A guest post by Darth Flashypants in honor of the “The Force Awakens” trailer.
A long time ago in a galaxy far, far away, the original Tableau Jedi Master discovered that one could create a matrix of User-Tableau object permissions with some fancy SQL against the PostgreSQL database of Tableau Sever. It required much SQL and some blending, but it worked.
Master Rueter shared his knowledge (“The Holy Grail”) with fellow Jedi. Since the tables necessary to do this work were locked down and not accessible via the “tableau” user, the discovery was interesting – but not something that could be unleashed on the world. The galaxy was at peace.
One of the young Jedi discovered Master Rueter’s work, and became rather obsessed with it. This young one improved the queries, making them stronger. He packed the queries into views and even wrote a command-line app that would inject them into the PostgreSQL database in order to allow easy access to this forbidden knowledge. The dark “Permissions Bomb” tool lay hidden ever since, waiting for the day it would be put to use.
[Queue foreboding Sith music]
With the release of 8.2.5, all the power that is the PostgreSQL catalog can be utilized by mere mortals. You may use said power for good, or…ahem…do this.
Standard Sith Warning: SithCorp and its subsidiaries will not be held responsible for irresponsible or irrational use of the following information. The queries which drive the workbook will pound your PostgreSQL database. You should create extracts for each one of the data sources and refresh them during off hours. Don’t you dare call Tableau support about these or I’ll send an Inquisitor out to take your head.
- Use at your own risk
- This Sith is busy slaying Jedi and won’t modify the SQL for you or explain how it all works in depth. Roll up your sleeves, use Tableau’s fine data dictionary and figure it out yourself. That’s what I did, and that’s how you get good with Tableau.
It allows you to see all the stuff (views, workbooks, data sources, etc.) in your Tableau sever and what user permissions are on all that stuff. You can view permissions as they were set by an admin or the effective permissions of a user on content after group membership / administrator / project manager status has been taken into account.
Here you can see the permissions that our guest user has (or doesn’t have) on various data sources on my server:
Here are permissions on views for guest. Note how they look (generally) different between sites.
And finally effective permissions for guest – this is the viz I use most often as it rolls up inheritance and admin permissions to give me a “final view” in terms of what people can and can’t do.
The Permissions Bomb uses three blended data sources:
Universe of possible permissions: This query is intentionally unwieldy as it needs to create a “matrix” of all potential permissions and objects that can be represented in Tableau. Even if a certain permission isn’t actually USED by an administrator, we still need to be aware that it exists and that it is NOT set…This query does the heavy lifting of setting up that framework
Current Permissions: The current permissions data source executes SQL which determines what permissions have actually been set for an object or objects
Who are Administrators: Does what you think it would – this query returns a list of admin-ish type folks. We need this information when it comes time to figure out effective permissions.
Here, silly goose. Edit the connection so it points to your instance of PostgreSQL. If you need help connecting to PostgreSQL, use this help topic. Make sure to enable the “readonly” user, too. More info here.
Have fun, but please use extracts. Not even a Sith wants you beating your Tableau Server to death with big, ugly queries.