Thursday, September 4, 2014

A Better Tableau Server Permissions Resolution Explanation

How Tableau Server Resolves Permissions At Runtime

Permissions

Permissions are associated with Projects, Workbooks, Dashboards, Worksheets, and Data Sources.

Which Permissions are evaluated when assessing User capabilities?

Whenever a User accesses Tableau Server that User's Permissions are evaluated by Tableau Server to determine which objects the User can see, and what s/he can do with them. Tableau Server does this by evaluating the Permissions configured for the different objects vis-a-vis the User, either associated directly to the User or to Group(s) the User is a member of.

This seems like a straightforward situation - the object's Permissions should be used, but it's not that simple. For Projects, Workbooks, and Data Sources, their configured Permissions are used. But for Dashboards and Worksheets, it depends... This is not clear in Tableau's documentation:

When resolving the permissions in place for a Dashboard or Worksheet (both are 'views'), the object used to evaluate the permissions is either the view or the Workbook the view is contained in. So, when evaluating the Permissions for a View this is the first step:

Was the Workbook published showing sheets as tabs?
    Yes: use the Permissions of the Workbook the view is in
    No: use the View's Permissions

Not recognizing this situation is a common source of frustration when trying to puzzle out why a User's access and abilities to a Dashboard (or worksheet) aren't what they're expected to be.

Once the source of Permissions has been determined, this process resolves whether or not the User is granted the Permission:

If the Permission is configured for the User
    then Deny or Allow as configured
    (If a Permission is set directly for a User, it doesn't matter if the Permission is also set for any Group that the User is a member of.)
else if the User is in a Group for which the Permission is Deny
    then Deny
    (The evaluation here is across ALL the Groups of which the User is a member; if the Permission is Deny for any of them the User's Permission is Deny. Only if none of the User's Groups' Permissions is 'Deny' is the check for 'Allow' made.)
else if the User is in a Group for which the Permission is Allow
    then Allow
else
    Deny "Not granted by any permission for..."
    (The Permission has not been configured, so it's Denied and is shown by Tableau Server with this message.)

Also see: http://onlinehelp.tableausoftware.com/current/server/en-us/help.htm#license_permissions_backgrnd.htm

What happened to?

Roles

Roles are prominent in Tableau Server and Tableau's documentation, but as implemented and presented by Tableau Server they are more of a hindrance to understanding how Permissions work than they're worth. There are too many problems to document here. Look for an in-depth critique at Tableau Friction. If the ability to create and manage true custom Roles existed they could be useful.

Inherited

"Inherited" is an unfortunate name. "Not configured here" is better. As shown above, if a Permission is not specifically configured as "Allow" or "Deny", it defaults to "Deny" and there's no need to consider "Inherited". Semantically, "Inherited" is a problem because it indicates a positive situation where one does not necessarily exist, leading to a cognitive conflict in the person trying to interpret the actual Permission state.

Copyright (c) 2009, 2014 Chris Gerrard
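The two-step resolution described above, as an added Python sketch (not code from the original post or from Tableau Server). The Securable class, the function names, and the sample users, groups and "View" permission are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Securable:
    """A Workbook or View with its explicitly configured rules (hypothetical model)."""
    name: str
    user_rules: dict = field(default_factory=dict)   # {(user, permission): ALLOW | DENY}
    group_rules: dict = field(default_factory=dict)  # {(group, permission): ALLOW | DENY}


def permission_source(view, workbook, shows_tabs):
    """Step 1: a view published with sheets as tabs is judged by its Workbook's rules."""
    return workbook if shows_tabs else view


def resolve(obj, user, groups, permission):
    """Step 2: return (decision, reason) in the order the post describes."""
    direct = obj.user_rules.get((user, permission))
    if direct is not None:
        # A rule set directly for the User wins over anything set for Groups.
        return direct, "set directly for the User"
    group_values = [obj.group_rules.get((g, permission)) for g in groups]
    if DENY in group_values:
        # Deny in ANY of the User's Groups beats Allow in the others.
        return DENY, "Deny in at least one Group"
    if ALLOW in group_values:
        return ALLOW, "Allow in a Group and no Group Deny"
    # Nothing configured ("Inherited" everywhere) resolves to Deny.
    return DENY, "not configured"


def effective(view, workbook, shows_tabs, user, groups, permission):
    """Run both steps for one User and one Permission."""
    source = permission_source(view, workbook, shows_tabs)
    return resolve(source, user, groups, permission)


# Constructed sample data: rules differ between the Workbook and the View.
workbook = Securable("Sales", group_rules={("Analysts", "View"): ALLOW,
                                           ("Contractors", "View"): DENY})
dashboard = Securable("Sales/Overview", user_rules={("pat", "View"): ALLOW})

if __name__ == "__main__":
    for tabs in (False, True):
        print("tabs" if tabs else "no tabs",
              effective(dashboard, workbook, tabs, "pat",
                        ["Analysts", "Contractors"], "View"))
```

With this sample data the same User is allowed or denied on the same Dashboard depending only on whether the Workbook was published with tabs, which is the situation worth checking first when access is not what was expected.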

Download as PDF here.
