Create a Group and Add Users to It
As a site admin, you can organize Tableau Cloud users into groups to make it easier to manage multiple users. Groups can also be used by users (such as site admins, project owners, and content owners) to apply permission rules for Tableau content.
Users can belong to multiple groups.
Create a group
-
On a site, click Groups, and then click New Group.
-
Type a name for the group.
-
Optionally, do one or both of the following:
-
If your site is licensed with the Embedded Analytics usage-based model, select the Allow on-demand access check box to enable the on-demand access capability for embedding workflows.
For more information, see one of the following: On-demand access using connected apps with direct trust(Link opens in a new window) or On-demand access using connected apps with OAuth 2.0 trust(Link opens in a new window).
- Select Grant role on sign in and select a minimum site role for the group. For more information, see Grant License on Sign In.
-
-
Click Create.
Note: Every user (excluding users with on-demand access) added to a Tableau Cloud site becomes a member of the All Users group automatically. The All Users group exists in every site by default. You cannot delete this group, but you can set permissions for it.
Add users to a group (Users page)
-
On a site, click Users.
-
Select the users you want to add to the group, and then select Actions > Group Membership.
-
Select the groups and then click Save.
Add users to a group (Groups page)
-
From the left navigation pane, click Groups, and then click the name of the group.
-
On the Group's page, click Add Users.
-
Select the users to be added, and then click Add Users.
Dynamic group membership using assertions
Beginning in June 2024 (Tableau 2024.2), if you have OIDC or SAML authentication configured or use Tableau connected apps for embedding workflows, you can dynamically control group membership through assertions. When configured, at runtime during user authentication, Tableau receives the assertion and then evaluates membership in groups and thus the content whose permissions are dependent on those groups.
The process to dynamically control group membership through assertions requires 1) enabling the setting and 2) ensuring the group membership claims are included in the assertions.
Step 1: Turn on the setting
For security purposes, group membership is only validated in an authentication workflow if the site setting is turned on.
-
Sign in to Tableau Cloud and click Settings > Authentication.
-
Under Assertions for Group Membership heading, select the Allow group assertions to enable group membership through SAML, OIDC, or JWT assertions check box.
For more information about site settings, see Assertions for Group Membership.
Step 2: Ensure group membership claims are included in the assertion
Two custom group membership claims must be included in the respective OIDC, SAML or JWT assertion to specify group membership. The two custom group membership claims are:
-
Group:
https://tableau.com/groups
-
Group names. These names should match local group names in Tableau Cloud exactly.
Note: Group sets can't be asserted.
For example assertions, refer to one of the following sections:
- Dynamic group membership using OIDC assertions
- Dynamic group membership using SAML assertions:
- Connected apps - direct trust: Dynamic group membership (embedding workflows only)
- Connected apps - OAuth 2.0 trust: Dynamic group membership (embedding workflows only)