Tableau roles, permissions, and mandatory settings
The lineage harvester uses the Tableau REST APIs and Tableau Metadata API to ingest the Tableau metadata. You need at least the minimum permissions in Tableau to enable the lineage harvester to access the Tableau metadata and ingest it in Data Catalog.
In this topic
- First things first: A word about Data Management
- Permissions on metadata
- Roles in Tableau
- Minimum roles and permissions
- Recommended roles and permissions
- Mandatory settings in Tableau
- Best practice: Necessary permissions when using the Explorer role
First things first: A word about Data Management
Consider the following facts:
- To do just about anything with your data in Tableau, including accessing data objects and visualizing lineage, you must have the Data Management add-on and it must be enabled for your Tableau Online account or Tableau Server.
- The Metadata API and Data Management are enabled together, so when you enable one, you automatically enable the other.
- The Metadata API must be enabled in Tableau to create a technical lineage and benefit from automatic stitching.
In short, to integrate Tableau and create a technical lineage, you must have Data Management enabled. Therefore, the following information is built on the assumption that you meet that requirement.
Permissions on metadata
Permissions control who is allowed to see and manage external assets and which metadata (for both Tableau content and external assets) is shown through lineage.
Tip: In Tableau, the term "external asset" refers to databases, files and tables that act as Tableau data sources. You need to be able to access external assets if you want to ingest lineage information and benefit from stitching. If you only want to ingest Tableau assets and view the lineage between those assets, it is sufficient to have access only to data objects in Tableau.
No particular role or permissions are needed to allow the lineage harvester access to data objects in Tableau and external assets for which you are the owner. The lineage harvester can automatically access all such data.
Roles in Tableau
The different roles in Tableau allow for different levels of access to data objects in Tableau and external assets.
Viewer role
With the Viewer role, you cannot access external assets, regardless of any other factors, for example even if you are the Project Leader for the projects you want to ingest.
Tableau Data Attributes and Tableau Data Models are ingested as assets in Data Catalog and you can view the lineage for the ingested assets up until the table level only.
Explorer role
With the Explorer role, your access to external assets depends on the following combined factors:
- Whether or not you are a Project Leader for the projects you want to ingest.
- Whether or not derived permissions are turned on in Tableau.
Important: If you use the Explorer role, ensure that you configure the mandatory settings in Tableau, as described further on in this topic.
Here are a few tested configurations for the Explorer role:
Combination of accessibility factors | You can access... |
---|---|
|
|
|
|
|
If you have manually granted permissions for all projects you want to ingest, on all levels, including databases and tables, you can access:
|
Note: Data Management allows you (as the person running the lineage harvester) to view in Tableau the external assets for which you are the owner. Without Data Management, some databases, tables and even files might come through, but you can't see them. If you don't have Data Management, we highly recommend that you use a Tableau Server Administrator or Tableau Site Administrator role.
For complete information, see the Tableau documentation.
Tableau Server Administrator or Tableau Site Administrator
With either of these roles, you can access all Tableau data objects and external assets, regardless of any other factors. No permissions need to be configured.
Note: Tableau users with a Server Administrator role have access to the entire Tableau Server. Tableau users with a Site Administrator role can only be assigned to specific Tableau sites. As a result, if you have the Site Administrator role, only metadata from specific Tableau sites can be ingested in Data Catalog.
Minimum roles and permissions
To harvest Tableau metadata, you need the following minimum roles and permissions in Tableau:
- You have a View permission on the Tableau projects, workbooks and data sources you want to ingest.
- You have a Viewer role with access to the Tableau REST API.
Important: With the minimum roles and permissions, you can harvest Tableau metadata, ingest the corresponding Tableau assets and view the lineage between those assets. However, you cannot access external assets, meaning the databases, files and tables that act as Tableau data sources. Therefore, stitching is not possible.
Recommended roles and permissions
For a full ingestion, you have to be able to access the external assets. We recommend the following roles and permissions in Tableau:
- You have at least a View permission on the Tableau projects, workbooks, data sources, and external assets you want to ingest.
- You have an Administrator role or you have the Explorer role with a sufficient combination of accessibility factors, as previously described in Explorer role.
Mandatory settings in Tableau
If you use the Explorer role, you have to ensure that the lineage harvester can access all of the lineage information. Specifically, as a Tableau administrator, click Settings > General, and ensure that the following options are selected:
- Automatically grant authorized users access to metadata about databases and tables
- Show complete lineage (default)
You also have to select the Turn on Tableau Catalogue option, to:
- View lineage and external assets.
- Set permissions on external assets.
As shown in the following image, if you use the Explorer role and you have access to a subproject, but not the parent project, the parent project is ingested with the Tableau UUID, to maintain the hierarchy of assets.
Best practice: Necessary permissions when using the Explorer role
In this section, we address the permissions you need to attain full lineage and automatic stitching when using the Explorer role in Tableau.
As with any Tableau role, you need to ensure that the mandatory Tableau settings are configured.
Option 1: Explorer role with Project Leader rights
Project Leaders have full administrative access to the project and its content. This option is better suited for big projects and projects in which the contents frequently change.
Benefits | Limitations |
---|---|
|
|
Project Leader status alone doesn't give you access to external assets, which you need to benefit from stitching.
- If Data Management is enabled, you automatically have access to external assets.
- If Data Management is not enabled, you have to manually give the Explorer user access to the database and tables.
Option 2: Explorer role with View permissions
If you have the Explorer role, but you are not the Project Leader for the project you want to ingest, then ensure that you have access to the entire project hierarchy. For example, if you want to ingest a specific worksheet, make sure that you also have permissions to ingest the parent workbook, (sub)projects and related data sources. For each data source, ensure that you have derived permissions to the external assets.
This option is better suited for smaller projects and projects in which the contents don't change very frequently.
Benefits | Limitations |
---|---|
|
|
How to find the database and tables of a data source
If you don't have Data Management and you, therefore, have to manually give the user access to the database and tables, follow these steps to find the database and tables for a specific data source.
- Click the Tableau data source or workbook, to open it.
- Click the Lineage tab.
- Grant access to the database. View permissions are sufficient.
- Do one of the following:
  - Grant access to all tables in the database.
  - In the Lineage tab, click Tables to view the tables that are used in the data source and grant access only to the tables you want to ingest.
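An added example (not part of the Collibra or Tableau documentation): a pre-flight check on a Metadata API response fetched with the harvester account, flagging data sources whose databases or tables are not visible to that account, which is the condition under which stitching is not possible. The response below is constructed sample data, and treating an empty upstream list as a missing permission is an assumption, since a data source can also legitimately have no tables.

```python
import json

# GraphQL query for the Tableau Metadata API, run as the harvester account.
QUERY = """
{
  workbooks {
    name
    projectName
    upstreamDatasources { name upstreamTables { name } upstreamDatabases { name } }
  }
}
"""

# Constructed response as the harvester account might see it (not real data).
SAMPLE_RESPONSE = json.loads("""
{"data": {"workbooks": [
  {"name": "Sales KPIs", "projectName": "Finance",
   "upstreamDatasources": [
     {"name": "Orders", "upstreamTables": [{"name": "ORDERS"}],
      "upstreamDatabases": [{"name": "DWH"}]}]},
  {"name": "Churn", "projectName": "Marketing",
   "upstreamDatasources": [
     {"name": "Customers", "upstreamTables": [],
      "upstreamDatabases": [{"name": "CRM"}]},
     {"name": "Web Events", "upstreamTables": [], "upstreamDatabases": []}]}
]}}
""")


def named(nodes):
    """Return the names of the nodes that carry a readable name."""
    return [n["name"] for n in (nodes or []) if n and n.get("name")]


def find_stitching_gaps(response):
    """Return (project, workbook, data source, missing kinds) per gap."""
    gaps = []
    for wb in (response.get("data") or {}).get("workbooks") or []:
        for ds in wb.get("upstreamDatasources") or []:
            # Heuristic (assumption): no visible external asset means no access.
            missing = [kind for kind, key in (("database", "upstreamDatabases"),
                                              ("tables", "upstreamTables"))
                       if not named(ds.get(key))]
            if missing:
                gaps.append((wb.get("projectName"), wb["name"], ds["name"], missing))
    return gaps


if __name__ == "__main__":
    for project, workbook, source, missing in find_stitching_gaps(SAMPLE_RESPONSE):
        print(f"{project}/{workbook}: '{source}' exposes no {' or '.join(missing)}")
```

Each reported data source is a candidate for the manual database and table grants described above, or for a review of the derived-permissions setting.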