Tableau Admin

Login
Insights Home Tableau Admin Home

Understanding Access in the Tableau Metadata API

Overview

Purpose: Learn how to harness the Metadata API to explore and manage metadata in your Tableau environment.

Scope:

  • Getting Started: Understand prerequisites for both Tableau Cloud and Tableau Server.
  • Querying: Dive into constructing GraphQL queries and exploring the metadata schema.
  • Permissions: Clarify who can access what, including licensing nuances and View capabilities.

Key Takeaways:

  • Visibility into both Tableau content and external assets.
  • Differences between Tableau Cloud (always enabled) and Tableau Server (requires manual enablement).
  • How permissions and derived permissions shape metadata visibility.

Getting Started – Prerequisites

For Tableau Cloud:

  • Authentication: An authentication token is required (same process as Tableau REST API).
  • API Availability: The Metadata API is always enabled; no manual activation needed.

For Tableau Server:

  • Version Requirement: Must be running Tableau Server 2019.3 or later.
  • REST API Requirement: The Tableau REST API must be active as it shares the authentication mechanism with the Metadata API.
  • Enabling the API:
    • A server admin must enable the Metadata API using the Tableau Services Manager (TSM) CLI command:
    • tsm maintenance metadata-services enable
    • Note: This method applies to Tableau Server as there is no equivalent settings-based alternative.
  • Initial Ingestion: Running the TSM command triggers an initial metadata ingestion process, indexing your content.

Who Can Query the Metadata API

Access Fundamentals:

  • Authorized Users: Any user with valid credentials on your Tableau Cloud or (enabled) Tableau Server instance can run queries.

Licensing Impact:

  • With Data Management: You can view both Tableau content and related external assets. External assets that you have explicit permissions for (or those granted via derived permissions) are fully visible.
  • Without Data Management: Access is limited to Tableau content only. If “derived permissions” is enabled, some related external assets may be visible, but editing or management is not available.

Content Ownership & Viewing Permissions:

  • Non-admin Users: Typically, visibility is restricted to content you own or that has been explicitly shared with you. Without ownership or proper permissions, the Metadata API may not return full details.
  • Admins: Administrators have broader access across all content on the server.

Implication: Ensure your account has the necessary permissions or content ownership to view the metadata you need.

Permissions Overview & View Capabilities

Permissions Basics:

  • View Capabilities: Permissions determine which metadata elements you can see. If you lack the necessary View rights, sensitive details are obfuscated.
  • Filter Mode: When enabled in your query, only the metadata you have permission to view is returned, omitting sensitive details completely.

Management Capabilities:

  • With Data Management: You can edit metadata and manage permissions for external assets if granted explicit rights.
  • Without Data Management: Editing or permission management for external assets is not supported.

Key Considerations:

  • Permissions for Tableau content (workbooks, data sources, etc.) follow the same rules as within the Tableau UI.
  • The same View capability mechanism controls metadata visibility via the API.

Deep Dive – Permissions on External Assets

Understanding External Assets:

  • Definition: External assets include databases, tables, and other data sources connected to your Tableau content. Their metadata (e.g., schema, lineage, descriptions) is available via the Metadata API.

Metadata Exposure:

  • Lineage: Understand relationships between assets (e.g., how a Sales table is used across data sources).
  • Schema Details: View table names, column names, types, and more. For example, a database may include detailed column data types.
  • User-Curated Information: Asset descriptions, certifications, and data quality warnings provide additional context.

Derived Permissions:

  • Automatic Granting: For sites licensed with Data Management, derived permissions automatically grant View access to external assets.
  • Manual Adjustments: In Tableau Server without Data Management, administrators may enable derived permissions manually.
  • Editing Rights: When you own a flow (and derived permissions are enabled), you may have Overwrite and Set Permissions capabilities on external assets after a successful flow run.

Clarification on API Enablement:

  • Tableau Server: The Metadata API is enabled via the TSM command (tsm maintenance metadata-services enable) since no settings-based alternative exists.
  • Tableau Cloud: The Metadata API is always enabled, so no manual configuration is required.