Hi datafam!
I'm working on permissions monitoring using the Tableau Server Repository (PostgreSQL) database. I found my way through the maze, but there's one thing I'm stuck on:
Where in the repository tables are project-level object permissions stored?
This:
- Project-level permissions are in next_gen_permissions (authorizable_type = Project)
- Object-level permissions are there too (authorizable_type = Workbook)
But these permissions as shown in the screenshot just don't show up. Not for the project or for content in the project. And without them, I cannot go through the full process of evaluating effective permissions.
Am I missing something? Or is this part overlooked in the repository database development?
An example to clarify:
I published a workbook to a project. I gave workbook permissions on a project level:
- project ID P0007
- workbook ID W0045
- project permissions are set to customizable
- User Creator Two = User ID U008
This results in the following permissions for the user as shown in the repository:
Great! Exactly what I need. The permission given at the project is translated into a permission for the object. But that's because the project permissions are set to customizable, which will push project permissions to objects.
So next I tested the same thing on a locked project. I copied the workbook there and set the exact same workbook permissions (project ID P0003, workbook ID W0048):
(purely looking at Creator Two here - last row)
This time, no permissions are stored for the workbook W0048, and at the project level only the project permissions are stored, not the workbook permissions:
And that's a problem, because the effective permission for Creator Two is that they can perform certain actions on the workbook. But that's not stored anywhere in the repository.