Permission Capabilities and Templates

Permissions are made up of capabilities, or the ability to perform a given action on a piece of content, such as view, filter, download, or delete. Each row in the Permission Rules area of the dialog is a permission rule. Permission rules are the setting for each capability (allowed, denied, or unspecified) for the group or user in that row. Permission rules have templates available that make it easier to assign capabilities quickly. Permission rules can also be copied and pasted.

Note: In the permission dialog for projects, there are tabs for each content type (Projects, Workbooks, Data Sources, Ask Data Lenses, Metrics and—if you have the Data Management Add-on—Data Roles and Flows). When a permission rule is added, the default for all capabilities across all content types is Unspecified. To allow or deny capabilities for each content type, you must go to each tab in turn. In the permission dialog for a specific piece of content, there are no tabs and the permission rules only apply to that piece of content.

Templates

Templates group sets of capabilities that are often assigned together based on common user scenarios, View, Explore, Publish, and Administer. Assigning a template sets its included capabilities to Allowed, with the rest left as Unspecified. The templates are cumulative, so the Explore template includes everything from the View template plus additional capabilities. All content also has a template for None (which sets all capabilities to unspecified) and Denied (which sets all capabilities to denied).

Templates are meant to be a starting point and can be adjusted after they are applied. Capabilities can also be granted or denied without using a template at all. In both cases, the template column will then show Custom.

Copy and paste permissions

If there is a permission rule that needs to be assigned to multiple groups or users, you can copy and paste from one rule to another. You can’t copy from or paste onto a rule that involves Project Leader status.

  1. Open the action menu (...) for the existing rule you want to copy from and select Copy Permissions. This will only be available when the rule is not in edit mode.
  2. Select an existing rule you want to paste over. You can also create a new rule by clicking + Add Group/User Rule and selecting a group or user.
  3. Open the action menu (...) and select Paste Permissions.

Capabilities

Each content type has specific capabilities:

Projects

Projects have only two capabilities and two templates. Prior to 2020.1, Project Leader was treated as a permission capability rather than a setting. For more information about project leaders and how to assign them in 2020.1 and later, see Project administration.

View template

View allows a user to see the project. If a user hasn’t been granted the view capability, the project won’t be visible to them. Granting the view capability for a project does not mean a user can see any content in the project, just the existence of the project itself.

Publish template

Publish allows a user to publish content to the project from Tableau Desktop or Tableau Prep Builder. The publish capability is also required to move content into the project or save content to the project from web authoring. Prior to 2020.1, this capability was called Save.

Workbooks

View template

View allows a user to see the workbook or view. If a user hasn’t been granted the view capability, the workbook won’t be visible to them.

Filter allows a user to interact with filters in the view, including keep only and exclude filters. Users lacking this capability won’t see filter controls in the view.

View Comments allows a user to view the comments associated with the views in a workbook.

Add Comments allows a user to add comments to views in a workbook.

Download Image/PDF allows a user to download each view as a PNG, PDF, or PowerPoint.

Download Summary Data allows a user to view the aggregated data in a view, or in the marks they’ve selected, and download that data (as a CSV).

Run Explain Data allows a user to run Explain Data on marks in editing and viewing mode. Note that for Explain Data to be displayed as an option when a user selects a mark in a workbook, the feature must also be enabled as a site setting. To make Explain Data available in viewing mode, the feature must also be allowed by the author from within a workbook in Explain Data settings. For more information, see Control Access to Explain Data.

Explore template

Share Customized allows users to add their custom views to the list of “Other Views” visible on a workbook. When this capability is denied, users won’t see the “Make visible to others” option when they create a custom view. For more information, see Use Custom Views(Link opens in a new window). This capability doesn’t impact the ability to share a custom view with the share dialog or by copying the link.

Download Full Data allows a user to view the underlying data in a view, or in the marks they’ve selected, and download that data (as a CSV).

Web Edit allows a user to edit the view in a browser-based authoring environment.

Publish template

Download Workbook/Save a Copy allows a user to download a packaged workbook (as a TWBX). Allows a user to save (publish) a copy from the web edit interface as a new workbook. Prior to 2020.1, this capability was called Download Workbook/Save As.

Overwrite allows a user to overwrite (save) the content asset on the server. Prior to 2020.1, this capability was called Save.

  • When allowed, the user can re-publish a workbook, data source, or flow, or save a workbook or flow in web authoring, thereby becoming the owner and gaining access to all permissions. Subsequently, the original owner’s access to the workbook is determined by their permissions just like any other user.

Create/Refresh Metrics allows a user to create metrics on the views in a workbook and allows any metrics that a user creates from those views to refresh. For more information, see Create and Troubleshoot Metrics.

Administer template

Move allows a user to move workbooks between projects. For more information, see Move content.

Delete allows a user to delete the workbook.

Set Permissions allows a user to create permission rules for the workbook.

Views

In a workbook that is not in a locked project and does not show sheets as tabs for navigation, views (sheets, dashboards, stories) inherit the workbook permissions at publication, but any changes to permission rules must be made on individual views. View capabilities are the same as those for workbooks, except for Overwrite, Download Workbook/Save a Copy, and Move which are only available at the workbook level. We recommend showing navigational sheet tabs whenever possible so views continue to inherit their permissions from the workbook.

Data Sources

View template

View allows a user to see the data source on the server.

Connect allows a user to connect to a data source in Tableau Desktop, Tableau Prep Builder, Ask Data, or web editing.

  • If a workbook author embeds their credentials to a published data source in a published workbook, they are essentially embedding their Connect capability. Therefore, users can see the data in the workbook regardless of their own Connect capability for that data source. If the workbook author doesn’t embed their credentials to the published data source, the user needs their own Connect capability to the data source in order to consume the workbook. For more information, see Data access for published Tableau data sources.
  • A user must have the Connect capability for a data source in order to use Ask Data and to create Ask Data lenses. For more information, see Enable Ask Data for Sites and Data Sources.

Explore template

Download Data Source allows a user to download the data source from the server (as a TDSX)

  • Cube data sources, like those for Microsoft Analysis Services or Oracle Essbase connections, must be used locally. To download the published data source to Tableau Desktop, the user must have the Download capability. For more information, see Cube Data Sources.

Publish template

Overwrite allows a user to publish a data source to the server and overwrite the data source on the server. Prior to 2020.1, this capability was called Save.

Administer template

Delete allows a user to delete the data source

Set Permissions allows a user to create and edit permission rules for the data source

Ask Data Lenses

View template

View allows a user to see the lens.

Publish template

Overwrite allows a user to edit the lens.

  • By default, users with a site role of Explorer (can publish) and Creator have the Overwrite capability for lenses. This means that any user with the appropriate role can edit the name, description, fields, synonyms, and suggested questions for a lens.
  • To limit who can edit a lens, deny the Overwrite capability for specific users or entire groups. To limit all lenses in a project, deny the Overwrite capability for lenses at the project level and lock the content permissions for the project.

Administer template

Move allows a user to move the lens between projects.

Delete allows a user to delete the lens.

Set Permissions allows a user to create permission rules for the lens.

 

Other content types

  View template Explore template Publish template Administer template
Flows View allows a user to view the flow. Download flow allows a user to download the flow (as a TFLX).

Run allows a user to run the flow.

Overwrite* allows a user to publish a flow and overwrite the published flow.

Move allows a user to move content between projects. For more information, see Move content.

Delete allows a user to delete the content.

Set Permissions allows a user to create permission rules for the content.

 

Data Roles View allows a user to view data roles. n/a Overwrite* allows a user to publish data roles, overwrite published data roles, and edit a published data roles' synonyms.
Metrics View allows a user to view metrics. n/a Overwrite* allows a user to overwrite a metric and edit a metric's details.
Collections View allows a user to view collections. n/a n/a n/a

*Prior to 2020.1, the Overwrite capability was called Save.

Thanks for your feedback!