Tableau Server Permissions Best Practice

//

Tableau Server permissions offer a lot of flexibility.

Permissions can be assigned all the way down to the dashboard (view)  level.

However, in medium to large Tableau environments ongoing maintenance should be a key consideration.

Use Top-Down Permissions to simplify Tableau permissions maintenance

Tableau Server permissions work at many levels – i.e. view => workbook => project.

However, if you assign permissions at the workbook or view level, the maintenance becomes increasingly complicated.

Therefore the most efficient way to assign permissions is from the top down: project => workbook => view. I’ll explain the reasons later in the article.

How to assign permissions to an object

To add permissions to an object simply select it and click Permissions.

You can select your groups/users and assign their permissions. This is where it can start to get painful should you have many to add. Each group/user needs to be added individually.

Another thing to note is, generally by default, that permissions don’t automatically apply to objects within the project.

For example, when adding permissions to a Project, the workbooks don’t automatically inherit the same permissions.

There is a Project setting to have the project “Locked” or “Managed By Owner” / “Customisable”.

Locking the project means the objects within that project automatically inherit the same permissions as the project. “Customisable” / “Managed By Owner” means permissions need manually setting on each object.

Manage permissions by Project and Lock the projects

It is far more efficient to manage Tableau Server permissions at the Project level and using Tableau Server Groups.

Locking the Project so all objects inherit the permissions is far more maintainable.

There will be far fewer projects than workbooks to manage, and this can be managed centrally by a site administrator.

Using Tableau Groups for permissions means bulk-managing the permissions of many users who share a role. Far more efficient than managing on an individual basis.

This is especially the case within large organisations, with many people moving jobs / changing role.

Synchronise with Active Directory Groups

Synchronising Tableau Groups with Active Directory groups is even more efficient when relevant AD groups exist.

Particularly in large global organisations, for a Tableau Site administrator to know the names and roles of all users is impossible.

Therefore accurately maintaining permissions is a significant challenge. Valid AD groups can assist this ongoing maintenance.

Trying to manage at the workbook / view level would become almost impossible once there are more than 100 users on the Tableau Site.

Therefore better to start correctly and set up an appropriate Project structure to allow a much larger scaling out of your Tableau operations.

Leave a Comment