlock) permissions to the database, use the following procedure:
- Sign in to Tableau Cloud or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
- From the left navigation pane, click External Assets. By default, the External Assets page shows a list of databases and files.
- Tick the box next to the database whose permissions you want to lock, select Actions > Permissions, and then click the Table Permissions Edit link.
- In the Table Permissions in Database dialog box, select Locked and click Save.
- To unlock permissions, click Edit again, and select Customised.
Access lineage information
Catalogue (and the Metadata API) can expose relationship and dependencies metadata, also referred to as lineage, among the Tableau content and external assets on Tableau Cloud or Tableau Server. Lineage shows three primary things:
- How items relate to each other, either directly or indirectly
- How many of those items relate to each other
- With the appropriate permissions, shows sensitive data about items in the lineage
In some cases, lineage can contain sensitive data, such as data quality warning messages, content or asset names or related items and metadata.
By default, complete lineage information displays for all users while its sensitive data is blocked from specific users who don’t have the appropriate View capabilities. The concept of blocking sensitive data is called obfuscation.
Obfuscation allows all metadata in the lineage to be visible while keeping its sensitive data blocked from specific users who don’t have the appropriate View capabilities. This default enables workflows that rely on a complete impact analysis.
If obfuscating sensitive data in the lineage is not enough for your organisation, certain parts of the lineage, including its sensitive data, can be filtered.
Filtering omits certain parts of the lineage (and lineage-related areas like data details) for specific users who don't have the appropriate View capabilities for its sensitive data. Because filtering omits parts of lineage, it prevents workflows that rely on a complete impact analysis.
To change how sensitive data is handled, do the following:
- Sign in to Tableau Cloud or Tableau Server as an admin.
- From the left navigation pane, click Settings.
- On the General tab, under Sensitive Lineage Information, select the radio button that best handles lineage information for all users on your Tableau Cloud site or Tableau Server.
Additional notes about lineage
If you have the View capability on related assets, you can see when and what assets and content are related to each other, and their sensitive metadata.
For example, you can see 1) the names, data quality warnings and total number of related upstream databases and tables and 2) the combined number of sheets (visible and hidden) in the lineage of the downstream workbook of the asset you are evaluating.
If you don't have the View capability on related assets, you can always see when assets relate to each other.
For example, you can see 1) whether related upstream databases and tables exist in the lineage and 2) the total number of databases or total number of tables that are related to the asset you are evaluating.
However, you can't see the metadata associated with those assets when you don't have the view capability for them. When metadata is blocked because of limited permissions, or the asset is in a Personal Space, you see Permissions Required.
If you don't have the View capability on related assets, you can always see whether the assets are certified.
However, if you don't have View capability, you can't see sensitive information related to the certification, like the names of the related databases and tables. When metadata is blocked because of limited permissions, or the asset is in a Personal Space, you see Permissions Required.
For more information about lineage see Use Lineage for Impact Analysis.
Additional notes about tags discoverable through lineage data
In addition to Tableau content, external assets can also be tagged. Although tags are always visible, tagged items that you see through lineage data can either be obfuscated (default) or filtered as described earlier in this topic.
When tagged items are obfuscated:
- If you have the View capability for tagged items, you can see the tagged items and related tagged items, and all metadata.
- If you don’t have the View capability for tagged items:
  - You can see the type of tagged and related tagged items but you can't see sensitive metadata about the items. For example, suppose you use a tag filter to see items with the tag “Noteworthy”. Although you can see that there are database items tagged with "Noteworthy", you can’t see the names of the tagged databases.
  - You can see how many related tagged items there are. For example, suppose you do a tag query on “Noteworthy”. Your query returns five tagged databases.
When tagged items are filtered, the tagged and related tagged items you see are limited to only the items that you have the View capability for.
For more information about tags, see Tagged Items in the Tableau User Help.
Potential mismatch between asset results and content results
When Catalogue shows lineage information, it provides information about Tableau content and external assets. Catalogue lineage always shows the true count or result of associated items. However, in other areas of the site, you might see fewer items. This could be because of your View capabilities. Outside of Catalogue, you see only the content that your permissions allow.
For example, suppose you're looking at the Superstore data source. The lineage for the Superstore data source shows how many upstream underlying tables the data source connects to and how many downstream workbooks rely on the data source. However, because you might not have permissions to see all of those downstream workbooks, the number of related workbooks in the Catalogue lineage (actual total) might be greater than the number of workbooks in the Connected Workbooks tab (what you have permission to see).
There might be other reasons, unrelated to permissions, why you might see a mismatch between asset counts and content counts. For more information, see Use Lineage for Impact Analysis.
Who can do this
The following information summarises the types of users who can do the tasks described in this topic.
Data Management | Capability | Requirements |
---|---|---|
Licensed | See assets and their metadata | None |
Licensed | Edit assets and their metadata | None |
Licensed | Change permission on assets and their metadata | None |
Licensed | Grant users ability to see assets and their metadata | Default: When “derived permissions” is on, your users can see metadata on external assets for the content that they own, or for the content that is published to a project that they are a project leader or project owner of. Ad-hoc: You can configure explicit View permissions on a specified external asset. |
Licensed | Grant users ability to edit assets and their metadata | You can configure explicit "write" or Overwrite permissions on a specified external asset (if not automatically granted because the user is a flow owner). |
Licensed | Grant users ability to change permissions on assets and their metadata | You can configure explicit "edit" or Set Permissions on a specified external asset (if not automatically granted because the user is a flow owner). |
Not licensed | See all assets and their metadata | Applies to Metadata API only |
Not licensed | Edit assets and their metadata | Requires Data Management |
Not licensed | Change permission on assets and their metadata | Requires Data Management |
Not licensed | Grant users ability to see assets and their metadata | Applies to Metadata API only: You can turn on derived permissions as described above. If “derived permissions” is on, your users can see metadata on external assets for the content that they own, or for the content that is published to a project that they are a project leader or project owner of. |
Not licensed | Grant users ability to edit assets and their metadata | Requires Data Management |
Not licensed | Grant users ability to change permissions on assets and their metadata | Requires Data Management |

Data Management | Capability | Requirements |
---|---|---|
Licensed | See assets and their metadata | Default: When "derived permissions" is enabled by your Tableau Cloud site admin or Tableau Server admin, you can see metadata on external assets for the content that you own, or for the content that is published to a project that you are a project leader or project owner of. Ad-hoc: You can see metadata on external assets that you have been granted explicit View permissions to. |
Licensed | Edit assets and their metadata | You can edit metadata on an external asset that you have been granted explicit "write" or Overwrite permissions to (if not automatically granted because the user is a flow owner). |
Licensed | Change permissions on assets and their metadata | You can change permissions on an external asset that you have been granted explicit "edit" or Set Permissions to (if not automatically granted because the user is a flow owner). |
Licensed | Grant other users permissions to see assets and their metadata | You can change permissions on an external asset that you have been granted explicit "edit" or Set Permissions to (if not automatically granted because the user is a flow owner). |
Not licensed | See assets and their metadata | Applies to Metadata API only: If “derived permissions” is enabled by your Tableau Cloud site admin or Tableau Server admin, you can see metadata on external assets for the content that you own, or for the content that is published to a project that you are a project leader or project owner of. |
Not licensed | Edit assets and their metadata | Requires Data Management |
Not licensed | Change permissions on assets and their metadata | Requires Data Management |
Not licensed | Grant other users permissions to see assets and their metadata | Requires Data Management |