Manage Permissions for External Assets

Tableau Online and Tableau Server provide a space for accessing and managing published content. When Tableau Online or Tableau Server is licensed with the Data Management Add-on, you have access to Tableau Catalog. Tableau Catalog adds a complementary space and a set of features across your site to track and manage metadata and lineage of external assets used by the content published to your site.

Tableau Catalog indexes content and assets

Catalog discovers, tracks, and stores metadata from the content that you publish to Tableau Online or Tableau Server.

Catalog indexes metadata for the following:

  • Tableau content: workbooks, data sources, flows, projects, metrics, users, and sites

  • External assets: databases and tables associated with Tableau content

    Catalog classifies the metadata of any data that comes from outside the Tableau environment as external assets. The data that comes from outside the Tableau environment is stored in many different formats, such as a database server or a local .json file.

    Catalog tracks only the metadata of the external data and does not track the underlying data in any form (raw or aggregated).

Catalog metadata includes the following: 

  • Lineage information or the relationship between items. For example, the Sales table has a relationship with both the Superstore data source and the Superstore Sample workbook.

  • Schema information. Some examples include:
    • Table names, column names, and column types. For example, Table A contains Columns A, B, and C, which are types INT, VARCHAR, and VARCHAR.
    • Database name and server location. For example, Database_1 is a SQL Server database at http://example.net.
    • Data source name, and the names and types of the fields the data source contains. For example, Superstore data source has fields AA, BB, and CC. Field CC is a calculated field that refers back to both field AA and field BB.
  • User curated, added, or managed information. For example, item descriptions, certifications, user contacts, data quality warnings, and more.

How does Tableau Catalog work?

Tableau Catalog indexes all content published to Tableau Online or Tableau Server to track lineage and schema metadata. For example, the metadata comes from workbooks, packaged workbooks, data sources, and the Tableau Server or Tableau Online repository.

As part of the indexing process, lineage and schema metadata about external assets (databases and tables) used by the published content are also indexed.

Note: In addition to accessing Catalog from Tableau Online or Tableau Server, indexed metadata can also be accessed from the Tableau Metadata API and Tableau Server REST API. For more information about the Tableau Metadata API or metadata methods in the REST API, see Tableau Metadata API and Metadata Methods in the Tableau Server REST API, respectively.

Permissions on metadata

Permissions control who is allowed to see and manage external assets and what metadata (for both Tableau content and external assets) is shown through lineage.

Note: If Tableau Online or Tableau Server is not licensed with the Data Management Add-on, then by default, only admins can see database and table metadata through the Tableau Metadata API. This default can be changed to use "derived permissions," as described below.

Access metadata

The permissions used to access metadata through Catalog (or Metadata API) work similarly to permissions for accessing content through Tableau Online or Tableau Server, with some additional considerations for sensitive data that can be exposed through lineage and the capabilities granted on external assets.

Permissions on Tableau content

Catalog uses view and manage capabilities that are already used by existing Tableau content to control the metadata that you can see and manage on Tableau content. For more general information on these capabilities, see Permissions.

Permissions on external assets using derived permissions

When Tableau Online or Tableau Server is licensed with the Data Management Add-on, by default Catalog uses derived permissions to automatically grant you capabilities to external assets in the following scenarios:

For View capability:

  • If you are the owner of a workbook, data source, or flow, you can see the database and table metadata used directly by that workbook, data source, or flow. See Additional notes about lineage.

  • If you are a project owner or project leader, you can see all the database and table metadata used by the content published to your project.

  • Embedded files use the permissions of the source (such as the workbook, data source, or flow), rather than the derived permissions of the external asset (the database or table). For example, if you can see the workbook with an embedded file, you can see the embedded file and its metadata used by that workbook.

For both Overwrite and Set Permissions capabilities:

  • If you are the owner of a flow, you can edit and manage permissions for the database and table metadata used by the flow output.

Note: For the flow cases above, the capabilities apply only after there has been at least one successful flow run under the current owner of the flow.
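The derived-permission scenarios above can be modeled to audit who implicitly gains access to an external asset. The following is an added example, not Tableau code: the `Content` class, the `PROJECTS`/`CONTENTS` sample site, and the user names are constructed. It assumes the successful-run condition gates only the flow owner's rules.

```python
from dataclasses import dataclass, field

@dataclass
class Content:
    name: str
    kind: str       # "workbook", "datasource" or "flow"
    owner: str
    project: str
    uses: set       # external assets (databases/tables) used directly
    outputs: set = field(default_factory=set)  # flows only: output assets
    ran_ok_under_owner: bool = False  # flows only: a successful run under the current owner

def derived_capabilities(user, asset, contents, projects, derived_on=True):
    """Capabilities `user` derives on external `asset` (simplified model)."""
    caps = set()
    if not derived_on:  # site setting cleared: only explicit grants remain
        return caps
    for c in contents:
        proj = projects[c.project]
        # Assumption: the successful-run note applies to the flow owner's rules.
        owner_rule = user == c.owner and (c.kind != "flow" or c.ran_ok_under_owner)
        project_rule = user == proj["owner"] or user in proj["leaders"]
        if asset in c.uses and (owner_rule or project_rule):
            caps.add("View")
        if c.kind == "flow" and asset in c.outputs and owner_rule:
            caps |= {"Overwrite", "Set Permissions"}
    return caps

def who_derives_view(asset, users, contents, projects, derived_on=True):
    """Audit helper: users who can see `asset` without any explicit rule."""
    return sorted(u for u in users
                  if "View" in derived_capabilities(u, asset, contents, projects, derived_on))

# Constructed sample site (not taken from a real deployment).
PROJECTS = {"Finance": {"owner": "pat", "leaders": {"lee"}}}
CONTENTS = [
    Content("Superstore Sample", "workbook", "ana", "Finance", {"Sales"}),
    Content("Nightly Prep", "flow", "raj", "Finance", {"Orders"}, {"Orders_Clean"}),
]
USERS = ["ana", "lee", "pat", "raj", "sam"]

if __name__ == "__main__":
    for asset in ("Sales", "Orders", "Orders_Clean"):
        print(asset, who_derives_view(asset, USERS, CONTENTS, PROJECTS))
```

In this model the flow owner gains nothing on the flow's assets until `ran_ok_under_owner` is true, and clearing the site setting (`derived_on=False`) removes every derived grant at once.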

Check permissions

As an admin or someone who has been given the capability to set permissions for an asset, you can validate who has derived permissions by following the steps below.

  1. Sign in to Tableau Online or Tableau Server.
  2. From the left navigation pane, click External Assets.

  3. From the drop-down menu, select Databases and Files or Tables.
    Note: Local files, like .json or .csv files, are grouped as external assets under Databases.

  4. Select the check box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.

  5. In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.

  6. Validate the permissions by clicking a group name or user name in the permission rules to see the effective permissions below.

Order of precedence in which Tableau evaluates derived permissions for external assets

When derived permissions are configured for your Tableau Online site or Tableau Server, each user's level of access to external assets depends on the associated Tableau content and the order of precedence of rules Tableau uses for its content.

Tableau follows the rules below, continuing on to the next rule only if the current rule evaluates to "denied." If any rule evaluates to "allowed," the capability is allowed and Tableau stops evaluating. This list of rules is based on the rules described in Permissions.

For View capability:

  1. Admin role
  2. License
  3. Project leader (Tableau content)
  4. Project owner (Tableau content)
  5. Content owner (Tableau content)
  6. Derived permissions (applies only to external assets and the View capability)
    1. Admin role
    2. License
    3. Project leader (external assets)
    4. Project owner (external assets)
    5. Content owner (external assets)
  7. Explicit permissions

For Overwrite and Set Permissions capabilities: 

  1. Admin role
  2. License
  3. Project leader (Tableau content)
  4. Project owner (Tableau content)
  5. Content owner (Tableau content)
  6. Explicit permissions (Tableau content)
  7. Derived permissions (applies only to external assets and the Overwrite and Set Permissions capabilities for flow outputs)
    1. Admin role
    2. License
    3. Project leader (external assets)
    4. Project owner (external assets)
    5. Content owner (external assets)

Turn off derived permissions

As an admin, you can turn off the derived permissions default setting for a site in favor of manually granting explicit permissions to databases and tables.

  1. Sign in to Tableau Online or Tableau Server as an admin.
  2. From the left navigation pane, click Settings.
  3. On the General tab, under Automatic Access to Metadata about Databases and Tables, clear the Automatically grant authorized users access to metadata about databases and tables check box.

    Note: Data quality warning messages on databases and tables that are visible to users through derived permissions remain visible to those users even when the check box is not selected.

Set permissions on individual external assets

In order to grant additional users permissions to view, edit (overwrite), and manage external assets, an admin can grant those capabilities explicitly on individual databases or tables for users or groups.

Database permissions act as a permissions template

Database permissions function like Permissions. In other words, when permissions are set at the database level, those permissions can serve as a template for any newly discovered and indexed child tables of that database. Furthermore, database permissions can also be locked so that the child tables will always use the permissions set at the database level.

Granting permission at the database level can help create a scalable process for enabling permissions to tables.

Summary of permissions capabilities

The following table shows the capabilities you can set for external assets (databases and tables):

| Capability | Description | Template |
|---|---|---|
| View | See the database or table asset. | View |
| Overwrite | Add or edit data quality warnings and descriptions of the database or table asset. Prior to version 2020.1, the Overwrite capability was called Save. | Publish |
| Set Permissions | Grant or deny permissions for the database or table asset. | Administer |

Set permissions on a database or table

To set permissions on databases or tables, use the following procedure.

  1. Sign in to Tableau Online or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
  2. From the left navigation pane, click External Assets.

  3. From the drop-down menu, select Databases and Files or Tables.
    Note: Local files, like .json or .csv files, are grouped as external assets under Databases.

  4. Select the check box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.

  5. In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.

  6. Select a permission role template to apply an initial set of capability for the group or user, and then click Save. Available templates are: View, Publish, Administer, None, and Denied.

  7. To further customize the rule, click a capability in the rule to set it to Allowed or Denied, or leave it unspecified. Click Save when you are done.

  8. Configure any additional rules you want for other groups or users.

  9. Validate the permissions by clicking a group name or user name in the permission rules to see the effective permissions below.

Lock permissions to the database

To lock (or unlock) permissions to the database, use the following procedure.

  1. Sign in to Tableau Online or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
  2. From the left navigation pane, click External Assets. By default, the External Assets page shows a list of databases and files.

  3. Select the check box next to the database whose permissions you want to lock, select Actions > Permissions, and then click the Table Permissions Edit link.

  4. In the Table Permissions in Database dialog box, select Locked and click Save.

  5. To unlock permissions, click Edit again, and select Customized.

Access lineage information

Catalog (and the Metadata API) can expose relationship and dependencies metadata, also referred to as lineage, among the content and assets on Tableau Online or Tableau Server. Lineage can show three primary things:

  • How items relate to each other, either directly or indirectly
  • How many of those items relate to each other
  • Sensitive data about items in the lineage, if you have the appropriate permissions

Sensitive lineage data

In some cases, lineage can contain sensitive data, such as data quality warning messages, content or asset names, or related items and metadata.

By default, complete lineage information displays for all users while its sensitive data is blocked from specific users who don’t have the appropriate View capabilities. The concept of blocking sensitive data is called obfuscation.

Obfuscation allows all metadata in the lineage to be visible while keeping its sensitive data blocked from specific users who don’t have the appropriate View capabilities. This default enables workflows that rely on a complete impact analysis.

If obfuscating sensitive data in the lineage is not enough for your organization, certain parts of the lineage, including its sensitive data, can be filtered.

Filtering omits certain parts of the lineage (and lineage-related areas like data details) for specific users who don't have the appropriate View capabilities to its sensitive data. Because filtering omits parts of lineage, it prevents workflows that rely on a complete impact analysis.

To change how sensitive data is handled, do the following:

  1. Sign in to Tableau Online or Tableau Server as an admin.
  2. From the left navigation pane, click Settings.
  3. On the General tab, under Sensitive Lineage Information, select the radio button that best handles lineage information for all users on your Tableau Online site or Tableau Server.

Additional notes about lineage

  • If you have the View capability on related assets, you can see when and what assets and content are related to each other, and their sensitive metadata.

    For example, you can see 1) the names, data quality warnings, and total number of related upstream databases and tables and 2) the combined number of sheets (visible and hidden) in the lineage of the downstream workbook of the asset you are evaluating.

  • If you don't have the View capability on related assets, you can always see when assets relate to each other.

    For example, you can see 1) whether related upstream databases and tables exist in the lineage and 2) the total number of databases or total number of tables that are related to the asset you are evaluating.

    However, you can't see the metadata associated with those assets when you don't have the View capability for them. When metadata is blocked because of limited permissions, or the asset is in a Personal Space, you see Permissions Required.

  • If you don't have the View capability on related assets, you can always see whether the assets are certified.

    However, if you don't have the View capability, you can't see the sensitive information related to the certification, like the names of the related databases and tables. When metadata is blocked because of limited permissions, or the asset is in a Personal Space, you see Permissions Required.

    For more information about lineage see Use Lineage for Impact Analysis.
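The difference between obfuscating and filtering sensitive lineage data can be seen in a small model. This is an added example, not Tableau code: the item fields, the `UPSTREAM` sample, and the choice to mask the warning field whether or not a warning exists are assumptions made for illustration.

```python
from collections import Counter

PLACEHOLDER = "Permissions Required"

def lineage_view(items, viewable, mode="obfuscate"):
    """Return the lineage a user sees, given the names they have View on."""
    if mode not in ("obfuscate", "filter"):
        raise ValueError(f"unknown mode: {mode}")
    shown = []
    for item in items:
        if item["name"] in viewable:
            shown.append(dict(item))          # full metadata
        elif mode == "obfuscate":
            # Existence, type and certification stay visible;
            # the name and warning message are blocked.
            shown.append({"name": PLACEHOLDER, "type": item["type"],
                          "certified": item["certified"],
                          "warning": PLACEHOLDER})
        # mode == "filter": the item is omitted entirely
    return shown

def counts_by_type(shown):
    """Counts a user can read off the lineage they are shown."""
    return dict(Counter(item["type"] for item in shown))

# Constructed upstream lineage for a data source (sample data).
UPSTREAM = [
    {"name": "Sales", "type": "table", "certified": True, "warning": None},
    {"name": "Returns", "type": "table", "certified": False,
     "warning": "Stale data: refresh failed"},
    {"name": "Database_1", "type": "database", "certified": True, "warning": None},
]

if __name__ == "__main__":
    for mode in ("obfuscate", "filter"):
        view = lineage_view(UPSTREAM, {"Sales"}, mode)
        print(mode, counts_by_type(view), [i["name"] for i in view])
```

With View on only one table, the obfuscated lineage still reports the true counts (two tables, one database), which supports impact analysis but reveals that the other assets exist; the filtered lineage reports a single table.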

Additional notes about tags discoverable through lineage data

In addition to Tableau content, external assets can also be tagged. Although tags are always visible, tagged items that you see through lineage data can either be obfuscated (default) or filtered as described earlier in this topic.

When tagged items are obfuscated:

  • If you have the View capability for tagged items, you can see the tagged items and related tagged items, and all metadata.

  • If you don’t have the View capability for tagged items:

    • You can see the type of tagged and related tagged items but you can't see sensitive metadata about the items. For example, suppose you use a tag filter to see items with the tag “Noteworthy.” Although you can see that there are database items tagged with "Noteworthy," you can’t see the names of the tagged databases.

    • You can see how many related tagged items there are. For example, suppose you do a tag query on “Noteworthy.” Your query returns five tagged databases.

When tagged items are filtered, the tagged and related tagged items you see are limited to only the items that you have the View capability for.

For more information about tags, see Tagged Items in the Tableau User Help.

Potential mismatch between asset results and content results

When Catalog shows lineage information, it provides information between content and assets. Catalog lineage always shows the true count or result of associated items. However, elsewhere in Tableau Online or Tableau Server, you might see a smaller number of items. One reason for this is your View capabilities. Outside of Catalog, or elsewhere in Tableau Online or Tableau Server, you see a filtered count or result of the content that you have access to according to your content permissions.

For example, suppose you're looking at the Superstore data source. The lineage for the Superstore data source can show how many upstream underlying tables the data source connects to and how many downstream workbooks rely on the data source. However, because you might not have the View capability on all of those downstream workbooks, the total number of related workbooks might be different when you're looking at Catalog lineage information versus the total number of workbooks represented in the Connected Workbooks tab.

There might be other reasons, not related to permissions, why you see a mismatch between asset counts and content counts. For more information, see Use Lineage for Impact Analysis.

Who can do this

The following information summarizes the types of users who can do the tasks described in this topic.

Tableau Online site or Tableau Server admin

| Data Management Add-on | Capability | Requirements |
|---|---|---|
| Licensed | See assets and their metadata | None |
| Licensed | Edit assets and their metadata | None |
| Licensed | Change permission on assets and their metadata | None |
| Licensed | Grant users ability to see assets and their metadata | Default: When “derived permissions” is on, your users can see metadata on external assets for the content that they own, or for the content that is published to a project that they are a project leader or project owner of. Ad-hoc: You can configure explicit View permissions on a specified external asset. |
| Licensed | Grant users ability to edit assets and their metadata | You can configure explicit "write" or Overwrite permissions on a specified external asset (if not automatically granted because the user is a flow owner). |
| Licensed | Grant users ability to change permissions on assets and their metadata | You can configure explicit "edit" or Set Permissions on a specified external asset (if not automatically granted because the user is a flow owner). |
| Not licensed | See all assets and their metadata | Applies to Metadata API only |
| Not licensed | Edit assets and their metadata | Requires the Data Management Add-on |
| Not licensed | Change permission on assets and their metadata | Requires the Data Management Add-on |
| Not licensed | Grant users ability to see assets and their metadata | Applies to Metadata API only: You can turn on derived permissions as described above. If “derived permissions” is on, your users can see metadata on external assets for the content that they own, or for the content that is published to a project that they are a project leader or project owner of. |
| Not licensed | Grant users ability to edit assets and their metadata | Requires the Data Management Add-on |
| Not licensed | Grant users ability to change permissions on assets and their metadata | Requires the Data Management Add-on |

User with Creator or Explorer license

| Data Management Add-on | Capability | Requirements |
|---|---|---|
| Licensed | See assets and their metadata | Default: When "derived permissions" is enabled by your Tableau Online site admin or Tableau Server admin, you can see metadata on external assets for the content that you own, or for the content that is published to a project that you are a project leader or project owner of. Ad-hoc: You can see metadata on external assets that you have been granted explicit View permissions to. |
| Licensed | Edit assets and their metadata | You can edit metadata on an external asset that you have been granted explicit "write" or Overwrite permissions to (if not automatically granted because the user is a flow owner). |
| Licensed | Change permissions on assets and their metadata | You can change permissions on an external asset that you have been granted explicit "edit" or Set Permissions to (if not automatically granted because the user is a flow owner). |
| Licensed | Grant other users permissions to see assets and their metadata | You can change permissions on an external asset that you have been granted explicit "edit" or Set Permissions to (if not automatically granted because the user is a flow owner). |
| Not licensed | See assets and their metadata | Applies to Metadata API only: If “derived permissions” is enabled by your Tableau Online site admin or Tableau Server admin, you can see metadata on external assets for the content that you own, or for the content that is published to a project that you are a project leader or project owner of. |
| Not licensed | Edit assets and their metadata | Requires the Data Management Add-on |
| Not licensed | Change permissions on assets and their metadata | Requires the Data Management Add-on |
| Not licensed | Grant other users permissions to see assets and their metadata | Requires the Data Management Add-on |