Tableau roles and permissions

The lineage harvester uses the Tableau Rest APIs and Tableau Metadata API to ingest the Tableau metadata. You need at least minimum permissions in Tableau to enable the lineage harvester to access the Tableau metadata and ingest it in Data Catalog.

Permissions on metadata

Permissions control who is allowed to see and manage external assets and which metadata (for both Tableau content and external assets) is shown through lineage.

If Tableau Online or Tableau Server is not licensed with the Data Management Add-on, then by default, only administrators can see database and table metadata through the Tableau Metadata API. You can turn on "derived permissions", to allow users to see metadata on external assets for the content that they own, or for the content that is published to a project for which they are a project leader or project owner. However, we cannot guarantee that this will work. We recommend using an Administrator role or the Explorer role with the Data Management Add-on, as identified in Tableau ingestion results. For complete information, see the Tableau documentation.

Minimum roles and permissions in Tableau

You need to following minimum roles and permissions to harvest Tableau metadata:

  • You have a View permission on Tableau projects, workbooks and data sources you want to ingest.
  • You have a Viewer or Explorer (can publish) role with access to the Tableau REST API.

Recommended roles and permissions in Tableau

For a full ingestion, we recommend the following roles and permissions in Tableau:

  • You have at least a View permission on Tableau projects, workbooks and data sources you want to ingest.
  • You have the Explorer role with the Data Management Add-on.

If you use the Explorer role, ensure that the lineage harvester can access all of the lineage information. Specifically, as a Tableau administrator, click Settings > General, and ensure that the following options are selected:

  • Automatically grant authorized users access to metadata about databases and tables
  • Show complete lineage (default)

If you use the Explorer role and you have access to a subproject, but not the parent project, the parent project is ingested with the Tableau UUID, to maintain the hierarchy of assets.

For complete information on ingestion results based on your Tableau permissions, see Tableau ingestion results.

Tip Tableau users with a Server Administrator role have access to the entire Tableau Server. Tableau users with a Site Administrator role can only be assigned to specific Tableau sites. As a result, if you have the Site Administrator role, only metadata from specific Tableau sites can be ingested in Data Catalog.