Tableau Project Permissions
Overview of Basic Tableau Permissions
Each Tableau report consists of Data Source(s) that supply the basic data and the Workbook that holds the report in one or more tabs.
Tableau permissions must be granted for both the Data Source(s) and the Workbook (which is held in a Project folder).
User Groups are granted these permissions.
Permission Level | What it is | Notes |
Workbooks in a Project | The project’s permissions apply to all workbooks (reports) in a project | Recommended as simplest to maintain |
Individual workbooks | Each workbook (and/or each view) can have different permissions | For advanced users - otherwise not recommended |
Data Source | Only explicitly-permitted users can see the data supplied by each Data Source | Data Sources are in the <ClientName> Project |
Row Level Security | Additional data permission filtering, created within the data source, to limit the logged-in users to certain records.. | Optional. Typically for Salesreps and their managers to see only their own sales. |
Locked to Project
For simplicity, most projects should be Locked. This forces every workbook within it to conform to the Project’s permission setup.
A user publishing a new report does not need to contend with permission issues beyond publishing it to the appropriate Project.



Exceptions (not locked to project)
ClientName (holds data sources)
The project with the client name (that holds the data sources) needs to be kept Customizable, to allow each data source to be separately permissioned.
Not Implemented (as parent project)
The WIP project holds subprojects that will be individually Locked and permissioned.
Later, the whole subproject may be moved out to be a Top-Level project, or may have selected workbooks copied into other projects.
Default (not used)
The Default project settings are the default for any new projects. Except that if set as Locked To Project, the Locked status does not carry over to the new project.
User Groups

Apply Groups to Individual Data Sources

All data sources should be
All Users group - removed
All Access group - View rights
XX Allow group - View rights
GL DENY group - Denied rights (GL only)
Site Admins will still retain full rights because of their role.
Row Level Security
Row Level Security can exclude even Admin users from viewing the Data Source’s data.
_ Analytics Project as All Users
Leave the _ Analytics project as All Users with Publish access.
Project Permissions by User Group
Permissions for each Project that contains reports
Why
Giving (or not giving) users permissions for the data sources is basically adequate, though potentially they would still be able to see some information in a workbook’s thumbnail even if their lack of permission for that data source did not allow them to read the full reports.
Allowing users access to selected projects declutters their display.
Projects tab

All Users group - removed
All Access group - Publish rights
XX Allow group - Publish rights
GL DENY group - Denied rights (GL only)
DS Cloud can be ignored. It is DataSelf’s user used to create the Tableau site and does not affect the end users' rights
(Individual user's Role will later limit who can publish.)
Workbooks tab

Tableau Permission Help Page
https://help.tableau.com/current/server/en-us/permissions.htm#set-permissions