Keeping Web Edit Content Private

Tableau’s behavior for saving content when using Web Edit follows these rules:

  1. If you are the Content Owner, you can Save or Save As
  2. If you are not the Content Owner, you can Save As

Save As is only allowed to Projects where you (or the groups you belong to) have a Save permission set to “Allow”.

Since a newly Saved Workbook will take the Default Permissions of the Project it saves into, if other people also have permissions for that same Project, they will also be able to access that content. This leads to several different strategies for controlling the privacy of content created through Save As.

Possible solutions:

  • A Project Per Team / Group
  • A Project Per User
  • A REST API script that “fixes” Permissions
  • Publishing a New Copy rather than Save As

 

A Project Per Team / Group

If it is okay for different people to see each other’s saved content, then you may only need to create a Project per grouping of those people.

A Project Per User

If you want every user to have full privacy on the content they have created, you can create a Project just for them. In later versions of Tableau Server, you can create a containing Project (for example, called “Sandboxes”) that holds the individual Project for each user.

To maintain this, you’ll want to use the REST API to create all of these user-specific Projects. You might even go further and only create Projects for those customers who have Web Edit enabled (look at who are Explorers, for example).

A REST API script that “fixes” Permissions

While not truly “instantaneous”, you can use the Tableau Server REST API to monitor for newly published content in a Project, and then adjust its permissions. In this scenario, users would save into a Project that did not have “locked permissions”, so that individual workbooks can have their own permission sets. When the Save As happens, the content will take the Default Permissions of the Project. The REST API script would poll for newly published content, and when it finds any, it would send the appropriate Permissions updates so that the Workbook is only accessible to the Content Owner (who did the initial Save As action).

You might still combine this with the “Project Per Customer / Group” solution to make sure that even in that brief window of time, no customer would ever have access to another customer’s workbooks.

Here’s an example script using tableau_tools with most of these pieces in place. You might specify a set of projects to search in rather than look at all workbooks as this does, but the basic components are here:

import datetime
from tableau_tools import *
from tableau_tools.tableau_rest_api import *

logger = Logger(u'fix_permissions.log')  # log file name is just an example

# The filter string ends in "Z", so the timestamp must be UTC rather than local time
time_1_minute_back = datetime.datetime.utcnow() - datetime.timedelta(minutes=1)
print(time_1_minute_back)
created_time_string = time_1_minute_back.strftime("%Y-%m-%dT%H:%M:%SZ")
publish_filter = UrlFilter28.create_created_at_filter(operator=u"gte", created_at_time=created_time_string)
t = TableauRestApiConnection26(server=u'http://yourServer', username=u'admin',
                               password=u'hackme', site_content_url=u'default')
t.signin()
t.enable_logging(logger)
# All workbooks created in the last minute, across every Project on the site
wbs = t.query_workbooks(created_at_filter=publish_filter)  # type: etree.Element
default_proj_obj = t.query_project(u'Default')  # Query just to have an instantiated Project object
for wb in wbs:
    print(wb.get(u'name'))
    print(wb.get(u'createdAt'))
    wb_luid = wb.get(u'id')
    owner_luid = None  # reset per workbook so a previous owner is never reused
    for e in wb:
        if e.tag.find(u'project') != -1:
            project_name = e.get(u'name')
            print("Project " + project_name)
        if e.tag.find(u'owner') != -1:
            owner_luid = e.get(u'id')
    if owner_luid is None:
        print("No owner found, skipping workbook")
        continue
    # Get Published Workbook object
    pub_wb = t.get_published_workbook_object(wb_luid)  # type: Workbook
    # Remove everything inherited from the Project defaults, then grant the owner only
    pub_wb.clear_all_permissions()
    owner_perms = default_proj_obj.create_workbook_permissions_object_for_user(owner_luid, role='Editor')
    pub_wb.set_permissions_by_permissions_obj_list([owner_perms, ])
    print("Permissions reset for workbook")
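
To confirm the reset actually left a workbook owner-only, you can audit the explicit permissions the server reports for it. The following is an added example, not part of the original script or of tableau_tools: it parses a REST API "Query Workbook Permissions" response with the standard library and lists every Allow rule granted to anyone other than the owner. The sample response, its ids and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a "Query Workbook Permissions" response,
# taken before the fix: the Project default still grants a group Read access.
SAMPLE_RESPONSE = """<tsResponse xmlns="http://tableau.com/api">
  <permissions>
    <workbook id="wb-0001" name="Sales copy"><owner id="user-owner"/></workbook>
    <granteeCapabilities>
      <user id="user-owner"/>
      <capabilities>
        <capability name="Read" mode="Allow"/>
        <capability name="Write" mode="Allow"/>
      </capabilities>
    </granteeCapabilities>
    <granteeCapabilities>
      <group id="group-all-users"/>
      <capabilities>
        <capability name="Read" mode="Allow"/>
        <capability name="ExportData" mode="Deny"/>
      </capabilities>
    </granteeCapabilities>
  </permissions>
</tsResponse>"""


def local(tag):
    """Strip the XML namespace so matching does not depend on it."""
    return tag.rsplit("}", 1)[-1]


def non_owner_allows(response_xml):
    """Map (grantee_type, grantee_id) -> Allow capabilities for non-owners."""
    root = ET.fromstring(response_xml)
    owner = next((e for e in root.iter() if local(e.tag) == "owner"), None)
    if owner is None:
        raise ValueError("no owner element in response; cannot audit")
    leaks = {}
    for gc in (e for e in root.iter() if local(e.tag) == "granteeCapabilities"):
        grantee = next((c for c in gc if local(c.tag) in ("user", "group")), None)
        if grantee is None:
            continue
        key = (local(grantee.tag), grantee.get("id"))
        if key == ("user", owner.get("id")):
            continue  # the Content Owner is expected to have access
        allowed = [c.get("name") for c in gc.iter()
                   if local(c.tag) == "capability" and c.get("mode") == "Allow"]
        if allowed:  # Deny-only rules do not expose the workbook
            leaks[key] = allowed
    return leaks
```

An empty result means no explicit rule exposes the workbook to another user or group; it does not account for administrators, who can see all content regardless of these rules.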

Publishing a New Copy instead of Save As

Another solution using the REST API sets up a different workflow, where users cannot Save As or even Web Edit from the original / template copies of workbooks. Instead, you allow the user through your application to Make a Copy with a name (possibly even specifying location, and who else could see it). Then you use the REST API to do the following steps:

  1. Download the selected Workbook from the Server
  2. Republish the Workbook to the specified location
  3. Set the content permissions
  4. Set the Content Owner to the user

At this point, you could then load the new Workbook in Web Edit mode. The advantage of this method is that the user is never presented with the workbook when the permissions are not exclusive to them. The disadvantage is that you must always use Published Data Sources, because the REST API cannot bring down credentials with the workbook when it is downloaded.
