Authorization refers to how and what users can access on Tableau Server after authentication has been verified. Authorization includes:
- What users are allowed to do with content hosted on Tableau Server, including projects, sites, workbooks, and views.
- What users are allowed to do with the data sources that are managed by Tableau Server.
- What tasks users are allowed to perform to administer Tableau Server, such as configuring server settings, running command line tools, creating sites, and other tasks.
Authorization for these actions is managed by Tableau Server and determined by a combination of the user's site role and permissions associated with specific entities such as workbooks and data sources.
Site roles define who is an administrator. Administrators can be assigned at the site or server level. For non-admins, site roles indicate the maximum level of access a user can have on a given site, subject to permissions set on content assets. For example, if one user is assigned the Viewer site role, and another the
For more information about site roles, see Set Users’ Site Roles.
Permissions determine whether a given user is allowed or denied a specific action on a specific content asset.
As an administrator setting up Tableau Server, it’s important that you understand how permissions are evaluated. Understanding the Tableau permissions process will enable you to set up and configure permissions on sites, projects, and other assets so that you can control how content and data are shared, published, viewed, extracted, and imported.
Four important concepts to understand about permissions in Tableau are:
- Permissions are asset-based. Permissions are assigned to individual content assets (projects, data sources, workbooks) and are granted to users or groups.
- Permissions are implicitly denied, and non-admin users must explicitly be allowed to access content. The process by which Tableau Server determines the “allow” or “deny” permission is explained in detail in Permissions.
- Permissions inheritance exists only in locked projects and in workbooks with tabbed views. When content permissions are locked to the top-level project, workbooks, views, and data sources in the entire project hierarchy will use the default permissions set at the top-level project. In workbooks saved with the option Show sheets as tabs, views inside those workbooks use the workbook permissions. For more information, see Permissions.
- In a project that is not locked, initial permissions are a one-time copy of the container item's permissions. A data source or workbook starts with the default permissions, but authorized users can subsequently edit permissions on those assets. For more information on default permissions and projects, see Permissions.
Tableau Server provides a flexible permissions infrastructure that allows you to manage access to all content for countless scenarios. For more detailed information, see Permissions.
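The four concepts above, sketched as a small Python model. This is an added example, not Tableau Server code or its API: the class names, grantee names and capability strings are constructed, and a locked project is modelled simply by ignoring per-asset rules.

```python
from dataclasses import dataclass, field

# Simplified model of the permission concepts above. Not Tableau Server code.
# A rule maps (grantee, capability) -> "Allow" or "Deny"; all names are constructed.

@dataclass
class Project:
    name: str
    locked: bool
    defaults: dict = field(default_factory=dict)

@dataclass
class Asset:
    name: str
    project: Project
    rules: dict = field(default_factory=dict)

def publish(name, project):
    """Unlocked behaviour: the asset starts with a one-time copy of the defaults."""
    return Asset(name, project, dict(project.defaults))

def governing_rules(asset):
    """Locked project: project defaults govern. Otherwise the asset's own rules."""
    return asset.project.defaults if asset.project.locked else asset.rules

def is_allowed(asset, grantee, capability, is_admin=False):
    """Implicit deny: a non-admin needs an explicit "Allow" rule."""
    if is_admin:
        return True
    return governing_rules(asset).get((grantee, capability)) == "Allow"

def drift(asset):
    """Audit helper: rules where an unlocked asset no longer matches its project."""
    if asset.project.locked:
        return {}
    d, r = asset.project.defaults, asset.rules
    return {k: (d.get(k), r.get(k)) for k in set(d) | set(r) if d.get(k) != r.get(k)}

if __name__ == "__main__":
    sales = Project("Sales", locked=False, defaults={("Analysts", "View"): "Allow"})
    wb = publish("Pipeline", sales)
    wb.rules[("Contractors", "View")] = "Allow"   # later edit on the asset
    del sales.defaults[("Analysts", "View")]      # project default tightened later
    print(drift(wb))                              # both rules have drifted
    sales.locked = True
    print(is_allowed(wb, "Contractors", "View"))  # False once the project is locked
```

A non-empty `drift` result on an unlocked project marks content whose access no longer follows the project defaults and should be reviewed.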
Data access and external authorization
There are scenarios where Tableau Server and Desktop rely on external authorization to enable access to data. For example:
- Users connecting to external data sources might require authorization that is outside the scope of Tableau Server’s authority. If users publish an external data source, Tableau Server will manage access and capabilities of that data source. But if users embed an external data source in a workbook, it’s up to the user who publishes the workbook to determine how other users who open the workbook will authenticate with the underlying data that the workbook connects to.
- Running Tableau Server in an organization with Active Directory, where Tableau has been configured with a Run As user account, results in a dependency on Active Directory and NTFS for authorization. For example, if you configure Tableau Server to use the Run As account to impersonate users connecting to SQL, then object-level authorization is reliant on NTFS and Active Directory.
- How users authenticate and are authorized by specific database solutions can differ. As noted, Tableau Server can be configured to provide access authorization when a data source is configured, but some databases will authorize access according to their own authentication scheme.