Tableau Cloud Help

Starting in May 2026 (Tableau 2026.2), you can configure your organization's network to restrict user access to approved Tableau Cloud sites only. This security feature helps prevent unauthorized data sharing by blocking access to unauthorized sites like personal trial sites or other organizations' Tableau Cloud sites.

Note: This topic describes how to control which sites your users can access from your network. To control which locations your users can access sites from, consider IP filtering(Link opens in a new window).

Benefits of restricting site access

Site-specific access is a network-based security control that allows your organization to enforce which Tableau Cloud sites users can access from your network. When configured, users can only sign in to and interact with Tableau Cloud sites that your organization has explicitly approved. This approach is particularly important in industries and regions with strict data security requirements, such as financial services, healthcare, and public sector organizations.

This capability helps organizations:

• Prevent data loss: Block users from uploading company data to unauthorized Tableau Cloud trial sites or other sites
• Maintain compliance: Prevent unauthorized use of unapproved Tableau Cloud sites to demonstrate control over where organizational data can be published and shared
• Meet regulatory requirements: Address strict data security requirements in regulated industries and regions

How it works

Site-specific site access works by using your organization's network infrastructure:

1. Your organization configures an SSL proxy server to intercept HTTPS traffic to Tableau Cloud (*.online.tableau.com).
2. The proxy adds the X-Tableau-Allowed-Sites header to requests that identify which Tableau Cloud sites are approved for access.
3. Tableau Cloud reads these headers and allows or blocks access based on the approved site list.
4. When a user attempts to access a non-approved site, access is denied.

Important: Tableau Support can't assist with configuring or troubleshooting SSL proxies.

What restricting site access affects

When this capability is enabled for your network, the following access is affected:

• Access through a web browser
• Tableau Desktop connections to Tableau Cloud
• Tableau REST API calls
• Embedded views

Before you begin

Site-specific access requires coordination between Tableau Cloud cloud administrators and your organization's IT admin. Before implementing this feature, make sure you have:

• SSL proxy infrastructure: An SSL proxy server that supports SSL interception and HTTP header injection
• IT support: Technical resources to configure the proxy server and maintain header injection
• Site inventory: A complete list of approved Tableau Cloud site IDs

Configure organization-specific site access

Implementing site-specific access involves both IT configuration and ongoing Tableau Cloud administration.

Step 1: Identify approved sites

The best way to generate a comprehensive list of site IDs for approved sites is through Tableau Cloud Manager (TCM) and your web browser's developer tools.

1. Open a web browser and go to the browser's developer tools.

2. Go to and sign in to Tableau Cloud Manager(Link opens in a new window) as a cloud administrator.

3. Back in the browser's developer tools, on the Network tab, do the following:

1. Look for requests to https://<your-tenant-name>.cloudmanager.tableau.com/api/v1/tenants/<tenantId>/sites.

2. Go to sites?maxResults=200.

3. Inspect the response. The response contains a list of all sites within your tenant, including the site IDs. Site IDs are listed as siteUUID.

4. Capture all of the siteUUID values in the response to compile the list of sites to include in the X-Tableau-Allowed-Sites header.

Step 2: Work with IT to configure SSL proxy

Provide your IT admin with the list of approved sites and work with them to configure the SSL proxy.

Configure the SSL proxy to add the following header to requests for *.online.tableau.com. The HTTP header value is a comma-separated list of approved site IDs. Up to about 400 site IDs can be listed in the header.

• For a single site: X-Tableau-Allowed-Sites: siteUUID

• For multiple sites: X-Tableau-Allowed-Sites: siteUUID1,siteUUID2,siteUUID3

Note: If your Tableau Cloud site is configured to use a custom domain, the IT admin needs to configure the SSL proxy to add the X-Tableau-Allowed-Sites header to requests for the custom domain.

Step 3: Validate traffic routing through proxy

After the SSL proxy is configured, the IT admin should validate that all user traffic to your sites are routed through the configured SSL proxy to ensure the HTTP header is applied to every request.

Step 4: Test the configuration

Test the configuration to verify that approved sites are accessible and non-approved sites are blocked.

You can test the configuration by:

1. Verify blocking: Verify blocking works by going to a site that's not included in the list of site IDs that were added to the HTTP header.

   Blocking works when you see an HTTP 403 (Forbidden) response.

2. Verify allowed access: Verify access works by going to a site that's included in the list of site IDs that were added to the HTTP header.

   Access works when the page loads normally.

3. Verify backwards compatibility: Verify backwards compatibility by removing X-Tableau-Allowed-Sites HTTP header from your proxy configuration. Navigate to your site.

   Backwards compatibility works when the page loads normally.

Troubleshoot

Symptom	Issue	Resolution
Users report unexpected HTTP 403 (Forbidden) errors	Unexpected HTTP 403 (Forbidden) errors	Verify the site IDs in the X-Tableau-Allowed-Sites header matches exactly the sites users are trying to access.
Users can't access any site	All sites are inaccessible	Check that the X-Tableau-Allowed-Sites header contains the correct site IDs, there are no typos, or extra white spaces.
X-Tableau-Allowed-Sites doesn't appear to be working	Feature doesn't appear to be working	Confirm the SSL proxy is correctly adding the X-Tableau-Allowed-Sites header to requests to *.online.tableau.com.