The combination of all your permissions determines your capabilities on Tableau Server. Your license is the maximum level of permission, and every user on Tableau Server requires one. As a user, you receive a single site role for each site that you belong to. This site role restricts what you can do with the content. Finally, content permissions are the lowest level of permissions. These permissions are applied at an individual user or group level to different object types (such as a project, workbook, view, or data source) on a site, but they are constrained by your license and site role. This means that when changes are made to your content permissions, it is possible that they might not impact any of your existing capabilities if your license or site role already restricts them.
Figure 1.4 provides a high-level overview of the three levels of permissions in a descending hierarchy:
Figure 1.4 – An overview of the License, Site Role, and Permissions hierarchy
All users on Tableau Server require a license. As a user, you will receive a single license. Your license type is at the top of your capability's hierarchy, as it determines the limits of your abilities across the server, which, in turn, determines the limits of your capabilities on every site within that server. Put simply, the license you are assigned represents the maximum number of site role capabilities you can have on that server. There are three license types: Creator, Explorer, and Viewer. In the next section, we will go over each of these licenses in detail.
For each site that you belong to as a user, you will have a single site role. Your site role is restricted by your license type. This just means that the license you receive will place constraints on your capabilities at a site level. You can't have any capabilities at a site level that exceed the abilities provided by your license. There are eight types of site roles: Server Administrator, Site Administrator Creator, Site Administrator Explorer, Creator, Explorer (can publish), Explorer, Viewer, and Unlicensed. We will go over each of these site roles, in detail, later in this chapter. Just remember that your site role will limit your capabilities at a site level.
You have permissions to the content (such as projects, workbooks, views, or data sources) on a site that is restricted by what your site role allows. The permission rules assigned to you as a user, or to a group that you are a part of, determine your capabilities in terms of what you can do with a piece of content.
Note
It is important to remember that licenses and site roles apply to users, whereas permissions apply to content.
We understand that this can be a little abstract and confusing to follow at first. Don't worry. We'll go over licenses, site roles, and permissions separately, and in greater detail, before we tie everything back together at the end of the chapter.
License types
In the previous section, we briefly touched on license types. As a reminder, licenses apply to users, not content. You will receive a single license on a server, regardless of how many sites exist on that server. The license you are assigned represents the maximum site role level a user can have on that server.
Figure 1.5 provides an example of the dynamics of each license type:
Figure 1.5 – An overview of the license types
Next, we'll review each of the three Tableau Server license types from the highest level of access to the lowest level of access:
Creator license: This is the highest license type available and is intended for people who make content. Making content includes everything from designing dashboards to developing data sources. As the name of the license suggests, individuals who receive this license will be responsible for the creation of most of the data sources and any other content utilized by your organization.
Explorer license: This license type is primarily intended for people who analyze content. Individuals who receive this license are able to access and examine content published to Tableau Server. Users with an Explorer license are likely to be accustomed to working with data and developing ad hoc reports to ask and answer questions.
As a user with an Explorer license, you can create, manage, and share your new workbooks and dashboards using data sources published to Tableau Server. Additionally, you can edit existing dashboards or make your visualizations via the Web Edit feature on Tableau Server using data sources created by other users for which you have been granted access. From a Tableau Server perspective, the only difference between an Explorer license and a Creator license is that with an Explorer license, you cannot create data sources.
Viewer license: This license type is primarily intended for individuals who want to view and interact with published content. Users with this license have the ability to interact and engage with dashboards and workbooks but not create them. In addition to this, users with a Viewer license can subscribe to dashboards to receive regular updates and set data-driven alerts.
Figure 1.6 provides a breakdown of the capabilities of each license type:
Figure 1.6 – Tableau license capabilities
Tip
Your license is at the top of the permissions hierarchy in Tableau Server, so make sure that the license you receive provides you with the permissions you will need. It's likely that your company has a limited number of Tableau licenses, so talk to your manager or Tableau Server Administrator if you believe that you should have a different one.
Site roles
Earlier in this chapter, we briefly discussed site roles. As a reminder, site roles apply to users, not content. You will have a single site role for each site to which you are a member, and your site role will be restricted based on the type of license you are assigned by your Server Administrator.
Let's review each of the eight Tableau Server site roles from the highest level of access to the lowest level of access:
- Server Administrator: This is the highest site role available and uses a Creator license. It allows complete access to Tableau Server, including access to all content. Server Administrators can add users and set their site roles. They have the ability to create projects and set permissions for all users. They also have full editing and saving rights to all workbooks. Additionally, they can create sites, add users to those sites, and assign Site Administrator site roles to users.
- Site Administrator Creator: This site role is assigned by a Server Administrator to a user with a Creator license to help delegate creating and managing the user and content framework of an individual site. These users can add server users to their site. Within their site, they can create groups, projects, assign permissions, schedule extract refreshes, and have full editing and saving rights to all workbooks on their site. Finally, this site role can also publish content to the server.
- Site Administrator Explorer: This site role is assigned by a Server Administrator to a user with an Explorer license to help delegate creating and managing the user and content framework of an individual site. These users can add server users to their site. Within their site, they can create groups, projects, assign permissions, schedule extract refreshes, and have full editing and saving rights to all workbooks on their site. Unlike the Site Administrator Creator site role, this site role cannot publish content to the server.
- Creator: This site role is assigned to users with a Creator license. The default permissions for these users can publish content to Tableau Server and edit, download, and save content on the server. These abilities represent the maximum level of access for Creators' permissions and can be changed by a Site Administrator.
- Explorer (can publish): Users with this site role possess, at the very least, an Explorer license. The default permissions for these users allow them to save changes made to content via the Web Edit feature; however, they cannot publish new data sources to Tableau Server from Web Edit. Again, these abilities can be restricted by a Site Administrator.
- Explorer: Users with this site role possess, at the very least, an Explorer license. This site role can open dashboards on Tableau Server using Web Edit. Users can analyze and explore the data by making edits and building new views; however, users cannot save these changes. Again, these abilities can be restricted by a Site Administrator.
- Viewer: Users with this site role possess, at the very least, a Viewer license. This site role allows users to view content in the format it was published. They can interact with dashboards, but they cannot access the Web Edit function.
- Unlicensed: Users with this site role cannot edit or view any content on Tableau Server. The purpose of the Unlicensed site role is largely for users who have left a company or changed departments. The user owns the content that they create and publish to a server. As a result, any content associated with a user will be removed when they are deleted from the server. This role type allows the accounts of ex-coworkers to still exist and for their content to continue to be accessed by other users.
In this section, you learned about site roles. We examined each available site role in detail. Next, we'll take a look at the different combinations of licenses and site roles that are available.
Take a look at the following link to view all license and site role combinations: https://help.tableau.com/current/server/en-us/users_site_roles.htm#tableau-site-roles-as-of-version-20181.
Figure 1.7 shows the capabilities of each license and site role combination:
Figure 1.7 – License and site role capabilities
Permissions
Permissions determine how users can interact with content (such as projects, workbooks, views, and data sources). The capability to filter, utilize Web Edits, delete, and download full data is granted to users or groups on a specific piece of content.
To make applying permissions rules quicker and easier, Tableau Server provides the ability to select several predefined permission templates. You can select permission templates for Administrator, Publish, Explore, and View. An example of the permissions provided by these predefined templates is shown in Figure 1.8:
Figure 1.8 – Predefined permissions templates
Permission rules determine the capabilities that you as a user or group member are allowed or denied access to on a piece of content. The predefined permissions templates have set permission rules. If you make and save any changes to a predefined permission template, it will change into a "Custom" role. In addition, you can create your own "Custom" roles from scratch. This is because there is always the option to manually assign specific capabilities to users or groups instead of using one of the predefined options. You can accomplish this by selecting each capability you want to grant or deny an individual or group on the Permission Rules page. In Chapter 7, What is in the More Actions (…) Menu, we dedicate an entire section to reviewing the fundamentals of permission settings.
Tip
Whenever it is possible, we recommend that you set permissions at the project level and use groups when assigning permissions. Managing permissions rules at a project level is much easier than at the content level. Additionally, setting permissions to all users within a group is much quicker and more efficient than assigning them per user. Also, when new users receive access to Tableau, you can easily add them to the group(s) that provide them with the proper access.
Finally, it's helpful to understand that individual permissions rank higher than groups in the hierarchy of permissions. This means that it is more important to have a capability granted or denied at an individual user level than at a group level. Finally, a user can be a member of many groups. If a user is a member of two or more groups being granted permissions on a piece of content and any of those groups are denied a capability, this user will be denied that capability.
In this section, you learned about permissions. We touched on predefined permissions, manually assigned permissions, and the dynamics of individual versus group permissions. Next, let's take a look at how licenses, site roles, and permissions tie together.
How licenses, site roles, and permissions tie together
To recap what we've discussed regarding licenses, site roles, and permissions, let's organize what we've learned in a hierarchy from the highest user capabilities to the lowest user capabilities:
- User license: Your license type is at the top of the hierarchy when determining your capabilities across the entire server.
- Site role: Your site role is below your license in the user capabilities hierarchy. You receive one site role per site. The site role that you receive will be restricted by your license type.
- Content owner/project leader: Owning a piece of content or project is next in the hierarchy below the license and role type. You become a Content Owner by publishing a piece of content to the server, having ownership transferred to you, or by being assigned a content owner role by a Server Administrator, Site Administrator, or Project Owner. As a content owner, you have full access to the content you publish to the server. If the Project Owner allows for content permissions to be customizable, then a content owner will have the ability to modify content permissions. A content owner becomes Project Leader the moment they publish an object to Tableau Server, but not every project leader is a content owner. This is because content published to the server can have many project leaders, but only one content owner.
- Content permissions locked or customizable: The content permissions setting can be set in two ways, either locked or customizable. To configure content permissions, you need to be logged into a site as an administrator, project owner, or project leader. Locked Content Permissions means that a content owner cannot modify the permission rules on their content. As a result, the content will reflect the permission rules of the project, and the content-level permissions cannot be modified. The project owner has control over the permissions for the project and all its underlying objects. Customizable Content Permissions means that a content owner can modify content permissions for users or groups.
- Individual permissions: These permissions are applied to a specific user, and they determine how that user can interact with the content (such as projects, workbooks, views, and data sources). Permissions assigned to an individual rank higher in the hierarchy of permissions than permissions assigned to a group.
- Group permissions: These permissions are applied to a group of users, and they determine how they can interact with the content (such as projects, workbooks, views, and data sources). A user can be a member of many groups. If a user is a member of two or more groups that are being granted permissions on a piece of content and any of those groups are denied a capability, it will result in that user being denied that capability.
Figure 1.9 visually presents the hierarchy of user object capabilities from the highest to the lowest, as we just discussed:
Figure 1.9 – Hierarchy of the user's object capability
In this section, you learned how licenses, site roles, and permissions interact with and impact one another on Tableau Server. We examined the different license types and site roles that are available and their possible combinations. Additionally, we examined permissions, their rules, predefined roles, and custom roles. Lastly, we looked at how all of these varying levels of permissions tie together.