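Manage Permissions for External Assets
- Version: 2022.1 and later
Tableau Online and Tableau Server provide a space for accessing and managing published content. When Tableau Online or Tableau Server is licensed with the Data Management Add-on, you have access to Tableau Catalog. Tableau Catalog adds a complementary space and a set of features across your site to track and manage the metadata and lineage of external assets used by the content published to your site.
Tableau Catalog indexes content and assets
Catalog discovers, tracks, and stores metadata from the content that you publish to Tableau Online or Tableau Server.
Catalog indexes metadata for the following:
- Tableau content: workbooks, data sources, flows, projects, metrics, users, and sites
- External assets: databases and tables associated with Tableau content
Catalog classifies the metadata of any data that comes from outside the Tableau environment as external assets. Data that comes from outside the Tableau environment is stored in many different formats, such as a database server or a local .json file.
Catalog tracks only the metadata of the external data and does not track the underlying data in any form (raw or aggregated).
Catalog metadata includes the following:
- Lineage information, or the relationships between items. For example, the Sales table has a relationship with both the Superstore data source and the Superstore Sample workbook.
- Schema information. Some examples include:
  - Table names, column names, and column types. For example, Table A contains Columns A, B, and C, which are types INT, VARCHAR, and VARCHAR.
  - Database name and server location. For example, Database_1 is a SQL Server database at http://example.net.
  - Data source name, and the names and types of the fields the data source contains. For example, the Superstore data source has fields AA, BB, and CC. Field CC is a calculated field that refers to both field AA and field BB.
- Information curated, added, or managed by users. For example, item descriptions, certifications, user contacts, data quality warnings, and more.
How does Tableau Catalog work?
Tableau Catalog indexes all content published to Tableau Online or Tableau Server to track lineage and schema metadata. For example, the metadata comes from workbooks, packaged workbooks, data sources, and the Tableau Server or Tableau Online repository.
As part of the indexing process, lineage and schema metadata about the external assets (databases and tables) used by the published content are also indexed.
Note: In addition to accessing Catalog from Tableau Online or Tableau Server, indexed metadata can also be accessed from the Tableau Metadata API and the Tableau Server REST API. For more information about the Tableau Metadata API or the metadata methods in the REST API, see Tableau Metadata API and Metadata Methods in the Tableau Server REST API.
Permissions on metadata
Permissions control who is allowed to see and manage external assets and what metadata is shown through lineage (for both Tableau content and external assets).
Note: If Tableau Online or Tableau Server is not licensed with the Data Management Add-on, then by default only admins can see database and table metadata through the Tableau Metadata API. This default can be changed to use "derived permissions," as described below.
Access metadata
The permissions used to access metadata through Catalog (or the Metadata API) work similarly to permissions for accessing content through Tableau Online or Tableau Server, with some additional considerations for sensitive data that can be exposed through lineage and for the capabilities granted on external assets.
Permissions on Tableau content
Catalog follows the view and manage capabilities that are already used by existing Tableau content to control the metadata that you can see and manage on Tableau content. For more general information about these capabilities, see Permissions.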
Permissions on external assets using derived permissions
When Tableau Online or Tableau Server is licensed with the Data Management Add-on, by default Catalog uses derived permissions to automatically grant you capabilities to external assets in the following scenarios:
For View capability:
- If you are the owner of a workbook, data source, or flow, you can see the database and table metadata used directly by that workbook, data source, or flow. See Additional notes about lineage.
- If you are a project owner or project leader, you can see all the database and table metadata used by the content published to your project.
- Embedded files use the permissions of the source (such as the workbook, data source, or flow), rather than the derived permissions of the external asset (the database or table). For example, if you can see the workbook with an embedded file, you can see the embedded file and its metadata used by that workbook.
For both Overwrite and Set Permissions capabilities:
- If you are the owner of a flow, you can edit and manage permissions for the database and table metadata used by the flow output.
Note: For the flow cases above, the capabilities apply only after there has been at least one successful flow run under the current owner of the flow.
Check permissions
As an admin or someone who has been given the capability to set permissions for an asset, you can validate who has derived permissions by following the steps below.
1. Sign in to Tableau Online or Tableau Server.
2. From the left navigation pane, click External Assets.
3. From the drop-down menu, select Databases and Files or Tables.
   Note: Local files, like .json or .csv files, are grouped as external assets under Databases.
4. Select the check box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.
5. In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.
6. Validate the permissions by clicking a group name or user name in the permission rules to see the effective permissions below.
Order of precedence in which Tableau evaluates derived permissions for external assets
When derived permissions are configured for your Tableau Online site or Tableau Server, each user's level of access to external assets depends on the associated Tableau content and the order of precedence of rules Tableau uses for its content.
Tableau follows the rules below, continuing on to the next rule only if the current rule evaluates to "denied." If any rule evaluates to "allowed," the capability is allowed and Tableau stops evaluating. This list of rules is based on the rules described in Permissions.
For View capability:
1. Admin role
2. License
3. Project leader (Tableau content)
4. Project owner (Tableau content)
5. Content owner (Tableau content)
6. Derived permissions (applies only to external assets and the View capability)
   1. Admin role
   2. License
   3. Project leader (external assets)
   4. Project owner (external assets)
   5. Content owner (external assets)
7. Explicit permissions
For Overwrite and Set Permissions capabilities:
1. Admin role
2. License
3. Project leader (Tableau content)
4. Project owner (Tableau content)
5. Content owner (Tableau content)
6. Explicit permissions (Tableau content)
7. Derived permissions (applies only to external assets and the Overwrite and Set Permissions capabilities for flow outputs)
   1. Admin role
   2. License
   3. Project leader (external assets)
   4. Project owner (external assets)
   5. Content owner (external assets)
As an admin, you can turn off the derived permissions default setting for a site in favor of manually granting explicit permissions to databases and tables.
1. Sign in to Tableau Online or Tableau Server as an admin.
2. From the left navigation pane, click Settings.
3. On the General tab, under Automatic Access to Metadata about Databases and Tables, clear the Automatically grant authorized users access to metadata about databases and tables check box.
Note: Data quality warning messages on databases and tables that are visible to users through derived permissions remain visible to those users even when the check box is not selected.
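The following Python sketch is an added example, not Tableau code: it models the order of precedence listed above as "the first rule that evaluates to allowed decides" and reports which users hold a capability only through a derived rule, which is worth knowing before clearing the check box. The rule keys, the sample users, and the assumption that turning the setting off simply skips the derived rules are illustrative.

```python
# Simplified model of the precedence lists on this page (not Tableau's code).
# Rule keys are hypothetical labels for the list entries.
CONTENT = ["admin_role", "license", "project_leader:content",
           "project_owner:content", "content_owner:content"]
DERIVED = ["admin_role", "license", "project_leader:external",
           "project_owner:external", "content_owner:external"]

def rule_order(capability, derived_enabled=True):
    """Return (stage, rule) pairs in the order listed for the capability."""
    base = [("content", r) for r in CONTENT]
    # Assumption: with the site setting cleared, the derived rules are skipped.
    derived = [("derived", r) for r in DERIVED] if derived_enabled else []
    if capability == "view":
        return base + derived + [("explicit", "explicit")]
    if capability in ("overwrite", "set_permissions"):
        # The flow-output restriction on these derived rules is not modelled.
        return base + [("explicit", "explicit:content")] + derived
    raise ValueError(f"unknown capability: {capability}")

def evaluate(capability, allowed_rules, derived_enabled=True):
    """Walk the rules in order; the first one that is allowed decides."""
    for stage, rule in rule_order(capability, derived_enabled):
        if rule in allowed_rules:
            return (True, stage, rule)
    return (False, None, None)  # every rule evaluated to denied

def loses_access_without_derived(capability, users):
    """Users who are allowed today only because a derived rule matched."""
    lost = []
    for name, allowed_rules in users.items():
        allowed, _, rule = evaluate(capability, allowed_rules, True)
        if allowed and not evaluate(capability, allowed_rules, False)[0]:
            lost.append((name, rule))
    return lost

# Constructed sample: the rules that evaluate to "allowed" for each user.
USERS = {
    "ana": {"admin_role"},
    "ben": {"content_owner:external"},   # e.g. owns a workbook that uses the table
    "caro": {"project_leader:external", "explicit"},  # also has an explicit rule
    "dev": set(),
}

if __name__ == "__main__":
    for user, rules in USERS.items():
        print(user, evaluate("view", rules))
    print("lose View:", loses_access_without_derived("view", USERS))
```

In the sample, only the user whose access rests solely on a derived rule would need an explicit View rule on the database or table after the setting is turned off.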
Set permissions on individual external assets
In order to grant additional users permissions to view, edit (overwrite), and manage external assets, an admin can grant those capabilities explicitly on individual databases or tables for users or groups.
Database permissions act as a permissions template
Database permissions function like Permissions. In other words, when permissions are set at the database level, those permissions can serve as a template for any newly discovered and indexed child tables of that database. Furthermore, database permissions can also be locked so that the child tables will always use the permissions set at the database level.
Granting permission at the database level can help create a scalable process for enabling permissions to tables.
Summary of permissions capabilities
The following table shows the capabilities you can set for external assets (databases and tables):
Capability | Description | Template |
---|---|---|
View | See the database or table asset. | View |
Overwrite | Add or edit data quality warnings and descriptions of the database or table asset. Prior to version 2020.1, the Overwrite capability was called Save. | Publish |
Set Permissions | Grant or deny permissions for the database or table asset. | Administer |
Set permissions on a database or table
To set permissions on databases or tables, use the following procedure.
1. Sign in to Tableau Online or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
2. From the left navigation pane, click External Assets.
3. From the drop-down menu, select Databases and Files or Tables.
   Note: Local files, like .json or .csv files, are grouped as external assets under Databases.
4. Select the check box next to the database or table whose permissions you want to modify, and then select Actions > Permissions.
5. In the Permissions dialog box, click + Add Group/User Rule and start typing to search for a group or user.
6. Select a permission role template to apply an initial set of capabilities for the group or user, and then click Save. Available templates are: View, Publish, Administer, None, and Denied.
7. To further customize the rule, click a capability in the rule to set it to Allowed or Denied, or leave it unspecified. Click Save when you are done.
8. Configure any additional rules you want for other groups or users.
9. Validate the permissions by clicking a group name or user name in the permission rules to see the effective permissions below.
Lock permissions to the database
To lock (or unlock) permissions to the database, use the following procedure.
1. Sign in to Tableau Online or Tableau Server as an admin or someone who has been granted the "Set Permissions" capability.
2. From the left navigation pane, click External Assets. By default, the External Assets page shows a list of databases and files.
3. Select the check box next to the database whose permissions you want to lock, select Actions > Permissions, and then click the Table Permissions Edit link.
4. In the Table Permissions in Database dialog box, select Locked and click Save.
5. To unlock permissions, click Edit again, and select Customized.
Access lineage information
Catalog (and the Metadata API) can expose relationship and dependencies metadata, also referred to as lineage, among the content and assets on Tableau Online or Tableau Server. Lineage can show three primary things:
- How items relate to each other, either directly or indirectly
- How many of those items relate to each other
- With the appropriate permissions, shows sensitive data about items in the lineage
In some cases, lineage can contain sensitive data, such as data quality warning messages, content or asset names, or related items and metadata.
By default, complete lineage information displays for all users while its sensitive data is blocked from specific users who don’t have the appropriate View capabilities. The concept of blocking sensitive data is called obfuscation.
Obfuscation allows all metadata in the lineage to be visible while keeping its sensitive data blocked from specific users who don’t have the appropriate View capabilities. This default enables workflows that rely on a complete impact analysis.
If obfuscating sensitive data in the lineage is not enough for your organization, certain parts of the lineage, including its sensitive data, can be filtered.
Filtering omits certain parts of the lineage (and lineage-related areas like data details) for specific users who don't have the appropriate View capabilities to its sensitive data. Because filtering omits parts of lineage, it prevents workflows that rely on a complete impact analysis.
To change how sensitive data is handled, do the following:
1. Sign in to Tableau Online or Tableau Server as an admin.
2. From the left navigation pane, click Settings.
3. On the General tab, under Sensitive Lineage Information, select the radio button that best handles lineage information for all users on your Tableau Online site or Tableau Server.
Additional notes about lineage
If you have the View capability on related assets, you can see when and what assets and content are related to each other, and their sensitive metadata.
For example, you can see 1) the names, data quality warnings, and total number of related upstream databases and tables and 2) the combined number of sheets (visible and hidden) in the lineage of the downstream workbook of the asset you are evaluating.
If you don't have the View capability on related assets, you can always see when assets relate to each other.
For example, you can see 1) whether related upstream databases and tables exist in the lineage and 2) the total number of databases or total number of tables that are related to the asset you are evaluating.
However, you can't see the metadata associated with those assets when you don't have the View capability for them. When metadata is blocked because of limited permissions, or the asset is in a Personal Space, you see Permissions Required.
If you don't have the View capability on related assets, you can always see whether the assets are certified.
However, if you don't have the View capability, you can't see the sensitive information related to the certification, like the names of the related databases and tables. When metadata is blocked because of limited permissions, or the asset is in a Personal Space, you see Permissions Required.
For more information about lineage see Use Lineage for Impact Analysis.
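As an added example (not Tableau code), the Python sketch below contrasts the two settings for one viewer: obfuscation keeps every related item, its type, and its certification status visible and blocks only the sensitive fields, while filtering drops the item and changes the counts. The record layout, field names, and sample assets are constructed for illustration.

```python
# Obfuscation versus filtering of lineage for a single viewer.
# Field names and records are hypothetical, not Tableau's schema.
SENSITIVE = ("name", "quality_warning")
BLOCKED = "Permissions Required"

# Constructed sample: upstream assets in the lineage of one data source.
UPSTREAM = [
    {"id": "db1", "type": "database", "name": "Database_1",
     "quality_warning": None, "certified": True},
    {"id": "t1", "type": "table", "name": "Sales",
     "quality_warning": "Stale data", "certified": False},
    {"id": "t2", "type": "table", "name": "Payroll",
     "quality_warning": "Deprecated", "certified": True},
]

def render_lineage(items, viewable_ids, mode="obfuscate"):
    """Return the lineage as seen by a user with View on `viewable_ids`."""
    if mode not in ("obfuscate", "filter"):
        raise ValueError(f"unknown mode: {mode}")
    shown = []
    for item in items:
        if item["id"] in viewable_ids:
            shown.append(dict(item))          # full metadata
        elif mode == "obfuscate":
            # Existence, type and certification stay visible;
            # the sensitive fields are replaced by the blocked marker.
            masked = dict(item)
            for field in SENSITIVE:
                masked[field] = BLOCKED
            shown.append(masked)
        # mode == "filter": the item is left out of the lineage entirely
    return shown

def counts(shown):
    """Totals per asset type, as the viewer would count them."""
    totals = {}
    for item in shown:
        totals[item["type"]] = totals.get(item["type"], 0) + 1
    return totals

if __name__ == "__main__":
    can_view = {"db1", "t1"}                  # no View on the Payroll table
    for mode in ("obfuscate", "filter"):
        seen = render_lineage(UPSTREAM, can_view, mode)
        print(mode, counts(seen), [i["name"] for i in seen])
```

With obfuscation the viewer still learns that a second, certified table exists upstream; with filtering the table count drops to one, so an impact analysis based on that view is incomplete.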
Additional notes about tags discoverable through lineage data
In addition to Tableau content, external assets can also be tagged. Although tags are always visible, tagged items that you see through lineage data can either be obfuscated (default) or filtered as described earlier in this topic.
When tagged items are obfuscated:
- If you have the View capability for tagged items, you can see the tagged items and related tagged items, and all metadata.
- If you don’t have the View capability for tagged items:
  - You can see the type of tagged and related tagged items but you can't see sensitive metadata about the items. For example, suppose you use a tag filter to see items with the tag “Noteworthy.” Although you can see that there are database items tagged with "Noteworthy," you can’t see the names of the tagged databases.
  - You can see how many related tagged items there are. For example, suppose you do a tag query on “Noteworthy.” Your query returns five tagged databases.
When tagged items are filtered, the tagged and related tagged items you see are limited to only the items that you have the View capability for.
For more information about tags, see Tagged Items in the Tableau User Help.
Potential mismatch between asset results and content results
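When Catalog shows lineage information, it provides information between content and assets. Catalog lineage always shows the true count or result of associated items. However, elsewhere in Tableau Online or Tableau Server, you might see fewer items. One reason for this is your View capabilities. Outside of Catalog, or elsewhere in Tableau Online or Tableau Server, you see a filtered count or result of the content that you have access to, according to your content permissions.
For example, suppose you are looking at the Superstore data source. The lineage for the Superstore data source can show how many upstream underlying tables the data source connects to and how many downstream workbooks rely on the data source. However, because you might not have the View capability on all of those downstream workbooks, the total number of related workbooks shown in the Catalog lineage information might differ from the total number of workbooks shown on the Connected Workbooks tab.
There might be other reasons, unrelated to permissions, why you see a mismatch between asset counts and content counts. For more information, see Use Lineage for Impact Analysis.
Who can do this
The following information summarizes the types of users who can do the tasks described in this topic.
- Tableau Online site or Tableau Server admin
- User with a Creator or Explorer license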