Manage Permissions for External Assets

Tableau Online and Tableau Server provide a space for accessing and managing published content. When Tableau Online or Tableau Server is licensed with the Data Management Add-on, you have access to Tableau Catalog. Tableau Catalog adds a complementary space and a set of features across your site to track and manage metadata and lineage of external assets used by the content published to your site.

Tableau Catalog indexes content and assets

Catalog discovers, tracks, and stores metadata from the content that you publish to Tableau Online or Tableau Server.

Catalog indexes metadata for the following:

  • Tableau content: workbooks, data sources, flows, projects, users, and sites

  • External assets: databases and tables associated with Tableau content

    Catalog classifies the metadata of any data that comes from outside the Tableau environment as external assets. The data that comes from outside the Tableau environment is stored in many different formats, such as a database server or a local .json file.

    Catalog tracks only the metadata of the external data and does not track the underlying data in any form (raw or aggregated).

Catalog metadata includes the following: 

  • Lineage information or the relationship between items. For example, the Sales table has a relationship with both the Superstore data source and the Superstore Sample workbook.

  • Schema information. Some examples include:
    • Table names, column names, and column types. For example, Table A contains Columns A, B, and C, which are types INT, VARCHAR, and VARCHAR.
    • Database name and server location. For example, Database_1 is a SQL Server database at http://example.net.
    • Data source name, and the names and types of the fields the data source contains. For example, Superstore data source has fields AA, BB, and CC. Field CC is a calculated field that refers back to both field AA and field BB.
  • User curated, added, or managed information. For example, item descriptions, certifications, user contacts, data quality warnings, and more.

How does Tableau Catalog work?

Tableau Catalog indexes all content published to Tableau Online or Tableau Server to track lineage and schema metadata. For example, the metadata comes from workbooks, packaged workbooks, data sources, and the Tableau Server or Tableau Online repository.

As part of the indexing process, lineage and schema metadata about external assets (databases and tables) used by the published content are also indexed.

Note: In addition to accessing Catalog from Tableau Online or Tableau Server, indexed metadata can also be accessed from the Tableau Metadata API and Tableau Server REST API. For more information about the Tableau Metadata API or metadata methods in the REST API, see Tableau Metadata API and Metadata Methods in the Tableau Server REST API, respectively.

Permissions on metadata

Permissions control who is allowed to see and manage external assets and what metadata (for both Tableau content and external assets) is shown through lineage.

Note: If Tableau Online or Tableau Server is not licensed with the Data Management Add-on, then by default, admins can see database and table metadata through the Tableau Metadata API. This default can be changed to use "derived permissions," as described below.

Access metadata

The permissions used to access metadata through Catalog (or Metadata API) work similarly to permissions for accessing content through Tableau Online or Tableau Server, with some additional considerations for sensitive data that can be exposed through lineage and the capabilities granted on external assets.

Permissions on Tableau content

Catalog uses the View capabilities that are already used by existing Tableau content to control the metadata that you can see on Tableau content. For more information on the View capability on content, see Permission capabilities.

Permissions on external assets using derived permissions

When Tableau Online or Tableau Server is licensed with the Data Management Add-on, by default Catalog uses derived permissions to automatically grant you the View capability to external assets in the following scenarios:

  • If you are the owner of a workbook, data source, or flow, you can see the database and table metadata used by that workbook, data source, or flow.

  • If you are a project owner or project leader, you can see all the database and table metadata used by the content published to your project.

Note: Derived permissions do not automatically grant you View capabilities to database or table metadata for flow outputs.

Check permissions

As an admin or someone who has been given the capability to set permissions for an asset, you can validate who has derived permissions by following the steps below.

  1. Sign in to Tableau Online or Tableau Server.
  2. From the left navigation pane, click External Assets.

  3. From the drop-down menu, select Databases and Files or Tables.
    Note: Local files, like .json or .csv files, are grouped as external assets under Databases.

  4. Select the check box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.

  5. In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.

  6. Validate the permissions by clicking a group name or user name in the permission rules to see the effective permissions below.

Order of precedence in which Tableau evaluates derived permissions for external assets

When derived permissions are configured for your Tableau Online site or Tableau Server, each user's level of access to external assets depends on the associated Tableau content and the order of precedence of rules Tableau uses for its content.

Tableau follows the rules below, continuing on to the next rule only if the current rule evaluates to "denied." If any rule evaluates to "allowed," the capability is allowed and Tableau stops evaluating. This rules list is based on the Evaluate permission rules.

  1. Admin role
  2. License
  3. Project leader (Tableau content)
  4. Project owner (Tableau content)
  5. Content owner (Tableau content)
  6. Derived permissions (applies only to external assets and the View capability)
    1. Admin role
    2. License
    3. Project leader (external assets)
    4. Project owner (external assets)
    5. Content owner (external assets)
  7. Explicit permissions
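The following Python sketch is an added example, not Tableau code. It models the View decision for one external asset in the order listed above so you can audit who gains access through derived permissions before and after turning them off. It assumes a simplified inventory (the `Project` and `Content` classes and all user, project, and asset names are made up) and does not model the license check.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    owner: str
    leaders: set = field(default_factory=set)

@dataclass
class Content:
    name: str
    owner: str
    project: str
    uses: set                                   # external assets the content reads
    outputs: set = field(default_factory=set)   # flow outputs: no derived View

# Derived rules in the page's order; each receives (user, content, project).
DERIVED_RULES = [
    ("project leader", lambda u, c, p: u in p.leaders),
    ("project owner", lambda u, c, p: u == p.owner),
    ("content owner", lambda u, c, p: u == c.owner),
]

def can_view(user, asset, admins, projects, contents, explicit, derived_on=True):
    """Return (allowed, reason) for View on one database or table."""
    if user in admins:
        return True, "admin role"
    if derived_on:  # site setting "Automatically grant authorized users access..."
        for rule, matches in DERIVED_RULES:
            for c in contents:
                if asset in c.uses and matches(user, c, projects[c.project]):
                    return True, f"derived: {rule} via {c.name}"
    if explicit.get((user, asset)) == "allowed":
        return True, "explicit rule"
    return False, "no rule allowed View"

# Constructed sample inventory (all names are hypothetical).
ADMINS = {"root"}
PROJECTS = {"Finance": Project(owner="priya", leaders={"lee"})}
CONTENTS = [
    Content("Q3 Revenue", "omar", "Finance", {"sales_db.orders"}),
    Content("Nightly Prep", "omar", "Finance", {"sales_db.orders"},
            outputs={"sales_db.orders_clean"}),
]
EXPLICIT = {("dana", "sales_db.orders_clean"): "allowed"}

def check(user, asset, derived_on=True):
    return can_view(user, asset, ADMINS, PROJECTS, CONTENTS, EXPLICIT, derived_on)

if __name__ == "__main__":
    for who in ("root", "lee", "priya", "omar", "dana"):
        for asset in ("sales_db.orders", "sales_db.orders_clean"):
            print(who, asset, check(who, asset), check(who, asset, derived_on=False))
```

Comparing the `derived_on=True` and `derived_on=False` columns shows which users would need an explicit rule if derived permissions were turned off.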

Turn off derived permissions

As an admin, you can turn off the derived permissions default setting for a site in favor of manually granting explicit permissions to databases and tables.

  1. Sign in to Tableau Online or Tableau Server as an admin.
  2. From the left navigation pane, click Settings.
  3. On the General tab, under Automatic Access to Metadata about Databases and Tables, clear the Automatically grant authorized users access to metadata about databases and tables check box.

    Note: Data quality warning messages on databases and tables that are visible to users through derived permissions remain visible to those users even when the check box is not selected.

Set permissions on individual external assets

In order to grant additional users permissions to view, edit (overwrite), and manage external assets, an admin can grant those capabilities explicitly on individual databases or tables for users or groups.

Database permissions act as a permissions template

Database permissions function like Permission management. In other words, when permissions are set at the database level, those permissions can serve as a template for any newly discovered and indexed child tables of that database. Furthermore, database permissions can also be locked so that the child tables will always use the permissions set at the database level.

Granting permission at the database level can help create a scalable process for enabling permissions to tables.

Summary of permissions capabilities

The following table shows the capabilities you can set for external assets (databases and tables):

| Capability | Description | Template |
|---|---|---|
| View | See the database or table asset. | View |
| Overwrite | Add or edit data quality warnings and descriptions of the database or table asset. Prior to version 2020.1, the Overwrite capability was called Save. | Publish |
| Set Permissions | Grant or deny permissions for the database or table asset. | Administer |

Set permissions on a database or table

To set permissions on databases or tables, use the following procedure.

  1. Sign in to Tableau Online or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
  2. From the left navigation pane, click External Assets.

  3. From the drop-down menu, select Databases and Files or Tables.
    Note: Local files, like .json or .csv files, are grouped as external assets under Databases.

  4. Select the check box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.

  5. In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.

  6. Select a permission role template to apply an initial set of capabilities for the group or user, and then click Save. Available templates are: View, Publish, Administer, None, and Denied.

  7. To further customize the rule, click a capability in the rule to set it to Allowed or Denied, or leave it unspecified. Click Save when you are done.

  8. Configure any additional rules you want for other groups or users.

  9. Validate the permissions by clicking a group name or user name in the permission rules to see the effective permissions below.

Lock permissions to the database

To lock (or unlock) permissions to the database, use the following procedure.

  1. Sign in to Tableau Online or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
  2. From the left navigation pane, click External Assets. By default, the External Assets page shows a list of databases and files.

  3. Select the check box next to the database whose permissions you want to lock, select Actions > Permissions, and then click the Table Permissions Edit link.

  4. In the Table Permissions in Database dialog box, select Locked and click Save.

  5. To unlock permissions, click Edit again, and select Customized.

Access lineage information

Catalog (and the Metadata API) can expose relationship and dependencies metadata, also referred to as lineage, among the content and assets on Tableau Online or Tableau Server. Lineage can show three primary things:

  • How items relate to each other, either directly or indirectly
  • How many of those items relate to each other
  • Sensitive data about items in the lineage, if you have the appropriate permissions

Sensitive lineage data

In some cases, lineage can contain sensitive data, such as data quality warning messages and content or asset names.

By default, complete lineage information displays for all users while its sensitive data is blocked from specific users who don’t have the appropriate View capabilities. The concept of blocking sensitive data is called obfuscation.

Obfuscation allows all metadata in the lineage to be visible while keeping its sensitive data blocked from specific users who don’t have the appropriate View capabilities. This default enables workflows that rely on a complete impact analysis.

If obfuscating sensitive data in the lineage is not enough for your organization, certain parts of the lineage, including its sensitive data, can be filtered.

Filtering omits certain parts of the lineage for specific users who don't have the appropriate View capabilities to its sensitive data. Because filtering omits parts of lineage, it prevents workflows that rely on a complete impact analysis.

To change how sensitive data in a lineage is handled, do the following:

  1. Sign in to Tableau Online or Tableau Server as an admin.
  2. From the left navigation pane, click Settings.
  3. On the General tab, under Sensitive Lineage Information, select the radio button that best handles lineage information for all users on your Tableau Online site or Tableau Server.

Additional notes about lineage

  • If you don't have the View capability on related assets, you can always see when assets relate to each other.

    For example, you can see 1) whether related upstream databases and tables exist in the lineage and 2) the total number of databases or total number of tables that are related to the asset you are evaluating.

    However, you can't see the metadata associated with those assets when you don't have the View capability for them. When metadata is blocked because of limited permissions, you see Permissions Required.

  • If you don't have the View capability on related assets, you can always see whether the assets are certified.

    However, without the View capability you can't see the sensitive information related to the certification, like the names of the related databases and tables. When metadata is blocked because of limited permissions, you see Permissions Required.

  • If you have the View capability on related assets, you can see when and what assets and content are related to each other, and their sensitive metadata.

    For example, you can see 1) the names, data quality warnings, and total number of related upstream databases and tables and 2) the combined number of sheets (visible and hidden) in the lineage of the downstream workbook of the asset you are evaluating.
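The obfuscation and filtering settings described above can be compared with a small model. This Python sketch is an added example, not Tableau code. The node fields, the sample tables, and the choice to drop the warning field entirely from an obfuscated node are assumptions made for illustration.

```python
PLACEHOLDER = "Permissions Required"

def render_lineage(nodes, viewable, mode="obfuscate"):
    """Render upstream lineage for a user who has View on the names in `viewable`."""
    if mode not in ("obfuscate", "filter"):
        raise ValueError(f"unknown mode: {mode}")
    rendered = []
    for node in nodes:
        if node["name"] in viewable:
            rendered.append(dict(node))          # full metadata
        elif mode == "obfuscate":
            # Existence, type and certification stay visible; the name is
            # replaced and the warning message is dropped (assumption).
            rendered.append({"type": node["type"], "name": PLACEHOLDER,
                             "certified": node["certified"]})
        # mode == "filter": the node is omitted entirely
    return rendered

def leaked(rendered, nodes, viewable):
    """Sensitive strings of non-viewable nodes that still appear in the output."""
    secrets = {v for n in nodes if n["name"] not in viewable
               for v in (n["name"], n["warning"]) if v}
    shown = {v for r in rendered for v in r.values() if isinstance(v, str)}
    return secrets & shown

# Constructed sample: three upstream tables, the user has View on one of them.
NODES = [
    {"type": "table", "name": "orders", "certified": True, "warning": None},
    {"type": "table", "name": "hr_salaries", "certified": False,
     "warning": "Stale since payroll migration"},
    {"type": "table", "name": "customers", "certified": True, "warning": None},
]
VIEWABLE = {"orders"}

if __name__ == "__main__":
    for mode in ("obfuscate", "filter"):
        out = render_lineage(NODES, VIEWABLE, mode)
        print(mode, "count:", len(out), "leaked:", leaked(out, NODES, VIEWABLE))
        for row in out:
            print("  ", row)
```

Obfuscation reports all three tables, which keeps impact analysis complete, while filtering reports only one; neither mode exposes the hidden names or warning text.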

For more information about lineage see Use Lineage for Impact Analysis.

Potential mismatch between asset results and content results

When Catalog shows lineage information, it provides information between content and assets. Catalog lineage always shows the true count or result of associated items. However, elsewhere in Tableau Online or Tableau Server, you might see fewer items. One reason for this is your View capabilities. Outside of Catalog, or elsewhere in Tableau Online or Tableau Server, you see a filtered count or result of the content that you have access to according to your content permissions.

For example, suppose you're looking at the Superstore data source. The lineage for the Superstore data source can show how many upstream underlying tables the data source connects to and how many downstream workbooks rely on the data source. However, because you might not have the View capability on all of those downstream workbooks, the total number of related workbooks might be different when you're looking at Catalog lineage information versus the total number of workbooks represented in the Connected Workbooks tab.

There might be other reasons, not related to permissions, why you see a mismatch between asset counts and content counts. For more information, see Use Lineage for Impact Analysis.
