As the publisher of a workbook/data source, you may set permissions as part of the publishing process. Permissions allow/deny other users access to published content on Tableau Server or Tableau Online. For instance, who can interact with views in a workbook, download a copy of a data source, and so on.
Note that permissions are different from access to the data source. Accessing some data types requires signing in with a database name and password or embedding database credentials into the connection.
When it is possible, it is best to use the default permission rules for the project to publish your content. If you are publishing a locked project, you will not be able to modify the permissions. However, if you publish content into a customizable project, your content should have unique permissions; you can also set permission rules during publishing.
Setting permissions during publishing:
When you have started the publishing process, the dialog box shows all the permissions that will be applied. By default, it follows the permission rules of the project you are publishing.
When you change the permissions in the publishing dialog box, you are setting unique permission rules for publishing content. This means that changes to the permission rules for the project will not affect your content. Depending on the environment, this might be as you intend, or it may conflict with the guidelines your administrator has set and may have unintended consequences.
How to set permissions during publishing?
- In the dialog box publishing, next to the summary that indicates the current settings, click on Edit.
- In the popup that appears, perform one of the following:
- To set the custom capabilities or assign a role explicitly, select an existing user or group, click on Edit, or click Add.
- In the Add/Edit Permissions dialog box, perform your changes.
- Click on Apply to save changes and keep the dialog box open to configure another user/group. Click OK to close the dialog box.
- For removing a permission rule, select the user or group, and then click on Remove.
Assign permission templates:
When you publish the content, you can assign any of the following templates to a selected user or group:
- View: It allows the user basic access to the content, such as filtering a workbook or connecting to a data source.
- Explore: It allows the user all capabilities from the View template and additional functionality like downloading a data source or web editing a workbook.
- Publish: It allows the user to overwrite the content and also give them ownership of the content.
- Administer: It allows the user to manage the content, such as deleting it and setting permissions.
Set Credentials for Accessing Your Published Data:
While you publish a workbook to Tableau Online/Tableau Server, you can publish the data source it connects to as part of a workbook or as a separate, standalone data source. If the data source you are publishing requires an authentication, you can customize how credentials are obtained.
The type of authentication in your data source is independent of how people sign-in to your Tableau Online/Tableau Server site. For instance, to give people direct access to the data in a workbook, you would embed the database user’s credentials into the data source’s connection. However, anyone viewing the workbook would still need to be able to sign-in to the site on Tableau Online/Tableau Server to open your workbook.
How to set the authentication type?
For many types of connections, you can embed a database user’s name and password or use single sign on (SSO).
The below steps describe how to set authentication as part of publishing a data source or workbook. You can also do this for each connection in the data source.
- In the dialog box Publish Workbook, go to the Data Sources area, which lists the workbook’s connections, and select Edit.
- After you have decided whether to publish the data source separately or as part of the Tableau workbook, select the authentication type for each connection in the data source in the Manage Data Sources popup. The available authentication types depends on the connection type, and they can include one or more of the following:
- Prompt user: Users need to enter their own database credentials to access the published data when the view or workbook loads.
- Embedded password: The credentials you have used to connect to the data will be saved with the connection and will be used by everyone who accesses the data source/workbook you publish.
- Server run as account: The single Kerberos service account is used to authenticate the user. In Windows, this is the account that Tableau Server runs as. In Linux, it can be any Kerberos account.
- Viewer credentials: The credentials of the viewer are passed through to the database using SSO.
- Impersonate with an embedded account or Impersonate with server Run As service account: Impersonation using the embedded credentials connects with embedded credentials and switches to the viewer’s identity. Impersonation using Run As service account is same to the above but connects with the Kerberos service account before switching to the identity of the viewer.
- Refresh not enabled or Allow refresh access: The following options only appear when you publish an extract of the cloud data such as from Salesforce, and database credentials are required to access the underlying data. It allows refresh access to embed the credentials in the connection so that you can set up refreshes of that extract in a regular schedule. Setting Refresh not enabled will prompt users when they open the workbook.
Workbook connections to Tableau data sources:
When you have published a workbook that connects to a Tableau Online/Tableau Server data source, rather than setting the credentials for accessing the underlying data, you can set whether the workbook can access the published data source or not. Regardless of the data type, the choice for server data sources is always Embedded password or Prompt users.
If you have selected to prompt users, a user who opens the workbook must have a View and Connect permissions available on the data source for seeing the data. If you have selected embed password, users can see the workbook’s information even if they do not have View or Connect permissions.