How do you deal with project ambiguities

Configure projects, groups, and permissions for managed self-service

Tableau Online and Tableau Server each include an environment for easy open publishing and collaborative analysis of visualizations created in Tableau Desktop or through web authoring. With this flexibility comes the task of ensuring that the right Content for people who trust it in their work is easy to find. Likewise, it is important to ensure that the allowed access does not cause any problems with site performance or administration.

To accomplish these tasks, many administrators set up their Tableau sites for something called the managed self-service a. This is just a sign of the fact that the site allows areas for open collaboration and web editing in addition to areas where access to data and reports is more controlled. As the site administrator, you establish guidelines to help users determine where to do their work.

To get started with a managed self-service approach, the following sections explain how you, as a site administrator, can:

  • Create projects on the Tableau Server or Tableau Online site to align work with the content.
    • For example, some projects are open to collaboration by all users, while others are only visible to authorized publishers.
  • Create user groups based on the type of access users need to the content.
  • Create a clear and scalable authorization strategy.

Note: The information provided here is adapted and simplified in terms of the practices of existing Tableau grandmasters and customers who have shared their experiences. Links to the respective conversations are available at the bottom of this page.

Creation of a project team and definition of the authorization strategy

Changing the project structure on your site after your users post content is not impossible, but it is difficult and a real challenge. Before making any final decisions or taking steps with long-term effects on your Tableau site, it is a good idea to assemble users from different areas of your Tableau users into a project team that covers a wide range of uses for your Tableau content.

The permissions strategy helps scale your environment as you add new Tableau users. Make sure it includes two important practices: managing permissions for groups only and setting permissions at the project level only. Setting permissions at the individual user level and for individual content resources quickly makes them unmanageable. If you have to deviate from this method, be sure to share your strategy with other administrators and project leaders.

Important: It is highly recommended that you familiarize yourself with Tableau permissions before proceeding.

Steps to coordinate projects and groups

In order for projects and authorizations (content) to be combined with groups (people) in a self-managed environment, the following steps are usually necessary:

  1. 1. Plan your permissions: Find common topics about the type of access users need. This helps in identifying projects and groups.
  2. 2. Remove permissions that create ambiguity
  3. 3. Create groups
  4. 4. Assigning permissions to groups
  5. 5. Create projects and adjust permissions
  6. 6. Blocking authorizations in the individual projects

If you want to follow the guidelines outlined here, consider automating your work with groups and projects.

1. Plan your permissions.

Before you create groups and begin assigning permissions, make a list of people who need access to content. Arrange them in groups based on the tasks to be performed.

Someone who makes publications or a data source in a project with certified For example, moving content requires a different level of access than someone who only reads published reports. (The term "certified" is used here to mean "trusted" - these are the data sources or reports that your Tableau community can expect to be a reliable data source for your organization.)

Also note that you can set permissions differently for each project. A user with the role of data officer for the operations department may therefore not have equivalent access to marketing content.

This task, done outside of the Tableau environment, can be the hardest part of setting up a site.

Use a closed permissions model for managed content

The basic models for setting permissions are open or closed. In an open model, users are given a high level of access and you explicitly revoke permissions to functions. This model can work if your organization is very small and everyone has a similar level of responsibility.

In a closed model, users are only given as much access as they need to perform their tasks. This is the preferred model for security professionals, and the examples in this article are intended to illustrate this.

2. Remove permissions that create ambiguity

Each site has a default project and an All Users group. Any user added to the server automatically becomes a member of the All Users group. The default project serves as a template for new projects on the site and cannot be deleted. However, you can change the permissions. By creating groups and defining basic permissions at this point, you can know exactly and control who receives which access level for all new projects.

In the context of managed self-service, when basic permissions are set, the permissions are taken from the All users groupawayso that permissions are enabled only for groups that you create and over which you have control.

  1. Click the Content tab to view your site's parent projects.
  2. Select Permissions in the Actions menu of the Standard project.
  3. Next to the group name, select All Users ... and then select Edit.
  4. For the Project, Workbooks, and Data Sources tabs, use the Templates drop-down menu and select None.
  5. Select Save to apply your changes.

3. Create groups

Groups are created to match the task of users with a content set. In this case, a "content set" refers to the workbooks and data sources in a project.

When creating your groups, use descriptive names that make sense for your organization. For example, a possible group sentence could be as follows:

  • Project Manager. You can think of a project manager as an administrator at the project level. Users who can perform all functions available to data sources, except for setting permissions to do so. People in this group can be site administrators or users whose job it is to approve or certify data models or reports. To grant administrator roles at the project level, you can assign the Project Leader setting to users who have appropriate site-specific roles. For more information, see Permissions.
  • Analysts / Publishers. This group is designed for users who publish workbooks for production and other open projects, who use web editing for some projects, and who can connect to data sources that have been certified by the data officers. This group is not allowed to set permissions for content or move content between projects.
  • Business users. This group is likely to include people who don't use Tableau Desktop but who use data to answer questions and make business decisions. They can only view and interact with workbooks in specific projects, and cannot publish, edit, save, or delete anything.
  • Administrators. Depending on the size of your deployment, managing site or server administrators can help you keep track of who has what level of access.

    Note: Users with the Server Administrator or Site Administrator Creator site role have access to all content on the site. It doesn't matter which groups you add them to.

If you have multiple Tableau roles per department, creating the appropriate groups manually can be very labor intensive. For information on alternatives, see Automating Working with Groups and Projects later in this article.

Additional Information:Create a group and add users to that group

4. Assigning permissions to groups

After you've created groups, you can assign permissions in one of the following ways:

  • Apply a main set of permissions to the individual groups in the standard project, which remains more or less unchanged for all projects. You can then make minor adjustments in specific projects.
    Or
  • Keep the default project unchanged and only apply permissions to projects that you have created.

For more information, see Permissions.

For the example we are using, it makes more sense to define authorization templates in the standard project. You should generally reject some functions and then only allow them for some projects in which you want to allow more open access.

Creation of authorization rules

  1. With the standard project open, select the Permissions entry in the Actions (...) menu.
  2. Create an authorization rule for all groups as follows:
    1. Click Add Group / User Rule and enter the desired group or user in the search box.
    2. For each tab, choose an existing template from the drop-down menu or create a custom rule by clicking the features.
      1. Templates are predefined sets of functions that make setup easier.
      2. One click sets the function to Allowed, two clicks to Denied and a third click deletes the selection (not specified).
    3. Click Save when you're done.
  3. Lock permissions for the project.

Note that a role is only granted to a user if he has expressly allowed it. If a function is left on "No specification", it will be denied. For more information, see Permissions.

example

For the groups defined above, here is a method for setting default permissions.

Project tabWorkbooks tabData Sources tab
"Project Leader" groupPermissions
Analyst / Editor GroupPublish templatePublish templatePublish template
Business Users Group"View" template

Examine template

Set Web Editing and Download Full Data to Not Specified *.

Examine Template

* This assumes that you only want to allow web editing and data downloading for selected projects. You can allow these functions for specific projects or workbooks.

5. Create projects and adjust permissions

After setting the default project with your custom permissions template, you can create projects that allow the content use cases you have identified. You can adjust the standard authorizations for each project accordingly.

Example project structure

A method for structuring projects could be the following use cases:

Workbooks shared for open collaboration on the server

Anyone in the department can publish to the open collaboration project while its content is in development. Colleagues can collaborate using web editing on the server. This is sometimes referred to as sandbox, staging, and so on. In this project you can allow web editing, saving, downloading etc.

At this point, in addition to enabling collaboration, you want input and feedback from people outside of Tableau Desktop.

Shared reports that cannot be edited

This could be a project where the people who create workbooks and data sources (analysts and data officers) publish when they want business users to see content and make sure their work is not "checked out" or modified can.

For this type of project, you would deny any functionality that would allow the data to be edited or retrieved from the server for reuse. You should allow viewing functions.

Validated data sources that analysts can connect to

At this point, data officers would publish the data sources that meet all of your data needs and become the reliable data source for your organization. Project leaders for this project can review these data sources to rank them higher in search results and to include them in the recommended data sources.

You would allow authorized analysts (that is, the group of publishers described earlier) to connect their workbooks to data sources in this project. However, you would not be able to download or edit them. You would deny the Business Users group viewing functionality for this project so that users would not even be able to see this project.

Inactive content

Another option is to separate workbooks and data sources that, according to the administrative views of the site, have not been used for a period of time. You could set a time limit for the owners of the content before their content is removed from the server.

Your organization depends on whether you proceed in this way or delete it directly in the work projects. In an active environment, you can deliberately remove unused content.

Source for workbook templates

This is a project that users download content from, but cannot post or save content to. Authorized publishers or project managers provide workbook templates. Templates with your organization's approved fonts, colors, images, and even built-in data connections can be a great time saver for authors and ensure a consistent design of your reports.

Support the project manager in content management and the user in searching for content

  • Develop a scalable project naming scheme that makes sense in your organization.

    The basic structure could be <Abteilung> – <Inhaltsverwendung> read, e.g. B. Operation - production.

  • Use the Description project field.

    The description that you enter when creating a project appears when you hover over the project thumbnail, as well as on the project details page.

6. Blocking of authorizations in the individual projects

After you have specified the functions for the individual groups in a project, you can lock the authorizations of the project, either for the project itself or for all projects in the hierarchy. Carry out this process for the standard project as well.

How to configure the Content permissions:

  1. You must be logged in to the site as an administrator, project owner, or project leader.
  2. Open the permissions dialog for a project.
  3. Click the link in the top left Edit content permissions, and in the Content Permissions dialog box, select the option you want.

Locking permissions prevents publishers from explicitly setting permissions as part of the publishing process in Tableau Desktop. Instead, the content inherits the set permissions of the project it is published to, and permissions can only be set by administrators and project leaders.

For more information, see Permissions.

Automate work with groups and projects

Creating multiple groups and projects with manual setting of permissions can be very tedious.To automate these processes so that they can be repeated with future updates, you can perform these tasks with the commands of the REST API (Link opens in a new window).

The tabcmd commands allow you to perform tasks such as adding or deleting individual projects or groups, and adding users, but cannot set permissions.

Next Steps

In addition to projects, groups, and permissions, other data control topics include the following:

User training

Help all Help your Tableau users become good data officers. The most successful Tableau organizations create Tableau user groups, hold regular training sessions, and so on.

For a general approach to orienting users on the site, see Dashboard-Based Custom Portals.

For tips on publishing and data certification, see the following topics:

Optimize extract update and subscription activity

If you're using Tableau Server, create extract update policies and subscription schedules to keep them from dominating the site. The Wells Fargo and Sprint TC customer presentations cover this issue in detail. Refer also to the topics under Performance Adjustment.

If you are using Tableau Online, review the following topics to familiarize yourself with the methods for updating extracts:

Monitor

Use administrative views to keep track of site performance and content application.

Administrative views

Learn how Tableau and some of our customers are using control and self-service

The following list contains links to data security and Center of Excellence (COE) presentations given at the Tableau Conference over the past few years. Even if the Tableau versions have evolved in the meantime, the principles remain unchanged. You can search the playlists for more videos about the COE and how to manage Tableau on demand.

Creation of a Center of Excellence in Tableau (Link opens in a new window) (TC Europa 2018)

Server administrators: Don't be afraid of web authoring (Link opens in a new window) (Sprint, TC16)

Past, present and future at Charles Schwab (Link opens in a new window) (TC 17)

Content strategies in Tableau (Link opens in a new window) (TC 17)