In Tableau Server, permissions control who can work with what content.
Who means users and groups of users in your site. We briefly talked about groups in Creating Users. In this chapter we’ll show you how groups can help you manage permissions efficiently.
What means projects, workbooks, and data sources in your site—in other words, the content that your users will publish and share using Tableau Server.
Open and closed permissions models
Two general approaches for setting permissions are the open and closed models. In an open model, users get a high level of access—for example, all users can publish, and if necessary, you explicitly deny capabilities. This model can work when your organization is very small, and everyone has a similar level of responsibility.
In a closed model, users get only the access they need to do their jobs. This is the model security professionals advocate and the one we’ll use in this guide.
About permissions and capabilities
Every type of content supports a set of capabilities. Each capability represents an action that a user might perform on that content. For example, you can specify who can view, add comments to, or save a workbook, or connect to a data source.
You can set capabilities to Allowed, Unspecified, or Denied. If a capability is set to Unspecified for a particular group, users in that group cannot perform the associated task. We refer to this as an implicit deny. Permission for a workbook’s Save capability unspecified? Sorry, you can’t save that workbook.