A user’s assigned permissions are a combination of their effective permissions.
Can someone explain this to me please? Also, what if the example below was just all combining "share permissions", what would happen? And what if the example below combined just the "NTFS" permissions, what happens then?
18. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions.

Answer(s): c. Change

Explanation: Permissions determine how users can interact with content such as workbooks and data sources. Permissions are set in the permission dialog or via the REST API. At the top of the dialog, permission rules configure capabilities for groups or users. Below, the permissions grid displays the effective permissions for users.
There are several interrelated topics that discuss how to think about, set, and manage permissions. The main topics are:
Additionally, if Data Management is licensed, permissions for external assets have additional considerations. For more information, see Manage Permissions for External Assets.

Permissions fundamentals

Projects and groups

Tableau sites use projects to organize content and groups to organize users. Managing permissions is easier when permission rules are:
Permissions can only be established for users, groups, projects, or assets that already exist. For more information about creating users and groups, creating projects, and publishing content, see Manage Users and Groups, Use Projects to Manage Content Access, and Publish Data Sources and Workbooks.

Capabilities and permission rules

Permissions are made up of capabilities—the ability to perform actions like view content, web edit, download data sources, or delete content. Permission rules establish what capabilities are allowed or denied for a user or group on an asset. For more information about capabilities and permission rule templates, see Permission Capabilities and Templates.

Note: When talking about permissions in general, it’s common to see a phrase like "a user must have the delete permission." This is easy to understand in a broad context. However, when working with permissions at a technical level like in this article, it’s more accurate to say "the delete capability." In this topic we’ll use the more precise term capability, but you should be aware that you might see permission in other places.
For a breakdown of the capability icons and their meanings, see Permission Capabilities and Templates.

The interplay between license level, site role, and potentially multiple permission rules factors into the final determination of what a user can or can’t do. For each user this becomes their effective permissions. For more information, see Effective permissions.

Some tasks such as creating new workbooks from a browser (web authoring) or moving content might require specific configurations of several capabilities rather than being captured in a single capability. For more information, see Permission settings for specific scenarios.

Permission rules are set differently at the project level, at the content level, or when publishing content from Tableau Desktop.

Note: The phrase "project permissions" can have two meanings. There are the permission capabilities for a project itself—View and Publish—that control how a user can interact with a project. There is also the concept of project-level permission rules for other content types. In this article “project-level permissions” means permission rules for workbooks, data sources, and the other assets that are configured in the permission dialog for a project. This is in contrast to “content-level” permission rules that can be set on a specific workbook, data source, etc.

For administrators, project owners, and project leaders

To set permissions at the project level:
One click sets the capability to Allowed, two clicks sets it to Denied, and a third click clears the selection (Unspecified).

Set project permissions for all content types

Remember that the permissions dialog for a project contains tabs for each type of content. You must set permissions for each type of content at the project level or users will be denied access to that content type. A capability is only granted to a user if they’re expressly allowed it. Leaving a capability as Unspecified will result in it being denied.

Tip: Every time you create a permission rule at the project level, make sure you look through all the content type tabs.

Configure the asset permissions setting

Permission rules set at the project level act as a default for content saved in that project and any nested projects it contains. Whether those project-level default rules are kept uniform or are able to be edited depends on the Asset permissions setting. This setting can be configured in two ways, either Locked or Customizable. For more information, see Lock asset permissions.

For administrators, project leaders, and content owners

If project Asset permissions are Customizable, permissions for individual assets can be modified. The information below isn’t relevant to assets in locked projects. For more information, see Lock asset permissions.

Tip: While it is possible to set permissions on individual assets in Customizable projects, we recommend managing permissions at the project level.

Set permissions on assets
One click sets the capability to Allowed, two clicks sets it to Denied, and a third click clears the selection (Unspecified).

Set permissions on a view

Tip: While it’s possible to set view-level permissions within a workbook, we strongly recommend managing permissions at the project (or, if necessary, workbook) level.

If a workbook is published with Show Sheets as Tabs checked, the views in that workbook will inherit all permissions set for the workbook. The permission dialog for a view will be read-only.

In some situations, it may be valuable to specify permissions on a view independently from the workbook that contains it. If the workbook is published with Show Sheets as Tabs unchecked (sheet tabs hidden), the views will start with the workbook permissions but will be independent thereafter and can be set independently. Note that this means if the permission rules are modified for the workbook, those changes won’t be applied to the views—each view’s permissions will need to be managed individually. See Show or Hide Sheet Tabs for more information.

For content publishers

If project Asset permissions are Customizable, permissions for individual assets can be set when publishing from Tableau Desktop. The information below isn’t relevant for content in locked projects. For more information, see Lock asset permissions.

Tip: While it’s possible to set permissions on individual assets in Customizable projects, we recommend managing permissions at the project level.
Note: Permissions can’t be set while publishing flows from Tableau Prep Builder. To set permissions on a flow, refer to the steps for Project-level permissions or Content-level permissions.

Clean up the All Users group

By default, all users are added to an "All Users" group that has basic permissions for content. To start with a clean slate when building your own permission rules, we recommend that you delete the rule entirely or edit the rule for All Users to remove any permissions (set the permission role template to None). This helps prevent any ambiguity down the road by reducing the number of rules that applies to any given user and therefore making effective permissions easier to understand.

Permission settings for specific scenarios

Certain actions require combinations of permission capabilities and possibly site roles. The following are some common scenarios and their necessary permission configurations.

Saving, publishing, and overwriting

In the context of permissions, saving is essentially publishing. As such, the Overwrite and Save a Copy capabilities can only be given to users with a site role that allows publishing: Administrator, Creator, or Explorer (can publish). Explorer or Viewer site roles can’t publish, overwrite, or save a copy.
It’s important to note that users aren’t able to Save or Save As a piece of content unless they have the Publish capability for at least one project, because all content must be published into a project. Without the Publish capability at the project level, the content can’t be published.

In web editing, the Save option in the File menu only appears to the content owner. If a user who isn’t the owner has the Overwrite capability (allowing them to save the content), they must use File > Save As and name the workbook the exact same name. This prompts a warning that they’re about to overwrite the existing content, which they can do. Conversely, a user with only the Save a Copy capability trying to use the same name gets an error stating they don’t have permission to overwrite the existing content.

If a user who isn’t the content owner overwrites content, they become the owner, with all the permissions that entails. The original owner’s access to the content is then determined by their permissions as a user rather than the owner.

Note: Download Workbook/Save a Copy is a joint capability for workbooks. Explorers can be given this capability but they’re only able to download the workbook, not save a copy. Giving the capability to Explorer (can publish), Creator, or Administrator site roles gives them both the ability to download workbooks and save a copy.

Web editing and web authoring allow users to edit or create workbooks directly in the browser. The permission capability is called Web Edit and the site setting is called Web Authoring. This section refers to any web-based editing or publishing action as web authoring. To enable this functionality, there are several requirements.
Required Permission Capability Settings
Optional indicates this capability isn’t involved in the desired functionality.

Data access for published Tableau data sources

Data sources published to a Tableau site can have native authentication as well as permissions within the Tableau environment.

When the data source is published to the Tableau site, the publisher can choose how to Set Credentials for Accessing Your Published Data, which addresses how data source credentials are handled (such as requiring users to log into a database or enter their credentials for Google Sheets). This authentication is controlled by whatever technology holds the data. This can be embedded when the data source is published, or the data source publisher can choose to prompt the user for their credentials to the data source. For more information, see Publish a Data Source.

There are also data source capabilities that allow or deny users the ability to see (View) and connect to the published data source (Connect) in the context of Tableau. These capabilities are set like any other permissions in Tableau.

When a workbook is published that uses a published data source, the author can control how the Tableau authentication behaves for someone consuming the workbook. The author sets the workbook’s access to the published data source, either as Embed password (using the author’s Connect access to the data source) or Prompt users (using the Connect access of the person viewing the workbook), which may require data source authentication as well.
Note that this applies to consuming a workbook, not web editing. To web edit, the user must have their own Connect capability.

For information on embedding passwords when you publish Tableau content such as a data source or workbook that uses a virtual connection, see Virtual connections in the Tableau Server help.

Move content

To move an item, open its Action menu (...) and click Move. Select the new project for the item, then click Move Assets. If Move is unavailable or there are no available destination projects, verify the appropriate conditions are met:
When moving a database with its tables, the user must have the Move capability for both the database and its tables.

For information about how permissions are handled when moving content and projects, see Move projects and content.

Metrics

Metrics are created from views in published workbooks. Users can create metrics if they:
For more information, see Create and Troubleshoot Metrics and Set Up for Metrics.

Note: Prior to 2021.3, the ability to create a metric on a view was controlled by the Download Full Data capability.

Because metrics are independent assets, it’s important to note that the permissions for metrics are managed independently from the view they were created from. (This is unlike data-driven alerts and subscriptions, where the content of the alert or subscription can only be seen if the user has the correct permissions for the view itself.)

Although the capabilities for metrics are straightforward, the View capability should be considered carefully. It may be possible for a workbook with restricted permissions to be the basis for a metric with more open permissions. To protect sensitive data, you might want to deny metric creation for specific workbooks.

Metrics display data from their owner’s perspective

When you create a metric, you capture your perspective of the data from that view. This means that any users who can access your metric will see the data as it appears to you. If the data in the view is filtered based on your credentials, the data you see might be different from what other users see when they access the same view. Limit the View capability for your metric if you're concerned about exposing your perspective of the data.

Show or Hide Sheet Tabs

In the context of published content, sheet tabs (also referred to as tabbed views) is a distinct concept from sheet tabs in Tableau Desktop. Showing and hiding sheet tabs in Tableau Desktop refers to hiding sheets in the authoring environment. For more information, see Manage Sheets in Dashboards and Stories.

Showing and hiding sheet tabs (turning tabbed views on or off) for published content refers to navigation in a published workbook. When sheet tabs are shown, published content has navigational sheet tabs along the top of each view.
This setting also impacts how permissions function and may have security implications (see note).

Note: It’s possible to have the View capability for a view without the View capability for the workbook or project that contain it. Normally if a user lacks the View capability for a project and workbook, they wouldn’t know those assets exist. If they have the View capability for a view, however, a user may be able to see the project and workbook name when looking at the view, such as in the navigational breadcrumb. This is expected and accepted behavior.

Turn off tabbed views to allow independent view permissions

Although it isn’t recommended as a general practice, there are times when it can be useful to set permissions on views independently of the workbook that contains them. To do so, three conditions must be met:
When a workbook shows sheets as tabs, all views inherit the workbook permissions and any changes to the workbook permissions affect all of its views. When a workbook in a customizable project doesn’t show tabbed views, all views assume the workbook permissions upon publication, but any subsequent changes to the workbook’s permission rules won’t be inherited by the views.

Changing the configuration of sheets as tabs on a published workbook will also impact the permission model. Show Tabs overrides any existing view-level permissions and reinstates the workbook-level permissions for all views. Hide Tabs breaks the relationship between the workbook and its views.
Important: In a customizable project, any modifications to the workbook-level permissions won’t be applied if navigational sheet tabs are hidden (aka tabbed views are off). Changes to permissions must be made on individual views.

Collections

Unlike projects, which contain content, a collection can be thought of as a list of links to content. Project permissions can be inherited by the content in the project, but permissions for a collection have no effect on the content added to the collection. This means that different users might see different numbers of items in a collection, depending on which items they have permission to view. To make sure that users can see all items in a collection, adjust the permissions for those items individually.

Permissions for a collection can be changed either by using the permissions dialog or by granting access upon sharing a collection, if you’re an administrator or the collection owner. For more information, see Manage Collection Permissions.

Private collections

When a collection is created, it’s private by default. A private collection appears on the owner’s My Collections page, but it doesn't appear in the list of all collections on a site. Private collections are simply collections with no permission rules added. Unlike other types of content, collections don't have the “All Users” group added by default. When you add permission rules to a collection, it’s no longer flagged as private. To return a collection to a private state, remove the permission rules.

Private collections can be viewed by the collection owner as well as by administrators, whose site role gives them effective permissions to view all collections.

Explain Data

When Explain Data is available, a user can select a mark in a view and click Run Explain Data in the mark’s Tooltip menu. A combination of settings must be enabled to make Explain Data available in editing mode and viewing mode.
Requirements for authors to run Explain Data or edit Explain Data settings in editing mode:
Note: The Download Full Data capability for a Creator or Explorer (can publish) controls whether they see the View Full Data option in Extreme Values explanations. Viewers are always denied the Download Full Data capability. However, all users can see record-level details when the Extreme Values explanation type is enabled in Explain Data settings.

Requirements for all users to run Explain Data in viewing mode:
Ask Data Lenses

By default, users with a site role of Explorer (can publish) and Creator have the Overwrite capability for lenses. This means that any user with the appropriate role can edit the name, description, fields, synonyms, and suggested questions for a lens. To limit who can edit a lens, deny the Overwrite capability for specific users or entire groups. To limit all lenses in a project, deny the Overwrite capability for lenses at the project level.

What are the user's effective permissions?

What is an Effective Permission anyways? AWS defines effective permissions as “the permissions that are granted by all the policies that affect the user or role.” Simply put, it is the true picture of what your identity can do and what it can access.
How are effective permissions determined?

If the user is a member of more than one group, effective permissions are calculated by taking all the groups' membership into account and then approximating them. Effective permissions for groups do not involve group membership. It shows only the explicitly assigned permissions in the ACL.
What are effective permissions on NTFS files and folders?

What is NTFS Effective Permissions? NTFS effective permissions are the resultant permissions of a file or folder for a user or group. It is the combination of explicit and inherited permissions on an object. In other words, it's the permissions a user or group has to a file or folder.
Where can you check the effective permissions for a user to a share?

Right-click the file or folder, click Properties, and then click the Security tab. Click Advanced, click the Effective Permissions tab, and then click Select. In Enter the object name to select (examples), enter the name of a user or group, and then click OK.
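
The quiz scenario near the top of this page (share permission Change for Everyone, NTFS Full Control for John, NTFS Read for Sales), worked through as an added example that is not part of the original page. It assumes a simplified model: each level is a set of abstract rights rather than real Windows access masks, every deny overrides allows, and the explicit/inherited distinction is ignored; the names `LEVELS`, `layer_effective`, `network_effective` and `name_of` are hypothetical.

```python
# Simplified model (an assumption of this example): each permission level is a
# set of abstract rights, not the real Windows access-mask bits.
R, W, D, P = "read", "write", "delete", "change_permissions"
LEVELS = {
    "Read": frozenset({R}),
    "Change": frozenset({R, W, D}),          # share-level name
    "Modify": frozenset({R, W, D}),          # NTFS name for the same rights here
    "Full Control": frozenset({R, W, D, P}),
}

def layer_effective(aces, principals):
    """Cumulative permission within ONE layer (share or NTFS).

    aces: list of (principal, "allow" | "deny", level) entries.
    principals: the user plus every group the user belongs to.
    Allows are unioned across matching entries; any deny removes its rights.
    """
    allowed, denied = set(), set()
    for principal, kind, level in aces:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(LEVELS[level])
    return frozenset(allowed - denied)

def network_effective(share_aces, ntfs_aces, principals):
    """Access through the share: only rights granted by BOTH layers survive."""
    return layer_effective(share_aces, principals) & layer_effective(ntfs_aces, principals)

def name_of(rights):
    """Map a rights set back to a level name for display."""
    for name in ("Full Control", "Change", "Read"):
        if rights == LEVELS[name]:
            return name
    return "No access" if not rights else "Special: " + ", ".join(sorted(rights))

# The quiz scenario from the page.
JOHN = {"John", "Sales", "Everyone"}
SHARE = [("Everyone", "allow", "Change")]
NTFS = [("John", "allow", "Full Control"), ("Sales", "allow", "Read")]

if __name__ == "__main__":
    print("NTFS only (local logon):", name_of(layer_effective(NTFS, JOHN)))
    print("Share only:", name_of(layer_effective(SHARE, JOHN)))
    print("Over the network:", name_of(network_effective(SHARE, NTFS, JOHN)))
    # "What if" all three entries sat in the same layer: they accumulate.
    print("All in one layer:", name_of(layer_effective(SHARE + NTFS, JOHN)))
    # A deny on a group John belongs to removes rights despite his own allow.
    with_deny = NTFS + [("Sales", "deny", "Read")]
    print("With Deny Read on Sales:", name_of(layer_effective(with_deny, JOHN)))
```

Within one layer the entries accumulate to the most permissive level, which is why the same three entries placed all in the share list or all in the NTFS list yield Full Control; only the combination of the two layers restricts John to Change.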