The Tableau REST API lets you programmatically set any permissions, and the functionality has been built into the tableau_rest_api library for a long time now. The link is definitely recommended reading to start, but I’ll do a quick run through here as well.
Permissions on an object (project, workbook, or data source) for a given User or Group are represented by XML tags named GranteeCapabilities. Because of this, there is a GranteeCapabilities object in the tableau_rest_api library which represents the permissions for a single User or Group. You can assign a whole set of GranteeCapabilities to a server object at once; to do this in tableau_rest_api, you create a list of GranteeCapabilities objects. Here’s a quick example (t is a TableauRestApi object created earlier):
```python
# t is a TableauRestApi object created (and signed in) earlier

# Group 1: may view and filter
group1_luid = t.query_group_luid_by_name(u'Group 1')
caps1 = GranteeCapabilities(u'group', group1_luid)
caps1.set_capability(u'View', u'Allow')
caps1.set_capability(u'Filter', u'Allow')

# Group 2: may view, but filtering is explicitly denied
group2_luid = t.query_group_luid_by_name(u'Group 2')
caps2 = GranteeCapabilities(u'group', group2_luid)
caps2.set_capability(u'View', u'Allow')
caps2.set_capability(u'Filter', u'Deny')

# Apply both sets of permissions to the project in one call
gcaps_list = [caps1, caps2]
project_luid = t.query_project_luid_by_name(u'My Project')
t.add_permissions_by_gcap_obj_list(u'project', project_luid, gcaps_list)
```
You may notice something that is a pain: you have to set all the capabilities for each group and user one by one. Starting in tableau_rest_api 1.5.1, there is a new method called set_capabilities_to_match_role(role_name) which lets you specify the same role names that are available in the Tableau Server UI (Viewer, Interactor, Editor, etc.). This sets the capabilities to match exactly what would be available if you selected that role in the UI. You can then customize from there by using the set_capability method. There are also set_all_to_allow and set_all_to_deny methods, which are self-explanatory.
So instead of the previous example, you might do:
```python
group1_luid = t.query_group_luid_by_name(u'Group 1')
caps1 = GranteeCapabilities(u'group', group1_luid)

# Start from the Interactor role, then deny Web Edit on top of it
caps1.set_capabilities_to_match_role(u"Interactor")
caps1.set_capability(u'Web Edit', u'Deny')

gcaps_list = [caps1, ]  # Syntax for creating list with 1 item
project_luid = t.query_project_luid_by_name(u'My Project')
t.add_permissions_by_gcap_obj_list(u'project', project_luid, gcaps_list)
```
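After setting permissions, it is worth checking what the server actually holds. The following is an added example, not part of tableau_rest_api or the original post: it parses the granteeCapabilities XML that the REST API uses and reports any capability whose mode differs from what you intended. The sample XML, the placeholder LUIDs and the function names are constructed for illustration, and it assumes the REST-level capability name for the UI's "View" is Read.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://tableau.com/api"}

# Constructed sample of a permissions response; the LUIDs are placeholders.
SAMPLE_XML = """<tsResponse xmlns="http://tableau.com/api"><permissions>
  <granteeCapabilities><group id="group1-luid-placeholder"/><capabilities>
    <capability name="Read" mode="Allow"/>
    <capability name="Filter" mode="Allow"/>
  </capabilities></granteeCapabilities>
  <granteeCapabilities><group id="group2-luid-placeholder"/><capabilities>
    <capability name="Read" mode="Allow"/>
    <capability name="Filter" mode="Allow"/>
  </capabilities></granteeCapabilities>
</permissions></tsResponse>"""

# Intended state from the first example above (Group 2 must not filter).
EXPECTED = {
    ("group", "group1-luid-placeholder"): {"Read": "Allow", "Filter": "Allow"},
    ("group", "group2-luid-placeholder"): {"Read": "Allow", "Filter": "Deny"},
}

def parse_grantee_capabilities(xml_text):
    """Return {(grantee_type, luid): {capability_name: mode}}."""
    result = {}
    for gcap in ET.fromstring(xml_text).iterfind(".//t:granteeCapabilities", NS):
        grantee, kind = gcap.find("t:group", NS), "group"
        if grantee is None:
            grantee, kind = gcap.find("t:user", NS), "user"
        if grantee is None:
            continue  # neither a group nor a user element: skip it
        caps = gcap.iterfind("t:capabilities/t:capability", NS)
        result[(kind, grantee.get("id"))] = {c.get("name"): c.get("mode") for c in caps}
    return result

def find_drift(actual, expected):
    """List (grantee, capability, expected_mode, actual_mode) mismatches."""
    drift = []
    for grantee in sorted(set(actual) | set(expected)):
        want, have = expected.get(grantee, {}), actual.get(grantee, {})
        for cap in sorted(set(want) | set(have)):
            if want.get(cap) != have.get(cap):
                drift.append((grantee, cap, want.get(cap), have.get(cap)))
    return drift

if __name__ == "__main__":
    print(find_drift(parse_grantee_capabilities(SAMPLE_XML), EXPECTED))
```

A mode of None in the output means the capability is missing on that side, so the check catches both unexpected grants and rules that were never applied.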