Permissions, Site Roles and Licences

Adding a user to Tableau Cloud requires an available licence. (Users can also be added as unlicensed and configured so they will consume a licence only when they first sign in. For more information, see Grant Licence on Sign-in.) For each site the user belongs to they have exactly one site role, restricted by their licence. A user has permissions for content on the site, restricted by what their site role allows.

Licences and site roles apply to users. Permission capabilities apply to content.

Licences are assigned to a user when they are created (or sign in for the first time) on the Tableau Server or Tableau Cloud site. Users are licensed as a Creator, Explorer or Viewer.

  • Licence levels are consumed based on the maximum site role a user can have on that server.
    • Server Administrator, Site Administrator Creator and Creator site roles use a Creator licence.
    • Site Administrator Explorer, Explorer (can publish) and Explorer site roles use at least an Explorer licence.
    • Viewer site role uses at least a Viewer licence.
    • An unlicensed user can exist on the site, but they cannot sign in unless they were added with grant site role on sign-in.
  • For Tableau Server, a user consumes only one licence per server, even if they are a member of multiple sites. If a user is a member of multiple sites, their required licence level is determined by their highest site role. (For example, if a user has a Creator site role in one site and a Viewer site role in two others, they consume a Creator licence.)

Site roles are assigned to a user for each site they are a member of.

  • Site roles determine the maximum capabilities a user can have in that site. (For example, a user with a site role of Viewer will never be able to download a data source even if that capability is explicitly granted to them on a specific data source.)
  • Site roles do not inherently grant any capabilities in and of themselves – with the exception of the administrator site roles. Administrators always have all capabilities applicable to their licence level.

Permissions consist of capabilities, like the ability to save to a project, web edit a workbook, connect to a data source, etc. They apply to group or user on a specific piece of content (project, data source, workbook, view or flow).

  • Permission capabilities are not given to a group or user in a vacuum but rather in the context of content. A user can have different capabilities for different content assets.
  • Permissions are evaluated based on the interplay of a user’s site role and the permission rules for that user or any groups they are members of.
  • Some actions such as web authoring might require combinations of capabilities. For more information, see Permission settings for specific scenarios.

Site roles and their maximum capabilities

These tables indicate what capabilities are available for a site role. There may be other ways for a user with a site role to perform a similar action. For example, although Viewers can’t be given the Share Customised capability to make their custom views visible to others on the workbook, they can share custom views by copying the view URL. See General capabilities allowed with each site role for more information on what each site role can do.

Projects

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Publish

Workbooks

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Filter
View Comments
Add Comments
Download Image/PDF
Download Summary Data
Run Explain Data
Share Customised
Download Full Data
Web Edit
Download Workbook/Save a Copy
Overwrite
Create/Refresh Metrics
Move*
Delete
Set Permissions

† Prior to Tableau 2021.3, the availability of Explain Data was controlled at the server level only using the tsm configuration set option ExplainDataEnabled. In 2021.3 and later, availability of Explain Data can be controlled in site settings and in a workbook using the Run Explain Data capability. The availability of Explain Data in viewing mode is controlled in a workbook in the Explain Data Settings dialog box.

‡ Prior to Tableau 2021.3, the Create/Refresh Metrics capability was controlled by the Download Full Data capability.

Data Sources

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Connect
Download Data Source
Overwrite
Delete
Set Permissions

Data Roles

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Overwrite
Move*
Delete
Set Permissions

Flows

To run flows on a schedule, you must have a Data Management licence. For information about configuring flow settings, see Create and Interact with Flows on the Web. Explorer licence users can run flows on Tableau Cloud.

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Download Flow
Web Edit
Run Flow
Overwrite
Move*
Delete
Set Permissions

Ask Data Lenses

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Overwrite
Move*
Delete
Set Permissions

Metrics

Retirement of the legacy metrics feature

Tableau's legacy metrics feature was retired in Tableau Cloud in February 2024 and in Tableau Server version 2024.2. In October 2023, Tableau retired the ability to embed legacy metrics in Tableau Cloud and in Tableau Server version 2023.3. With Tableau Pulse, we've developed an improved experience to track metrics and ask questions of your data. For more information, see Create Metrics with Tableau Pulse to learn about the new experience and Create and Troubleshoot Metrics (Retired) for the retired feature.

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Overwrite
Move*
Delete
Set Permissions

Collections

CapabilityCreatorExplorer (can publish)ExplorerViewer
View

Virtual Connections

Virtual connections require a Data Management licence. See About Data Management for details.

CapabilityCreatorExplorer (can publish)ExplorerViewer
View
Connect******
Overwrite
Move*
Delete
Set Permissions

* Although the Explorer role can be given the Move capability, they can’t have the Publish capability on a project, and therefore there is no place for them to move content to. The Move capability should therefore be considered not possible for Explorer site roles.

** Although the Explorer (can publish) role can be given the Connect capability for Virtual Connections, the ability to create a new data source of any kind, including Virtual Connections, is only available for users with a Creator site role. Similarly, Explorer and Viewer role users can't access the UI to connect to new or existing data sources. The Connect capability should be considered impossible for any role but Creator.

 

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!