Permissions, Site Roles, and Licenses
Adding a user to Tableau Cloud requires an available license. (Users can also be added as unlicensed and configured so they will consume a license only when they first sign in. For more information, see Grant License on Sign In.) For each site the user belongs to they have exactly one site role, restricted by their license. A user has permissions for content on the site, restricted by what their site role allows.
Licenses and site roles apply to users. Permission capabilities apply to content.
Licenses are assigned to a user when they are created (or sign in for the first time) on the Tableau Server or Tableau Cloud site. Users are licensed as a Creator, Explorer, or Viewer.
- License levels are consumed based on the maximum site role a user can have on that server.
- Server Administrator, Site Administrator Creator, and Creator site roles use a Creator license.
- Site Administrator Explorer, Explorer (can publish), and Explorer site roles use at least an Explorer license.
- Viewer site role uses at least a Viewer license.
- An unlicensed user can exist on the site, but they cannot sign in unless they were added with grant site role on sign in.
- For Tableau Server, a user consumes only one license per server, even if they are a member of multiple sites. If a user is a member of multiple sites, their required license level is determined by their highest site role. (For example, if a user has a Creator site role in one site and a Viewer site role in two others, they consume a Creator license.)
Site roles are assigned to a user for each site they are a member of.
- Site roles determine the maximum capabilities a user can have in that site. (For example, a user with a site role of Viewer will never be able to download a data source even if that capability is explicitly granted to them on a specific data source.)
- Site roles do not inherently grant any capabilities in and of themselves—with the exception of the administrator site roles. Administrators always have all capabilities applicable to their license level.
Permissions consist of capabilities, like the ability to save to a project, web edit a workbook, connect to a data source, etc. They apply to group or user on a specific piece of content (project, data source, workbook, view, or flow).
- Permission capabilities are not given to a group or user in a vacuum but rather in the context of content. A user can have different capabilities for different content assets.
- Permissions are evaluated based on the interplay of a user’s site role and the permission rules for that user or any groups they are members of.
- Some actions such as web authoring might require combinations of capabilities. For more information, see Permission settings for specific scenarios.
Site roles and their maximum capabilities
These tables indicate what capabilities are available for a site role. There may be other ways for a user with a site role to perform a similar action. For example, although Viewers can’t be given the Share Customized capability to make their custom views visible to others on the workbook, they can share custom views by copying the view URL. See General capabilities allowed with each site role for more information on what each site role can do.
Projects
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Publish |
Workbooks
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Filter | ||||
View Comments | ||||
Add Comments | ||||
Download Image/PDF | ||||
Download Summary Data | ||||
Run Explain Data † | ||||
Share Customized | ||||
Download Full Data | ||||
Web Edit | ||||
Download Workbook/Save a Copy | ||||
Overwrite | ||||
Create/Refresh Metrics ‡ | ||||
Move | * | |||
Delete | ||||
Set Permissions |
† Prior to Tableau 2021.3, the availability of Explain Data was controlled at the server level only using the tsm configuration set option ExplainDataEnabled. In 2021.3 and later, availability of Explain Data can be controlled in site settings and in a workbook using the Run Explain Data capability. The availability of Explain Data in viewing mode is controlled in a workbook in the Explain Data Settings dialog box.
‡ Prior to Tableau 2021.3, the Create/Refresh Metrics capability was controlled by the Download Full Data capability.
Data Sources
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Connect | ||||
Download Data Source | ||||
Overwrite | ||||
Delete | ||||
Set Permissions |
Data Roles
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Overwrite | ||||
Move | * | |||
Delete | ||||
Set Permissions |
Flows
To run flows on a schedule, you must have a Data Management license. For information about configuring flow settings, see Create and Interact with Flows on the Web. Explorer license users can run flows on Tableau Cloud.
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Download Flow | ||||
Web Edit | ||||
Run Flow | ||||
Overwrite | ||||
Move | * | |||
Delete | ||||
Set Permissions |
Ask Data Lenses
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Overwrite | ||||
Move | * | |||
Delete | ||||
Set Permissions |
Metrics
Retirement of the legacy metrics feature
Tableau's legacy metrics feature was retired in Tableau Cloud in February 2024 and in Tableau Server version 2024.2. In October 2023, Tableau retired the ability to embed legacy metrics in Tableau Cloud and in Tableau Server version 2023.3. With Tableau Pulse, we've developed an improved experience to track metrics and ask questions of your data. For more information, see Create Metrics with Tableau Pulse to learn about the new experience and Create and Troubleshoot Metrics (Retired) for the retired feature.
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Overwrite | ||||
Move | * | |||
Delete | ||||
Set Permissions |
Collections
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View |
Virtual Connections
Virtual connections require a Data Management license. See About Data Management for details.
Capability | Creator | Explorer (can publish) | Explorer | Viewer |
View | ||||
Connect | ** | ** | ** | |
Overwrite | ||||
Move | * | |||
Delete | ||||
Set Permissions |
* Although the Explorer role can be given the Move capability, they can’t have the Publish capability on a project and therefore there is no place for them to move content to. The Move capability should therefore be considered not possible for Explorer site roles.
** Although the Explorer (can publish) role can be given the Connect capability for Virtual Connections, the ability to create a new data source of any kind, including Virtual Connections, is only available for users with a Creator site role. Similarly, Explorer and Viewer role users can't access the UI to connect to new or existing data sources. The Connect capability should be considered not possible for any role but Creator.