Permission Capabilities and Templates
Permissions are made up of capabilities, or the ability to perform a given action on a piece of content, such as view, filter, download or delete. Each row in the Permission Rules area of the dialog is a permission rule. Permission rules are the setting for each capability (allowed, denied or unspecified) for the group or user in that row. Permission rules have templates available that make it easier to assign capabilities quickly. Permission rules can also be copied and pasted.
Note: In the permission dialog for projects, there are tabs for each content type: Projects, Workbooks, Data Sources, Data Roles, Flows, Ask Data Lenses, Metrics and – if you have the Data Management – Virtual Connections, Databases and Tables. (Virtual connections were added in Tableau Server 2021.4 and Tableau Cloud December 2021. Databases and tables were added in Tableau Server 2022.3 and Tableau Cloud October 2022.) When a permission rule is added, the default for all capabilities across all content types is Unspecified. To allow or deny capabilities for each content type, you must go to each tab in turn. In the permission dialog for a specific piece of content, there are no tabs and the permission rules only apply to that piece of content.
Templates
Templates group sets of capabilities that are often assigned together based on common user scenarios, View, Explore, Publish and Administer. When you assign a template, its included capabilities are set to Allowed, with the rest left as Unspecified. The templates are cumulative, so the Explore template includes everything from the View template plus additional capabilities. All content also has a template for None (which sets all capabilities to unspecified) and Denied (which sets all capabilities to denied).
Templates are meant to be a starting point and can be adjusted after they are applied. Capabilities can also be granted or denied without using a template at all. In both cases, the template column then shows Custom.
Copy and paste permissions
If there is a permission rule that needs to be assigned to multiple groups or users, you can copy and paste from one rule to another. You can’t copy from or paste onto a rule that involves Project Leader status.
- Open the action menu (...) for the existing rule you want to copy from and select Copy Permissions. This is available only when the rule is not in edit mode.
- Select an existing rule you want to paste over. You can also create a new rule by clicking + Add Group/User Rule and selecting a group or user.
- Open the action menu (...) and select Paste Permissions.
Capabilities
Each content type has specific capabilities:
Projects
Projects have only two capabilities and two templates. For more information about project leaders and how to assign them, see Project administration.
View template
View lets a user see the project. If a user hasn’t been granted the view capability, the project won’t be visible to them. Granting the view capability for a project does not mean a user can see any content in the project, just the existence of the project itself.
Publish template
Publish lets a user publish content to the project from Tableau Desktop or Tableau Prep Builder. The publish capability is also required to move content into the project or save content to the project from web authoring.
Workbooks
View template
View lets a user see the workbook or view. If a user hasn’t been granted the view capability, the workbook won’t be visible to them.
Filter lets a user interact with filters in the view, including keep-only and exclude filters. Users lacking this capability won’t see filter controls in the view.
View Comments lets a user view the comments associated with the views in a workbook.
Add Comments lets a user add comments to views in a workbook.
Download Image/PDF lets a user download each view as a PNG, PDF or PowerPoint.
Download Summary Data lets a user view the aggregated data in a view, or in the marks they’ve selected, and download that data (as a CSV).
Explore template
Share Customised lets users add their custom views to the list of “Other Views” visible on a workbook.
- When this capability is denied, users won’t see the “Make visible to others” option when they create a custom view. For more information, see Use Custom Views(Link opens in a new window). This capability doesn’t impact the ability to share a custom view with the share dialog or by copying the link.
Download Full Data lets a user view the underlying data in a view, or in the marks they’ve selected, and download that data (as a CSV).
Web Edit lets a user edit the view in a browser-based authoring environment.
- Note that creating new content in the browser or saving views from the web edit interface requires a specific combination of capabilities. For more information, see Web Editing and Web Authoring.
- The Web Editing feature must also be enabled for the entire site or even users with this capability allowed won’t be able to web edit. For more information, see Set a Site's Web Authoring Access(Link opens in a new window).
Run Explain Data lets a user run Explain Data on marks in editing and viewing mode.
- Note that for Explain Data to be displayed as an option when a user selects a mark in a workbook, the feature must also be enabled as a site setting. To make Explain Data available in viewing mode, the feature must also be allowed by the author from within a workbook in Explain Data settings. For more information, see Control Access to Explain Data.
Publish template
Download Workbook/Save a Copy lets a user download a packaged workbook (as a TWBX). Lets a user save (publish) a copy from the web edit interface as a new workbook.
Overwrite lets a user overwrite (save) the content or asset on the server.
- When allowed, the user can re-publish a workbook, data source or flow, or save a workbook or flow in web authoring, thereby becoming the owner and gaining access to all permissions. After this change in ownership, the original owner’s access to the workbook is determined by their permissions just like any other user.
Create/Refresh Metrics let a user create metrics on the views in a workbook and let any metrics that a user creates from those views refresh. The legacy Metrics feature was retired in February 2024 for Tableau Cloud and in Tableau Server version 2024.2. For more information, see Create and Troubleshoot Metrics (Retired).
Administer template
Move lets a user move workbooks between projects. For more information, see Move content.
Delete lets a user delete the workbook.
Set Permissions lets a user create permission rules for the workbook.
Views
In a workbook that is not in a locked project and does not show sheets as tabs for navigation, views (sheets, dashboards, stories) inherit the workbook permissions at publication, but any changes to permission rules must be made on individual views. View capabilities are the same as those for workbooks, except for Overwrite, Download Workbook/Save a Copy and Move which are only available at the workbook level.
We recommend showing navigational sheet tabs whenever possible so views continue to inherit their permissions from the workbook.
Data Sources
View template
View lets a user see the data source on the server.
Connect lets a user connect to a data source in Tableau Desktop, Tableau Prep Builder, Ask Data or web editing.
- If a workbook author embeds their credentials to a published data source in a published workbook, they are essentially embedding their Connect capability. Therefore, users can see the data in the workbook regardless of their own Connect capability for that data source. If the workbook author doesn’t embed their credentials to the published data source, the user needs their own Connect capability to the data source to consume the workbook. For more information, see Data access for published Tableau data sources.
- A user must have the Connect capability for a data source to use Ask Data and to create Ask Data lenses. For more information, see Enable Ask Data for Sites and Data Sources.
Explore template
Download Data Source lets a user download the data source from the server (as a TDSX).
- Cube data sources, like those for Microsoft Analysis Services or Oracle Essbase connections, must be used locally. To download the published data source to Tableau Desktop, the user must have the Download capability. For more information, see Cube Data Sources.
Publish template
Overwrite lets a user publish a data source to the server and overwrite the data source on the server.
Administer template
Delete lets a user delete the data source.
Set Permissions lets a user create and edit permission rules for the data source.
Other types of assets
View template | Explore template | Publish template | Administer template | |
Flows | View lets a user view the flow. | Download flow lets a user download the flow (as a TFLX). | Run lets a user run the flow. Overwrite lets a user publish a flow and overwrite the published flow. | Move lets a user move assets between projects. For more information, see Move content. Delete lets a user delete the asset. Set Permissions lets a user create permission rules for the asset.
|
Data Roles | View lets a user view data roles. | n/a | Overwrite lets a user publish data roles, overwrite published data roles and edit published data roles' synonyms. | |
Metrics (retired) | View lets a user view metrics. | n/a | Overwrite lets a user overwrite a metric and edit a metric's details. | |
Ask Data Lenses | View lets a user see the lens. | n/a | Overwrite lets a user edit the lens. | |
Virtual Connections | View lets a user see the virtual connection. Connect* lets a user connect to data using a virtual connection. | n/a | Overwrite lets a user edit the virtual connection. | |
Databases | View lets a user see the database. | n/a | Overwrite lets a user edit the metadata for the database. | |
Tables | View lets a user see the table. | n/a | Overwrite lets a user edit the metadata for the table. | |
Collections | View lets a user view collections. | n/a | n/a | n/a |
*By default, virtual connections have a Custom template that sets the View capability to Allowed but not the Connect capability. Be sure to set the Connect capability to Allowed so that users can connect using the virtual connection.