Before you can perform any activities in Tableau Cloud Manager (TCM), you need to authenticate to Tableau Cloud Manager REST API. Authenticating to Tableau Cloud Manager REST API has different requirements than authenticating directly to Tableau Cloud Manager.
About authenticating to Tableau Cloud Manager REST API
To authenticate, or sign in, to Tableau Cloud Manager REST API, you must be a cloud administrator, and use a personal access tokens (PAT) to acquire a TCM credentials token. This TCM credentials token is required for any subsequent API requests that you make. You can use the Authentication Methods to sign in to the Tableau Cloud Manager REST API.
For more information, see Sign in to Tableau Cloud Manager REST API below.
About authenticating to Tableau Cloud Manager
To authenticate, or sign in, to the TCM UI, you must be a cloud administrator and one of the following authentication types must be enabled for the tenant:
Notes:
For more information, see Set up TCM authentication for users below.
Table of Contents
To sign in to Tableau Cloud Manager REST API, you need to generate a personal access token (PAT) through the TCM UI first. After you create the PAT, you can use it in the Sign In method request body.
About personal access tokens
PATs are long-lived access tokens. PATs validate that cloud administrators are allowed to sign in to Tableau Cloud Manager REST API. PATs offer the following advantages:
For more information about PATs, see the Personal Access Tokens for Tableau Cloud Manager topic in the Tableau Cloud Help.
Notes:
Before you can sign in to the Tableau Cloud REST API for the first time, you must generate a PAT from the TCM UI first.
The following section describes the different components required to sign in to the Tableau Cloud Manager REST API using the Sign In method.
URI example
To call the Tableau Cloud REST API, first make a request using the Sign In method to generate a TCM credentials token like in the example below.
POST https://mytenant.cloudmanager.tableau.com/api/v1/pat/login
Note: The URI requires you include the tenant name. If you don’t know the tenant name, see How to Find Tenant Name
Request body example
The Sign In request body must contain the PAT secret, like in the example below.
{
"token": "JKGpaIjBQaS1vlXIIt9g+A==:-jeD0dkAWu-mwZQPgRf3NvgHQBUZ7atQsPxh911YmPU"
}
Response body example
The Sign In request produces the following response body, which includes the TCM credentials token, sessionToken
, like in the example below.
{
"sessionToken": "+iUzQx+s:E9T43sqund-xDGle-9trR7WPLkqCkT_7zks3_dVsV0By_Jji",
"userId": "306982a2-4bb0-b858-b82eeI24b857",
"tenantId": "56978815-59b6-4a61-b9e8-ede126e23bab",
"sessionExpiration": "2024-0706T84:53:13.688541Z"
}
After the TCM credentials token is generated, add it to the header, x-tableau-session-token
, for all subsequent Tableau Cloud Manager REST API requests.
+iUzQx+s:E9T43sqund-xDGle-9trR7WPLkqCkT_7zks3_dVsV0By_Jji
x-tableau-session-token
header in subsequent requestsAfter the TCM credentials token, sessionToken
, is generated, add the TCM credentials token value to the header, x-tableau-session-token
, for all subsequent Tableau Cloud Manager REST API requests.
Header example
x-tableau-session-token:+iUzQx+s:E9T43sqund-xDGle-9trR7WPLkqCkT_7zks3_dVsV0By_Jji
The TCM credentials token is short-lived. It expires after 4 hours or when the session is idle for 30 continuous minutes with no requests. When the TCM credentials token expires, you need to sign in to Tableau Cloud Manager REST API again to get a new TCM credentials token.
Using the Tableau Cloud Manager REST API, you can configure authentication to Tableau Cloud Manager (TCM) and assign the authentication type to TCM users. You can set the following types of authentication to enable sign-in for TCM users:
Note: To use Tableau with MFA authentication, skip Step 1 and go directly to Step 2: Assign authentication to users below.
After you make the sign-in request, you can configure Google or Salesforce authentication using the Create or update OIDC configuration method.
The example below sets up Salesforce authentication for the tenant, which has a resource value of 123e4567-e89b-12d3-a456-426614174000
that can be retrieved by using the Get Tenant method.
URI example
PUT https://mytenant.cloudmanager.tableau.com/api/v1/resources/123e4567-e89b-12d3-a456-426614174000/oidcconfiguration
Request body example
{
"enabled": true,
"knownProviderAlias": "Salesforce",
"salesforceDomain": "login.salesforce.com"
}
After the authentication type has been configured for the tenant, assign TCM users to use that authentication.
Using the Add tenant user method, set the idp
value to OpenID
. In this example, Salesforce authentication is assigned to the new TCM user because Salesforce is the authentication type configured for the tenant, which is specified by the knownProviderAlias
attribute in Step 1: Configure authentication above.
URI example
POST https://mytenant.cloudmanager.tableau.com/api/v1/tenants/f97df110-f4de-492e-8849-4a6af68026b0/users
Request body example
{
"linkRoles": [
{
"linkID": "ce9cad81-cd67-43fb-b952-2441d7b5a751",
"linkRole": "LINK_ADMIN",
"idp": "OpenID"
}
]
}
Using the Add tenant user method, set the idp
value to TabIDWithMFA
.
URI example
POST https://mytenant.cloudmanager.tableau.com/api/v1/tenants/f97df110-f4de-492e-8849-4a6af68026b0/users
Request body example
{
"linkRoles": [
{
"linkID": "ce9cad81-cd67-43fb-b952-2441d7b5a751",
"linkRole": "LINK_ADMIN",
"idp": "TabIDWithMFA"
}
]
}