Saturday, November 16, 2013

Resolving Tableau Server Permissions

Do you find puzzling out Tableau Server permissions confusing and mysterious? You're not alone.

I put this post together to help me figure out the process of how Tableau Server determines a User's permissions for a particular Workbook, Dashboard, or Worksheet. To my mind, the Tableau documentation is a bit twisty and hard to trace. It also doesn't surface the critical part that it's not always the view's permissions that are used, but those of the view's Workbook.

It's a work in progress. I plan on improving it as I work through the factors, interactions, dependencies, etc.

Factors affecting Permissions

License Level
see reference: Tableau Server Admin guide online

Unlicensed
users cannot connect per the TS doc
? should it therefore be impossible to assign permissions to an unlicensed user?
Viewers
cannot be assigned permissions other than 'View', 'Add Comments', and 'View comments'
Interactors
can be assigned any permissions
Guests
'users without an account on the server see and interact with an embedded view. When enabled, the user can load a webpage containing an embedded visualization without logging in. This option is only available with a core-based server.'
from the TS Admin Guide | About Enable Guest & Enable Automatic Login: "Enable Guest is a setting on the Maintenance page that can be selected if you have a core-based server license... users click a link and they go directly to the view with no login... no authentication is performed. The Tableau Server Guest User account is used to access the server, but as long as Enable Guest is selected, anyone can use it. Administrators often limit the capabilities of the Guest User account. For example, they might edit the permissions of certain views so that Guest User is denied access."

User Rights
see reference: Tableau Server Admin guide online

There are two distinct but inter-related 'things' Tableau lumps together as User Rights.

Publish
if designated as a Publisher, the user can: "connect to Tableau Server from Tableau Desktop in order to publish and download workbooks and data sources."

There are two configuration options for Publish:

Allow
provides the User the ability noted above, although the online doc doesn't explicitly enumerate this.
NOTE: as of TSv8.1b7 it's possible to assign "Allow" for an unlicensed Site user.
AND: this unlicensed user with Publish rights CAN successfully publish to Tableau Server.
Deny
similarly, although not explicitly in the doc, presumably when Publish is denied the User cannot publish or download Workbooks and Data Sources.
? If Publish is set to 'Deny', can the User be assigned any of the download permissions on individual objects, and if so, what would be the result?

Admin
Prerequisites: in order for a user to be an admin, s/he must be an Interactor with Publish granted.

Site Admin
"Can manage groups, projects, workbooks, and data connections. By default, site administrators can also add users and assign user rights and license levels but a system administrator can disable that (see Editing Sites)"
Server Admin
"all the rights of a site administrator, plus they can license unlicensed users, control whether site administrators can add users, create additional system administrators, and they can administer the server itself. This includes handling maintenance, settings, schedules, and the search index"
None
the user is not an admin.

There is an interesting asymmetry in the mechanisms of assigning User Rights. In my testing with Tableau Server v8.1 beta 7, when I add a new User and try to make it an Interactor, the Interactor license level isn't granted because the number of licensed users has been reached:

when the "Publish" User Right is checked and that user subsequently becomes licensed as an Interactor, the Publishing right is preserved;

however, when "Site Administrator" is checked, subsequently licensing the user as an Interactor doesn't preserve "Site Administrator" in the same manner as "Publish".

User Identity
see references in the Tableau Server Admin Guide (online):
Set Permissions for a Project
Set Permissions for Workbooks and Views
Set Permissions for a Data Source

Things get really complicated with the introduction of User Identity. There are three distinct facets to a User's identity vis-a-vis Permissions:

The Individual
The User, identified by their User id. Permissions are always resolved to the User; how they get resolved is the question.
Roles
are bundles of permissions that can be associated with Users and Groups for specific Tableau Server assets (which begs the question: what's a Tableau Server asset?)
Groups
Users can have membership in zero, one, or more Groups. Asset Permissions may be individually associated to Groups, or Roles may associate bundles of Permissions.

One of the big complicating factors in determining whether a given permission is granted or denied to a particular User for a particular Tableau Server asset is that the structural relationships between Users, Roles, and Groups differ from their permission-resolution relationships.

Users may belong to one or more Groups at the Site level.

Users and Groups may be associated with zero or one Role for a particular asset.

When Tableau Server determines individual Permissions' status for a user for a particular asset it assesses, in order, the Permissions' status for:
— the User;
— any Role the User is associated with for that asset;
— the permission status for that asset for any Groups to which the User belongs.

How Permissions Are Set – The Tableau Server Admin Guide Flowchart
redrawn for consistent Yes/No sequence and highlighting of Roles and Groups influence.

[Figure: flowchart, in two parts]

When resolving the permissions in place for a Dashboard or Worksheet (view), the object used to evaluate the permissions is either the view or the Workbook the view is contained in. If the Workbook was published to show sheets as tabs, the Workbook's permissions are used. If the Workbook was not published to show sheets as tabs, the view's permissions are used.

Decision: Was the Workbook published showing sheets as tabs? Yes: use the Workbook the view is in. No: use the View.

Once the source of Permissions (Workbook or View) has been determined, this process resolves whether or not the User is granted the permission:

Decision nodes, in order: User Denied? (Yes: Denied); User in Role Allowed?; User in Group Denied? (Yes: Denied); User in Group Allowed?; final outcome: Denied.

Note: this chart does not represent the situation where a User has been explicitly granted the "Allow" permission.

Source: http://onlinehelp.tableausoftware.com/v8.0/server/en-us/help.htm#license_permissions_backgrnd.htm

The permissions chart above is in SVG and was created using Inkscape.
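
The two-step resolution described above (choose the Workbook or the view as the source of permissions, then check User, Role and Group in order), as an added example that is not part of the original post and is not Tableau's code. The Acl model, the names and the sample data are assumptions, as is treating a Yes on an "Allowed?" node as a grant; like the chart, it does not model an explicit user-level Allow.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """Entries for ONE capability (e.g. View) on ONE object. Hypothetical model."""
    user_denied: set = field(default_factory=set)    # users explicitly denied
    role_allowed: set = field(default_factory=set)   # users whose Role here allows it
    group_denied: set = field(default_factory=set)   # groups denied
    group_allowed: set = field(default_factory=set)  # groups allowed

def permission_source(workbook_acl, view_acl, shows_tabs):
    """Step 1: a Workbook published with sheets as tabs replaces the view's ACL."""
    return ("Workbook", workbook_acl) if shows_tabs else ("View", view_acl)

def resolve(acl, user, groups):
    """Step 2: walk the chart's decision nodes in order; the first match wins."""
    groups = set(groups)
    if user in acl.user_denied:
        return "Denied", "User Denied"
    if user in acl.role_allowed:          # assumption: Yes on an 'Allowed?' node grants
        return "Allowed", "Role Allowed"
    if groups & acl.group_denied:
        return "Denied", "Group Denied"
    if groups & acl.group_allowed:
        return "Allowed", "Group Allowed"
    return "Denied", "no matching entry"  # the chart's final outcome

def effective(workbook_acl, view_acl, shows_tabs, user, groups):
    """Return (source object, decision, deciding node) for one user."""
    source, acl = permission_source(workbook_acl, view_acl, shows_tabs)
    decision, reason = resolve(acl, user, groups)
    return source, decision, reason

# Constructed sample: the view denies user "pat"; the Workbook only allows a group.
WORKBOOK = Acl(group_allowed={"Analysts"})
VIEW = Acl(user_denied={"pat"}, group_allowed={"Analysts"})

def audit(user, groups):
    """Compare both publishing modes to expose view-level entries that go unused."""
    return {tabs: effective(WORKBOOK, VIEW, tabs, user, groups) for tabs in (False, True)}

if __name__ == "__main__":
    for tabs, result in audit("pat", ["Analysts"]).items():
        print(f"sheets as tabs={tabs}: {result}")
```

In the sample, the Deny placed on the view is never consulted once the Workbook is published with sheets as tabs, which is the case worth checking for when reviewing who can see a view.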
