Tableau Server – Permissions

March 12, 2019

In Tableau Server v2018.2.3, all data asset permissions are found in the next_gen_permissions table. A few quirks lurk inside this table, by none appear to adversely affect permission query results. Below is a set of PostgreSQL queries which can be used narrowly to identify which Tableau users have View permissions to Tableau data assets.

Study data asset user/group permissions

The next_gen_permissions table contains permissions info for Project, Workbook, Data Source and View data assets. As a general rule, this table will contain all Project permissions. It will only contain Workbook and Data Source asset permissions where Project permissions are UNLOCKED, and it will only contain View permissions where Workbook permissions are UNLOCKED. There are exceptions. For example, the table can contain a small set of data assets that are LOCKED at the Project level, and it can contain assets that have been deleted.

The authorizable_id’s column represents the id’s of each Project, Workbook, Data Source and View table. These id’s can overlap, so use the authorizable_type field to distinguish between the assets.

------------------------------------------------------------
-- Find asset permissions in next_gen_permissions 
------------------------------------------------------------
SELECT DISTINCT
	ngp.authorizable_id
FROM 
	public.next_gen_permissions ngp
WHERE
--	ngp.authorizable_type LIKE 'Datasource'
--	ngp.authorizable_type LIKE 'Project'
--	ngp.authorizable_type LIKE 'Workbook'
--	ngp.authorizable_type LIKE 'View'
ORDER BY
	ngp.authorizable_id
;

Quicklinks:

Projects

next_gen_permissions shows all Project permissions, locked or unlocked, parent Project or child Project. It does NOT show Projects totally lacking permission assignments.

Useful queries

------------------------------------------------------------
-- 1. Show all Projects
------------------------------------------------------------
SELECT
	p.id
	,p.name
FROM 
	public.projects p
ORDER BY 
	p.id
;

------------------------------------------------------------
-- 2. Projects found in next_gen_permissions
------------------------------------------------------------
SELECT DISTINCT
	ngp.authorizable_id
	,ngp.authorizable_type
FROM 
	public.next_gen_permissions ngp
WHERE
	ngp.authorizable_type LIKE 'Project'
ORDER BY
	ngp.authorizable_id
;

------------------------------------------------------------
-- 3. Projects missing from next_gen_permissions - note: these
-- don't show any permissions in the UI either
------------------------------------------------------------
SELECT
    p.id
    ,p.name
    ,ngp.authorizable_id
FROM 
    public.projects p
LEFT OUTER JOIN
    public.next_gen_permissions ngp ON ngp.authorizable_id = p.id
WHERE
    ngp.authorizable_id IS NULL
ORDER BY 
    p.id
;

Workbooks

The next_gen_permissions table shows only Workbook assets from unlocked Projects. These Workbook assets typically have different permission assignments than the Project(s) they belong to.

Some of these Workbooks might belong to locked Projects, and a few of these Workbooks might be missing from the workbooks table.

Workbooks missing from the next_gen_permissions table typically have no direct permission assignments, because they belong to locked Projects. Permissions for these Workbooks can be gleaned from the Project(s) they belong to in next_gen_permissions.

Some Workbooks belonging to unlocked Projects may have no direct permission assignments. Permissions for these Workbooks can also be gleaned from the Project(s) they belong to in next_gen_permissions.

Useful queries

Show the set of Workbooks found in the workbooks table.

------------------------------------------------------------
-- 1. Show all Workbooks
------------------------------------------------------------
SELECT
	wb.id
	,wb.name
FROM
	public.workbooks wb
ORDER BY
	wb.id
;

Show the set of Workbooks found inside the next_gen_permissions table. Again, most of these will belong to UNLOCKED Projects. But a handful may belong to LOCKED Projects, and some may no longer exist in the workbooks table.

------------------------------------------------------------
-- 2. Show only the Workbooks found in next_gen_permissions 
-- that have direct permissions assignments
------------------------------------------------------------
SELECT DISTINCT
	ngp.authorizable_id
	,ngp.authorizable_type
FROM 
	public.next_gen_permissions ngp
WHERE
	ngp.authorizable_type LIKE 'Workbook'
ORDER BY
	ngp.authorizable_id
;

------------------------------------------------------------
-- Validate the total
------------------------------------------------------------
-- 2a. Set of Workbooks in LOCKED Projects
------------------------------------------------------------
SELECT DISTINCT
	wb.id AS id
	,wb.name
FROM 
	public.workbooks wb
JOIN
	public.projects p ON p.id = wb.project_id
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = wb.id
WHERE
	ngp.authorizable_id IS NOT NULL
	AND
	p.controlled_permissions_enabled = TRUE
	AND
	ngp.authorizable_type LIKE 'Workbook'

UNION

-- 2b. Set of Workbooks in UNLOCKED Projects
------------------------------------------------------------
SELECT DISTINCT
	wb.id AS id
	,wb.name
FROM 
	public.workbooks wb
JOIN
	public.projects p ON p.id = wb.project_id
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = wb.id
WHERE
	ngp.authorizable_id IS NOT NULL
	AND
	p.controlled_permissions_enabled = FALSE
	AND
	ngp.authorizable_type LIKE 'Workbook'
	
EXCEPT 

-- 2c. Find the correct the total of Workbooks found in next_gen_permissions 
-- by subtracting the Workbooks missing from the workbooks table
SELECT DISTINCT
	ngp.authorizable_id AS id
	,ngp.authorizable_type
FROM 
	public.workbooks wb
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = wb.id
WHERE
	wb.id IS NULL
	AND
	ngp.authorizable_type LIKE 'Workbook'

ORDER BY
	id

Show the set of Workbooks missing from next_gen_permissions that need to inherit permissions from the Project they belong to. Note, permissions for these Projects can be both LOCKED or UNLOCKED.

------------------------------------------------------------
-- 3. Show only the Workbooks missing from next_gen_permissions
-- that inherit permissions from Projects
------------------------------------------------------------
SELECT DISTINCT
	wb.id
FROM 
	public.workbooks wb

EXCEPT

SELECT DISTINCT
	ngp.authorizable_id
FROM 
	public.next_gen_permissions ngp
WHERE
	ngp.authorizable_type LIKE 'Workbook'

------------------------------------------------------------
-- Validate the total
------------------------------------------------------------
-- 3a. Set of Workbooks missing from ngp that belong to LOCKED p
------------------------------------------------------------
SELECT DISTINCT
	wb.id AS id
	,wb.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.workbooks wb ON wb.id = ngp.authorizable_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	wb.id IS NOT NULL
	AND
	ngp.authorizable_id IS Null
	AND
	p.controlled_permissions_enabled = TRUE

UNION

-- 3b Workbooks missing from ngp that belong to UNLOCKED p
------------------------------------------------------------
SELECT DISTINCT
	wb.id AS id
	,wb.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.workbooks wb ON wb.id = ngp.authorizable_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	wb.id IS NOT NULL
	AND
	ngp.authorizable_id IS Null
	AND
	p.controlled_permissions_enabled = FALSE

UNION

-- 3c. Workbooks found in ngp belonging to LOCKED p
------------------------------------------------------------
SELECT DISTINCT
	wb.id AS id
	,wb.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.workbooks wb ON wb.id = ngp.authorizable_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	wb.id IS NOT NULL
	AND
	ngp.authorizable_id IS NOT Null
	AND
	ngp.authorizable_type NOT LIKE 'View'
	AND
	p.controlled_permissions_enabled = TRUE

UNION

-- 3d. Set of Workbooks found in ngp belonging to UNLOCKED p
------------------------------------------------------------
SELECT DISTINCT
	wb.id AS id
	,wb.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.workbooks wb ON wb.id = ngp.authorizable_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	wb.id IS NOT NULL
	AND
	ngp.authorizable_id IS NOT Null
	AND
	ngp.authorizable_type NOT LIKE 'View'
	AND
	p.controlled_permissions_enabled = FALSE

ORDER BY
	id

App-specific queries

Show Tableau Groups Permitting All Users

Show a comma delimited string of organization-wide groups that have at least read access to the Workbook, like the ALL_USERS or ALL_INTERNAL_USERS groups (group_id‘s 2 and 558 respectively from the groups table). Add all Workbooks with permissions found in next_gen_permissions to the set of Workbooks inheriting from Projects. Exclude some Projects and Workbooks from the results.

Tips
  • Some workbooks contain both of these groups, so a WHERE clause that tries to filter them with an OR clause will be inaccurate. Instead, return DISTINCT results with a GROUP BY on the workbook key.
  • To display the group names as a single value in each result, aggregate them into a single string (or array) of delimited values. As these values can have duplicates, return only DISTINCT items to the aggregation.
------------------------------------------------------------
-- What Workbooks do "All User" type groups have access to?
------------------------------------------------------------
-- 1. Get Workbook permissions from Project
------------------------------------------------------------
SELECT DISTINCT
	wbid AS id
	,STRING_AGG(DISTINCT grp.name, ',') AS permitted_group_all	
FROM 
(
	-- set of Workbooks that can inherit permissions from Project
	SELECT DISTINCT
		wb.id AS wbid
		,p.id AS pid
	FROM 
	(
		-- subset of workbooks missing from ngp
		SELECT DISTINCT
			wb.id AS wbid
		FROM 
			public.workbooks wb
		EXCEPT
		SELECT DISTINCT
			ngp.authorizable_id AS vid
		FROM 
			public.next_gen_permissions ngp
		WHERE
			ngp.authorizable_type LIKE 'Workbook'
	) subset1
	JOIN
		public.workbooks wb ON wb.id = subset1.wbid
	JOIN
		public.projects p ON p.id = wb.project_id
)	subset2
JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.pid
LEFT JOIN
	public.groups grp ON grp.id = ngp.grantee_id
WHERE
	ngp.authorizable_type LIKE 'Project'
	AND
	ngp.grantee_id IN (2,558)
	AND
	pid NOT IN (1,28,115,121,122,123,132,136,140,171,172,176,187,644,699)
	AND
	wbid NOT IN (39131,39361)
GROUP BY
	wbid
	
UNION

-- 2. Get Workbook permissions from next_gen_permissions
------------------------------------------------------------
SELECT DISTINCT
	ngp.authorizable_id AS id
 	,STRING_AGG(DISTINCT grp.name, ',') AS permitted_group_all	
FROM
	public.next_gen_permissions ngp
LEFT JOIN
	public.workbooks wb ON wb.id = ngp.authorizable_id
LEFT JOIN
	public.projects p ON p.id = wb.project_id
LEFT JOIN
	public.groups grp ON ngp.grantee_id  = grp.id
WHERE
	wb.id IS NOT NULL
	AND
	ngp.authorizable_type LIKE 'Workbook'
	AND
	authorizable_id IS NOT NULL
	AND
	ngp.grantee_id IN (2,558)
	AND
	p.id NOT IN (1,28,115,121,122,123,132,136,140,171,172,176,187,644,699)
	AND
	wb.id NOT IN (39131,39361)
GROUP BY
	ngp.authorizable_id

ORDER BY
	id
;

------------------------------------------------------------
-- NOTE: To confirm the above counts match the total 
-- number of Workbooks from the views table, just comment
-- out the STRING_AGG, ngp.grantee_id and GROUP BY
-- elements
------------------------------------------------------------
Show Permitted Group User Names

Return a a comma delimited string of unique user names that inherit permissions from a Group with at least read access to the Workbook by adding the set Workbooks with permissions found in next_gen_permissions to the set of Workbooks inheriting from Projects.

------------------------------------------------------------
-- What Workbooks do Users in Groups have read access to?
------------------------------------------------------------
-- 1. Get Workbook permissions from Project
------------------------------------------------------------
SELECT DISTINCT
    wbid AS id
    ,STRING_AGG(DISTINCT su.name, ',') AS permitted_group_user_name    
FROM 
(
    -- set of Workbooks inheriting permissions from Projects
    SELECT DISTINCT
        wb.id AS wbid
        ,p.id AS pid
    FROM 
    (
        -- subset of workbooks missing from ngp
        SELECT DISTINCT
            wb.id AS wbid
        FROM 
            public.workbooks wb
        EXCEPT
        SELECT DISTINCT
            ngp.authorizable_id AS wbid
        FROM 
            public.next_gen_permissions ngp
        WHERE
            ngp.authorizable_type LIKE 'Workbook'
    )    subset1
    JOIN
        public.workbooks wb ON wb.id = subset1.wbid
    JOIN
        public.projects p ON p.id = wb.project_id
)    subset2
LEFT JOIN
    public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.pid
LEFT JOIN
    public.groups g ON g.id = ngp.grantee_id
LEFT JOIN
    public.group_users gu ON gu.group_id = g.id
LEFT JOIN
    public.users u ON u.id = gu.user_id
LEFT JOIN
    public.system_users su ON su.id = u.system_user_id
WHERE
    wbid IS NOT NULL
    AND
    ngp.capability_id = 1
	AND
	ngp.permission NOT IN (2,4)
    AND 
    g.name NOT LIKE 'role%'
    AND
    ngp.grantee_id NOT IN (2,558)
    AND
    su.name IS NOT NULL
    AND
    pid NOT IN (1,28,115,121,122,123,132,136,140,171,172,176,187,644,699)
    AND
    wbid NOT IN (39131,39361)
GROUP BY
    wbid
    
UNION
-- 2. Get Workbook permissions from next_gen_permissions
------------------------------------------------------------
SELECT DISTINCT
    ngp.authorizable_id AS id
    ,STRING_AGG(DISTINCT su.name, ',') AS permitted_group_user_name
FROM 
    public.next_gen_permissions ngp
JOIN
    public.workbooks wb ON wb.id = ngp.authorizable_id
LEFT JOIN
    public.projects p ON p.id = wb.project_id
LEFT JOIN
    public.groups g ON g.id = ngp.grantee_id
LEFT JOIN
    public.group_users gu ON gu.group_id = g.id
LEFT JOIN
    public.users u ON u.id = gu.user_id
LEFT JOIN
    public.system_users su ON su.id = u.system_user_id
WHERE
    wb.id IS NOT NULL
    AND
    ngp.authorizable_type LIKE 'Workbook'
    AND
    authorizable_id IS NOT NULL
    AND
    ngp.capability_id = 1
    AND 
	ngp.permission NOT IN (2,4)
    AND 
    g.name NOT LIKE 'role%'
    AND
    ngp.grantee_id NOT IN (2,558)        
    AND
    su.name IS NOT NULL
    AND
    p.id NOT IN (1,28,115,121,122,123,132,136,140,171,172,176,187,644,699)
    AND
    wb.id NOT IN (39131,39361)
GROUP BY
    ngp.authorizable_id
ORDER BY
    id
;
------------------------------------------------------------
-- NOTE: To confirm the above counts match the total 
-- number of Workbooks from the views table, just comment
-- out the STRING_AGG, ngp.grantee_id and GROUP BY
-- elements
------------------------------------------------------------
Show Permitted User Names

Show a comma delimited string of unique user names with permissions assigned directly to the Workbook by adding the set Workbooks with permissions found in next_gen_permissions to the set of Workbooks inheriting from Projects. Exclude a few Projects and Workbooks from the set.

------------------------------------------------------------
-- What Workbooks do Users have read access to?
------------------------------------------------------------
-- 1. Get Workbook permissions from Project
------------------------------------------------------------
SELECT DISTINCT
	wbid AS id
	,STRING_AGG(DISTINCT su.name, ',') AS permitted_user_name	
FROM 
(
	-- set of Workbooks that can inherit permissions from Project
	SELECT DISTINCT
		wb.id AS wbid
		,p.id AS pid
	FROM 
	(
		-- subset of Workbooks missing from ngp
		SELECT DISTINCT
			wb.id AS wbid
		FROM 
			public.workbooks wb
		EXCEPT
		SELECT DISTINCT
			ngp.authorizable_id AS vid
		FROM 
			public.next_gen_permissions ngp
		WHERE
			ngp.authorizable_type LIKE 'Workbook'
	) subset1
	JOIN
		public.workbooks wb ON wb.id = subset1.wbid
	JOIN
		public.projects p ON p.id = wb.project_id
)	subset2
JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.pid
LEFT JOIN
	public.users u ON u.id = ngp.grantee_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
LEFT JOIN
	public.groups g ON g.id = u.system_user_id
WHERE
	ngp.authorizable_type LIKE 'Project'
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND
	su.name IS NOT NULL
	AND
	pid NOT IN (1,28,115,121,122,123,132,136,140,171,172,176,187,644,699)
	AND
	wbid NOT IN (39131,39361)
GROUP BY
	wbid
	
UNION

-- 2. Get Workbook permissions from next_gen_permissions
------------------------------------------------------------
SELECT DISTINCT
	ngp.authorizable_id AS id
	,STRING_AGG(DISTINCT su.name, ',') AS permitted_user_name	
FROM 
	public.next_gen_permissions ngp
LEFT JOIN
	public.workbooks wb ON wb.id = ngp.authorizable_id
LEFT JOIN
	public.projects p ON p.id = wb.project_id
LEFT JOIN
	public.users u ON u.id = ngp.grantee_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
WHERE
	wb.id IS NOT NULL
	AND
	ngp.authorizable_type LIKE 'Workbook'
	AND
	authorizable_id IS NOT NULL
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND
	su.name IS NOT NULL
	AND
	p.id NOT IN (1,28,115,121,122,123,132,136,140,171,172,176,187,644,699)
	AND
	wb.id NOT IN (39131,39361)
GROUP BY
	ngp.authorizable_id

ORDER BY
	id
;

------------------------------------------------------------
-- NOTE: To confirm the above counts match the total 
-- number of Workbooks from the views table, just comment
-- out the STRING_AGG, ngp.grantee_id and GROUP BY
-- elements
------------------------------------------------------------

Data Sources

------------------------------------------------------------
-- Show all Data Sources
------------------------------------------------------------
SELECT
	d.id
	,d.name
	,d.*
FROM 
	public.datasources d
ORDER BY 
	d.id
;

Views

next_gen_permissions typically shows Views that are “controlled independently” from Workbooks.

Show the set of Views found in the views table.

----------------------------------------------------------
-- 1. Show all Views
----------------------------------------------------------
SELECT
	v.id
	,v.name
FROM 
	public.views v
ORDER BY
	v.id
;

Show the set of Views found inside the next_gen_permissions table. These are typically all the “independently controlled” Views that could have unique permission assignments, and some of them may be missing from the views table, though it’s not clear why.

------------------------------------------------------------
-- 2. Show only the Views found in next_gen_permissions 
-- that have direct permissions assignments
------------------------------------------------------------
SELECT DISTINCT
	ngp.authorizable_id
	,ngp.authorizable_type
FROM 
	public.next_gen_permissions ngp
WHERE
	ngp.authorizable_type LIKE 'View'
ORDER BY
	ngp.authorizable_id
;

------------------------------------------------------------
-- Breakdown
------------------------------------------------------------
-- 2a. Set of views in UNLOCKED Workbooks / LOCKED Projects
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.views v
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = v.id
WHERE
	ngp.authorizable_id IS NOT NULL
	AND
	wb.display_tabs = FALSE
	AND
	p.controlled_permissions_enabled = TRUE
	AND
	ngp.authorizable_type LIKE 'View'

UNION

-- 2b. Set of views in LOCKED Workbooks / UNLOCKED Projects
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.views v
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = v.id
WHERE
	ngp.authorizable_id IS NOT NULL
	AND
	wb.display_tabs = TRUE
	AND
	p.controlled_permissions_enabled = FALSE
	AND
	ngp.authorizable_type LIKE 'View'

UNION

-- 2c. Set of views in LOCKED Workbooks / LOCKED Projects
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.views v
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = v.id
WHERE
	ngp.authorizable_id IS NOT NULL
	AND
	wb.display_tabs = TRUE
	AND
	p.controlled_permissions_enabled = TRUE
	AND
	ngp.authorizable_type LIKE 'View'

UNION

-- 2d. Set of views in UNLOCKED Workbooks / UNLOCKED Projects
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.views v
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = v.id
WHERE
	ngp.authorizable_id IS NOT NULL
	AND
	wb.display_tabs = FALSE
	AND
	p.controlled_permissions_enabled = FALSE
	AND
	ngp.authorizable_type LIKE 'View'
	
EXCEPT 

-- 2e. Subtract the Views found in next_gen_permissions 
-- that are missing from the views table
------------------------------------------------------------
SELECT DISTINCT
	ngp.authorizable_id AS id
	,ngp.authorizable_type
FROM 
	public.views v
FULL OUTER JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = v.id
WHERE
	v.id IS NULL
	AND
	ngp.authorizable_type LIKE 'View'

ORDER BY
	id

Show the set of Views missing from the next_gen_permissions table that will need to inherit from Workbooks and Projects.

------------------------------------------------------------
-- 3. Show only the Views missing from next_gen_permissions
-- that inherit permissions from Workbooks and Projects
------------------------------------------------------------
SELECT DISTINCT
	v.id
FROM 
	public.views v

EXCEPT

SELECT DISTINCT
	ngp.authorizable_id
FROM 
	public.next_gen_permissions ngp
WHERE
	ngp.authorizable_type LIKE 'View'

------------------------------------------------------------
-- Breakdown
------------------------------------------------------------
-- 3a. Views missing from ngp that belong to UNLOCKED wb and LOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS Null
	AND
	wb.display_tabs = FALSE
	AND
	p.controlled_permissions_enabled = TRUE

UNION

-- 3b. Views missing from ngp that belong to LOCKED wb and UNLOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS Null
	AND
	wb.display_tabs = TRUE
	AND
	p.controlled_permissions_enabled = FALSE

UNION

-- 3c. Views missing from ngp that belong to LOCKED wb and LOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS Null
	AND
	wb.display_tabs = TRUE
	AND
	p.controlled_permissions_enabled = TRUE

UNION

-- 3d. Views missing from ngp that belong to UNLOCKED wb and UNLOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS Null
	AND
	wb.display_tabs = FALSE
	AND
	p.controlled_permissions_enabled = FALSE

UNION

-- 3e. Views found in ngp that belong to UNLOCKED wb and LOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS NOT null
	AND
	ngp.authorizable_type NOT LIKE 'View'
	AND
	wb.display_tabs = FALSE
	AND
	p.controlled_permissions_enabled = TRUE

UNION

-- 3f. Views found in ngp that belong to LOCKED wb and UNLOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS NOT null
	AND
	ngp.authorizable_type NOT LIKE 'View'
	AND
	wb.display_tabs = TRUE
	AND
	p.controlled_permissions_enabled = FALSE
	
UNION

-- 3g. Views found in ngp that belong to LOCKED wb and LOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS NOT null
	AND
	ngp.authorizable_type NOT LIKE 'View'
	AND
	wb.display_tabs = TRUE
	AND
	p.controlled_permissions_enabled = TRUE

UNION

-- 3h. Views found in ngp that belong to UNLOCKED wb and UNLOCKED p
------------------------------------------------------------
SELECT DISTINCT
	v.id AS id
	,v.name
FROM 
	public.next_gen_permissions ngp
FULL OUTER JOIN
	public.views v ON v.id = ngp.authorizable_id
JOIN
	public.workbooks wb ON wb.id = v.workbook_id
JOIN
	public.projects p ON p.id = wb.project_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_id IS NOT null
	AND
	ngp.authorizable_type NOT LIKE 'View'
	AND
	wb.display_tabs = FALSE
	AND
	p.controlled_permissions_enabled = FALSE

ORDER BY
	id

App-specific queries

Show Tableau Groups Permitting All Users

Show a comma delimited string of organization-wide groups that have at least read access to the View, like the ALL_USERS or ALL_INTERNAL_USERS groups (group_id‘s 2 and 558 respectively from the groups table). Add all Views with permissions found in next_gen_permissions to the set of Views inheriting permissions from Projects and/or Workbooks. Exclude some Projects and Workbooks from the results.

Tips
  • Some workbooks contain both of these groups, so a WHERE clause that tries to filter them with an OR clause will be inaccurate. Instead, return DISTINCT results with a GROUP BY on the workbook key.
  • To display the group names as a single value in each result, aggregate them into a single string (or array) of delimited values. As these values can have duplicates, return only DISTINCT items to the aggregation.
------------------------------------------------------------
-- What Views do "All User" type groups have access to?
------------------------------------------------------------
-- 1. Get View permissions from Workbook
------------------------------------------------------------
SELECT DISTINCT
	vid AS id
	,STRING_AGG(DISTINCT grp.name, ',') AS groups_permitting_all_users
	
FROM 
(
	-- set of Views that can inherit permissions from Workbooks
	SELECT DISTINCT
		REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
		,wb.id AS wbid
	FROM 
	(
		-- subset of views missing from ngp
		SELECT DISTINCT
			v.id AS vid
		FROM 
			public.views v
		EXCEPT
		SELECT DISTINCT
			ngp.authorizable_id AS vid
		FROM 
			public.next_gen_permissions ngp
		WHERE
			ngp.authorizable_type LIKE 'View'
	)	subset1
	JOIN
		public.views v ON v.id = subset1.vid
	JOIN
		public.workbooks wb ON wb.id = v.workbook_id
) subset2
JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.wbid
LEFT JOIN
	public.groups grp ON grp.id = ngp.grantee_id
WHERE
	ngp.authorizable_type LIKE 'Workbook'
	AND
	ngp.grantee_id IN (2,558)
GROUP BY
	vid
	
UNION

-- 2. Get View permissions from Project
----------------------------------------------------------
(
SELECT DISTINCT
	vid AS id
	,STRING_AGG(DISTINCT grp.name, ',') AS groups_permitting_all_users
	
FROM 
(	
	-- 	subset of Views that inherit permissions from Project
	SELECT DISTINCT
		vid
		,pid
	FROM 
	(
		-- subset of PROJECT ids related to views
		SELECT DISTINCT
			REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
			,p.id AS pid
		FROM 
		(
			-- subset of all missing views
			SELECT DISTINCT
				v.id AS vid
			FROM 
				public.views v
			EXCEPT
			SELECT DISTINCT
				ngp.authorizable_id AS vid
			FROM 
				public.next_gen_permissions ngp
			WHERE
				ngp.authorizable_type LIKE 'View'
		) 	subset1
		JOIN
			public.views v ON v.id = subset1.vid
		JOIN
			public.workbooks wb ON wb.id = v.workbook_id
		JOIN
			public.projects p ON p.id = wb.project_id
	) 	subset2
	JOIN
		public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.pid
	LEFT JOIN
		public.groups grp ON grp.id = ngp.grantee_id
	WHERE
		ngp.authorizable_type LIKE 'Project'
	
	EXCEPT

	-- Views that could inherit permissions from Project, but
	-- will inherit from Workbooks
	SELECT DISTINCT
		vid
		,pid
	FROM 
	(
		-- subset of Views that can inherit permissions from Workbooks
		SELECT DISTINCT
			vid
			,pid
		FROM 
		(
			-- subset of WORKBOOK and PROJECT ids related to views
			SELECT DISTINCT
				REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
				,wb.id AS wbid
				,p.id AS pid
			FROM 
			(
				-- subset of workbooks missing from ngp
				SELECT DISTINCT
					v.id AS vid
				FROM 
					public.views v
				EXCEPT
				SELECT DISTINCT
					ngp.authorizable_id AS vid
				FROM 
					public.next_gen_permissions ngp
				WHERE
					ngp.authorizable_type LIKE 'View'					
			) 	subset1
			JOIN
				public.views v ON v.id = subset1.vid
			JOIN
				public.workbooks wb ON wb.id = v.workbook_id
			JOIN
				public.projects p ON p.id = wb.project_id
		) 	subset2
		JOIN
			public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.wbid
		LEFT JOIN
			public.groups grp ON grp.id = ngp.grantee_id
		WHERE
			ngp.authorizable_type LIKE 'Workbook'
	) 	subset3
	JOIN
		public.next_gen_permissions ngp ON ngp.authorizable_id = subset3.pid
	LEFT JOIN
		public.groups grp ON grp.id = ngp.grantee_id
	WHERE
		ngp.authorizable_type LIKE 'Project'
) 	main
LEFT JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = main.pid
LEFT JOIN
	public.groups grp ON grp.id = ngp.grantee_id
WHERE
	ngp.authorizable_type LIKE 'Project'
	AND
	ngp.grantee_id IN (2,558)
GROUP BY
	vid
)

UNION

-- 3. Get View permissions from next_gen_permissions
----------------------------------------------------------
SELECT DISTINCT
	REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS id
 	,STRING_AGG(DISTINCT grp.name, ',') AS groups_permitting_all_users
	
FROM
	public.next_gen_permissions ngp
LEFT JOIN
	public.views v ON v.id = ngp.authorizable_id
LEFT JOIN
	public.groups grp ON ngp.grantee_id  = grp.id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_type LIKE 'View'
	AND
	authorizable_id IS NOT NULL
	AND
	ngp.grantee_id IN (2,558)
GROUP BY
	v.repository_url

ORDER BY
	id
;

------------------------------------------------------------
-- NOTE: To confirm the above counts match the total 
-- number of Views from the views table, just comment
-- out the STRING_AGG, ngp.grantee_id and GROUP BY
-- elements
------------------------------------------------------------
Permitted Group User Names

Return a comma delimited string of unique user names that inherit permissions from a Group with at least read access to the View by adding the set Views with permissions found in next_gen_permissions to the set of Views inheriting from Workbooks and Projects.

------------------------------------------------------------
-- What Views do Users in Groups have read access to?
------------------------------------------------------------
-- 1. Get View permissions from Workbook
------------------------------------------------------------
SELECT DISTINCT
	vid AS id
	,STRING_AGG(DISTINCT su.name, ',') AS permitted_group_user_name	
FROM 
(
	-- set of Views that can inherit permissions from Workbooks
	SELECT DISTINCT
		REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
		,wb.id AS wbid
	FROM 
	(
		-- subset of views missing from ngp
		SELECT DISTINCT
			v.id AS vid
		FROM 
			public.views v
		EXCEPT
		SELECT DISTINCT
			ngp.authorizable_id AS vid
		FROM 
			public.next_gen_permissions ngp
		WHERE
			ngp.authorizable_type LIKE 'View'
			AND
			ngp.grantee_id NOT IN (2,558)
	)	subset1
	JOIN
		public.views v ON v.id = subset1.vid
	JOIN
		public.workbooks wb ON wb.id = v.workbook_id
) subset2
LEFT JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.wbid
LEFT JOIN
	public.groups grp ON grp.id = ngp.grantee_id
LEFT JOIN
	public.group_users ugrp ON ugrp.group_id = grp.id
LEFT JOIN
	public.users u ON u.id = ugrp.user_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
WHERE
	ngp.authorizable_type LIKE 'Workbook'
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND
	ngp.grantee_id NOT IN (2,558)
	AND
	su.name IS NOT NULL
GROUP BY
	vid

UNION

-- 2. Get View permissions from Project
----------------------------------------------------------
(
SELECT DISTINCT
	vid AS id
	,STRING_AGG(DISTINCT su.name, ',') AS permitted_group_user_name
FROM 
(	
	-- 	subset of Views that inherit permissions from Project
	SELECT DISTINCT
		vid
		,pid
	FROM 
	(
		-- subset of PROJECT ids related to views 
		SELECT DISTINCT
			REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
			,p.id AS pid
		FROM 
		(
			-- subset of all missing views
			SELECT DISTINCT
				v.id AS vid
			FROM 
				public.views v
			EXCEPT
			SELECT DISTINCT
				ngp.authorizable_id AS vid
			FROM 
				public.next_gen_permissions ngp
			WHERE
				ngp.authorizable_type LIKE 'View'
				AND
				ngp.grantee_id NOT IN (2,558)
		) 	subset1
		JOIN
			public.views v ON v.id = subset1.vid
		JOIN
			public.workbooks wb ON wb.id = v.workbook_id
		JOIN
			public.projects p ON p.id = wb.project_id
	) 	subset2	
	LEFT JOIN
		public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.pid
	LEFT JOIN
		public.groups grp ON grp.id = ngp.grantee_id
	WHERE
		ngp.grantee_id NOT IN (2,558)
		AND
		ngp.authorizable_type LIKE 'Project'
		OR
		ngp.authorizable_type IS NULL
	
	EXCEPT

	-- Views that could inherit permissions from Project, but
	-- will inherit from Workbooks
	SELECT DISTINCT
		vid
		,pid
	FROM 
	(
		-- subset of Views that can inherit permissions from Workbooks
		SELECT DISTINCT
			vid
			,pid
		FROM 
		(
			-- subset of WORKBOOK and PROJECT ids related to views
			SELECT DISTINCT
				REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
				,wb.id AS wbid
				,p.id AS pid
			FROM 
			(
				-- subset of workbooks missing from ngp
				SELECT DISTINCT
					v.id AS vid
				FROM 
					public.views v
				EXCEPT
				SELECT DISTINCT
					ngp.authorizable_id AS vid
				FROM 
					public.next_gen_permissions ngp
				WHERE
					ngp.authorizable_type LIKE 'View'					
					AND
					ngp.grantee_id NOT IN (2,558)
			) 	subset1
			JOIN
				public.views v ON v.id = subset1.vid
			JOIN
				public.workbooks wb ON wb.id = v.workbook_id
			JOIN
				public.projects p ON p.id = wb.project_id
		) 	subset2
		JOIN
			public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.wbid
		LEFT JOIN
			public.groups grp ON grp.id = ngp.grantee_id
		WHERE
			ngp.authorizable_type LIKE 'Workbook'
	) 	subset3
	LEFT JOIN
		public.next_gen_permissions ngp ON ngp.authorizable_id = subset3.pid
	LEFT JOIN
		public.groups grp ON grp.id = ngp.grantee_id
	WHERE
		ngp.grantee_id NOT IN (2,558)
		AND
		ngp.authorizable_type LIKE 'Project'
		OR
		ngp.authorizable_type IS NULL	
) 	main	
LEFT JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = main.pid
LEFT JOIN
	public.groups grp ON ngp.grantee_id  = grp.id
LEFT JOIN
	public.group_users ugrp ON ugrp.group_id = grp.id
LEFT JOIN
	public.users u ON u.id = ugrp.user_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
WHERE
	main.vid IS NOT NULL
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND
	ngp.grantee_id NOT IN (2,558)
	AND
	su.name IS NOT NULL
GROUP BY
	vid
)
	
UNION

-- 3. Get View permissions from next_gen_permissions
------------------------------------------------------------
SELECT DISTINCT
	REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS id
 	,STRING_AGG(DISTINCT su.name, ',') AS permitted_group_user_name
FROM 
	public.next_gen_permissions ngp
JOIN
	public.views v ON v.id = ngp.authorizable_id
LEFT JOIN
	public.groups grp ON ngp.grantee_id  = grp.id
LEFT JOIN
	public.group_users ugrp ON ugrp.group_id = grp.id
LEFT JOIN
	public.users u ON u.id = ugrp.user_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_type LIKE 'View'
	AND
	authorizable_id IS NOT NULL
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND
	ngp.grantee_id NOT IN (2,558)
	AND
	su.name IS NOT NULL
GROUP BY
	v.repository_url

ORDER BY
	id
;

------------------------------------------------------------
-- NOTE: To confirm the above counts match the total 
-- number of Workbooks from the views table, just comment
-- out the STRING_AGG, ngp.grantee_id and GROUP BY
-- elements
------------------------------------------------------------
Permitted User Names

Show a comma delimited string of unique user names with permissions assigned directly to Views by adding the set Views with permissions found in next_gen_permissions to the set of Views inheriting from Workbooks and Projects.

------------------------------------------------------------
-- What Views do Users have read access to?
------------------------------------------------------------
-- 1. Get View permissions from Workbook
------------------------------------------------------------
SELECT DISTINCT
	vid AS id
	,STRING_AGG(DISTINCT su.name, ',') AS permitted_user_name
FROM 
(
	-- set of Views that can inherit permissions from Workbooks
	SELECT DISTINCT
		REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
		,wb.id AS wbid
	FROM 
	(
		-- subset of Views missing from ngp
		SELECT DISTINCT
			v.id AS vid
		FROM 
			public.views v
		EXCEPT
		SELECT DISTINCT
			ngp.authorizable_id AS vid
		FROM 
			public.next_gen_permissions ngp
		WHERE
			ngp.authorizable_type LIKE 'View'
	) subset1
	JOIN
		public.views v ON v.id = subset1.vid
	JOIN
		public.workbooks wb ON wb.id = v.workbook_id
) subset2
JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.wbid
LEFT JOIN
	public.users u ON u.id = ngp.grantee_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
LEFT JOIN
	public.groups g ON g.id = u.system_user_id
WHERE
	ngp.authorizable_type LIKE 'Workbook'
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND
	ngp.grantee_id NOT IN (2,558)
GROUP BY
	vid

UNION

-- 2. Get View permissions from Project
----------------------------------------------------------
(
SELECT DISTINCT
	vid AS id
 	,STRING_AGG(DISTINCT su.name, ',') AS permitted_user_name
FROM 
(	
	-- 	subset of Views that inherit permissions from Project
	SELECT DISTINCT
		vid
		,pid
	FROM 
	(
		-- subset of PROJECT ids related to views
		SELECT DISTINCT
			REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
			,p.id AS pid
		FROM 
		(
			-- subset of all missing views
			SELECT DISTINCT
				v.id AS vid
			FROM 
				public.views v
			EXCEPT
			SELECT DISTINCT
				ngp.authorizable_id AS vid
			FROM 
				public.next_gen_permissions ngp
			WHERE
				ngp.authorizable_type LIKE 'View'
		) 	subset1
		JOIN
			public.views v ON v.id = subset1.vid
		JOIN
			public.workbooks wb ON wb.id = v.workbook_id
		JOIN
			public.projects p ON p.id = wb.project_id
	) 	subset2
	JOIN
		public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.pid
	LEFT JOIN
		public.users u ON u.id = ngp.grantee_id
	LEFT JOIN
		public.system_users su ON su.id = u.system_user_id
	WHERE
		ngp.authorizable_type LIKE 'Project'
	
	EXCEPT

	-- Views that could inherit permissions from Project, but
	-- will inherit from Workbooks
	SELECT DISTINCT
		vid
		,pid
	FROM 
	(
		-- subset of Views that can inherit permissions from Workbooks
		SELECT DISTINCT
			vid
			,pid
		FROM 
		(
			-- subset of WORKBOOK and PROJECT ids related to views
			SELECT DISTINCT
				REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS vid
				,wb.id AS wbid
				,p.id AS pid
			FROM 
			(
				-- subset of workbooks missing from ngp
				SELECT DISTINCT
					v.id AS vid
				FROM 
					public.views v
				EXCEPT
				SELECT DISTINCT
					ngp.authorizable_id AS vid
				FROM 
					public.next_gen_permissions ngp
				WHERE
					ngp.authorizable_type LIKE 'View'					
			) 	subset1
			JOIN
				public.views v ON v.id = subset1.vid
			JOIN
				public.workbooks wb ON wb.id = v.workbook_id
			JOIN
				public.projects p ON p.id = wb.project_id
		) 	subset2
		JOIN
			public.next_gen_permissions ngp ON ngp.authorizable_id = subset2.wbid
		LEFT JOIN
			public.groups grp ON grp.id = ngp.grantee_id
		WHERE
			ngp.authorizable_type LIKE 'Workbook'
	) 	subset3
	JOIN
		public.next_gen_permissions ngp ON ngp.authorizable_id = subset3.pid
	LEFT JOIN
		public.users u ON u.id = ngp.grantee_id
	LEFT JOIN
		public.system_users su ON su.id = u.system_user_id
	WHERE
		ngp.authorizable_type LIKE 'Project'
) 	main
LEFT JOIN
	public.next_gen_permissions ngp ON ngp.authorizable_id = main.pid
LEFT JOIN
	public.users u ON u.id = ngp.grantee_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
LEFT JOIN
	public.groups g ON g.id = u.system_user_id
WHERE
	ngp.authorizable_type LIKE 'Project'
	AND
	authorizable_id IS NOT NULL
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND 
	ngp.grantee_id NOT IN (2,558)
GROUP BY
	vid
)
 
UNION

-- 3. Get View permissions from next_gen_permissions
----------------------------------------------------------
SELECT DISTINCT
	REPLACE(REGEXP_REPLACE(SUBSTRING(v.repository_url, '[^.*views].*'),'sheets/',''),'/','.') AS id
 	,STRING_AGG(DISTINCT su.name, ',') AS permitted_user_name	
FROM 
	public.next_gen_permissions ngp
LEFT JOIN
	public.views v ON v.id = ngp.authorizable_id
LEFT JOIN
	public.users u ON u.id = ngp.grantee_id
LEFT JOIN
	public.system_users su ON su.id = u.system_user_id
LEFT JOIN
	public.groups g ON g.id = u.system_user_id
WHERE
	v.id IS NOT NULL
	AND
	ngp.authorizable_type LIKE 'View'
	AND
	authorizable_id IS NOT NULL
	AND
	ngp.capability_id = 1
	AND 
	ngp.permission NOT IN (2,4)
	AND 
	ngp.grantee_id NOT IN (2,558)
GROUP BY
	v.repository_url

ORDER BY
	id
;

------------------------------------------------------------
-- NOTE: To confirm the above counts match the total 
-- number of Views from the views table, just comment
-- out the STRING_AGG, ngp.grantee_id and GROUP BY
-- elements
------------------------------------------------------------

Users & Groups

Show all the users in the All Users or All Internal Users groups

SELECT
	su.name AS username
	,g.name AS group
FROM
	public.users u
JOIN
	public.group_users gu ON gu.user_id = u.id
JOIN
	public.groups g ON g.id = gu.group_id
JOIN
	public.system_users su ON su.id = u.system_user_id
WHERE
	gu.group_id IN (2,558)
ORDER BY
	su.name
;

Leave a Reply

Your email address will not be published. Required fields are marked *