tsm configuration set Options
Below is a list of configuration options or keys that you can set with the tsm configuration set
command. In many cases you can find out the current value of a configuration key with the tsm configuration get
command.
This list is not intended to be an exhaustive list of Tableau Server configuration settings. It represents a subset of configuration keys that can be set by server administrators. Finally, some keys used internally by Tableau Server do not appear in this list.
Note: Configuration keys are case-sensitive.
Using the tsm CLI
You can run tsm commands on the initial node (the node where TSM is installed), or on any additional node in the cluster.
To run tsm commands, you need to open a command prompt.
Open a command prompt with an account that is a member of the
tsmadmin
group on a node in the cluster.Run the command you want. If you are running the command from a node other than the initial node, include the
-s
option to specify the URL of the initial node by name (not IP address), and include the TSM port, 8850.To see the version of TSM and Tableau Server from the initial node:
tsm version
To see the version of TSM and Tableau Server from an additional node:
tsm version -s https://<inital_node_name>:8850
For example:
tsm version -s https://myTableauHost:8850
Basic Use of tsm configuration keys
Setting a configuration key
tsm configuration set -k <config.key> -v <config_value>
In some cases, you must include the --force-keys
option to set a configuration value for a key that has not been set before. For more information, see "Unknown key" responses.
After setting a configuration key value you must apply the pending configuration changes using tsm pending-changes apply
. Until you do, the new value will not be used by Tableau or show up in the results of a tsm configuration get
command. You can view pending changes using tsm pending-changes list
. For more information, see tsm pending-changes.
Resetting a configuration key to default
To reset a configuration key back to its default value, use the -d
option:
tsm configuration set -k <config.key> -d
Viewing the current value of a configuration key
To see what a configuration key is currently set to, use the configuration get
command:
tsm configuration get -k <config.key>
There are two special cases that will not return a useful current value for a key:
In certain cases, you cannot get a configuration value for a key that has not been explicitly set. Instead the
tsm configuration get
command will return an "Unknown key" response. For more information, see "Unknown key" responses.For certain keys with predefined default values, the
tsm configuration get
command will return a "Null" response. For more information, see "Null" value responses.
Configuration Keys
adminviews.disabled
Default value: false
Disables access to the Tableau Administrative views. By default, access to views is enabled (this option is set to "false").
api.server.enabled
Version: Deprecated in version 2023.1. You cannot disable the REST API in version 2023.1 and later.
Default value: true
Allows access to the Tableau Server REST API(Link opens in a new window).
By default, this functionality is enabled. We strongly recommend that you maintain this setting. Disabling the REST API will disrupt the functionality of a broad range of Tableau features. It will not improve performance or enhance security. If you choose to disable the REST API on your Tableau Server installation, test the functionality you require carefully.
Functionality impacted by disabling the REST API includes:
- Search
- Favourites
- Collections
- Content Management Tool (CMT)
- Resource Monitoring Tool (RMT)
- Personal Spaces
auditing.enabled
Default value: true
Allows access to the PostgreSQL (Tableau Server's own database) historical auditing tables.
backgrounder.default_run_now_priority
Default value (integer): 0
This setting controls what priority is assigned to run now jobs, with 0 being the highest priority. Values should be specified should be in the range of 0 – 100.
backgrounder.enable_parallel_adsync
Version: Added in version 2018.3.6
Default value: false
Controls whether parallel processing of external directory group synchronisation jobs is allowed when there are multiple backgrounders. By default a scheduled synchronisation of external directory groups is handled serially, by a single backgrounder. Set this to true
to enable parallel processing on multiple backgrounder instances.
backgrounder.externalquerycachewarmup.enabled
Version: Deprecated in version 2023.1. To improve view load times for workbooks, allow View Acceleration on your site instead.
Default value: false
Controls the caching of workbook query results after scheduled extract refresh tasks.
backgrounder.externalquerycachewarmup.view_threshold
Version: Deprecated in version 2023.1. To improve view load times for workbooks, allow View Acceleration on your site instead.
Default vaule: 2.0
The threshold for caching workbook query results after scheduled extract refresh tasks. The threshold is equal to the number of views that a workbook has received in the past seven days divided by the number of refreshes scheduled in the next seven days.
The following two backgrounder command options determine how long a flow task can run before the flow background task is cancelled. These two commands together determine the total timeout value for flow tasks.
backgrounder.extra_timeout_in_seconds
Default value: 1800
The number of seconds beyond the setting in backgrounder.querylimit
before a background job is cancelled. This setting makes sure that a stalled job does not hold up subsequent jobs. The setting applies to processes listed in backgrounder.timeout_tasks
. 1,800 seconds is 30 minutes.
backgrounder.default_timeout.run_flow
Default value: 14400
The number of seconds before a flow run task is cancelled. 14,400 seconds is 4 hours.
backgrounder.failure_threshold_for_run_prevention
Default value: 5
The number of consecutive failures of a subscription, extract or flow run job before that job is suspended. Suspending continuously failing jobs helps preserver backgrounder resources for other jobs. To disable suspension of failing background tasks, set this to -1
.
backgrounder.log.level
Version: Added in version 2020.3.0.
Default value: info
The logging level for the backgrounder process. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.
backgrounder.querylimit
Default value: 7200
Longest allowable time, in seconds, for completing a single extract refresh job. 7200 seconds = 2 hours.
Note: If a background job reaches this time limit, it may continue to run for an additional several minutes while being cancelled.
backgrounder.restrict_serial_collections_to_site_level
Default value: false
In Tableau Server, you can schedule extract refreshes, subscriptions or flows to run periodically. These scheduled items are referred to as tasks. The Backgrounder process initiates unique instances of these tasks to run them at the scheduled time. The unique instances of the tasks that are initiated as a result are referred to as jobs.
This setting affects schedules that are configured to run serially. By default, when a schedule is configured to run serially, all jobs using that schedule will run serially. When this setting is set to true
, jobs running on different sites can run in parallel. Jobs for scheduled tasks on the same site will continue to run serially.
The example below illustrates this scenario:
Tableau Server includes a schedule named "Daily" to run jobs every day at 7 am. The "Daily" schedule is configured to run serially. Site "HR" and site "Payroll" each have multiple scheduled tasks that use the schedule, "Daily". When this setting is set to true
, jobs for these scheduled tasks on Site "HR" can run in parallel with jobs on site "Payroll", whereas jobs on the same site will still only run serially.
backgrounder.notifications_enabled
Default value: true
Controls whether extract refresh and flow run alerts are enabled for all sites on the server. By default alerts are enabled. To disable the alerts for all sites on a server, set this to false
.
Extract alerts can be enabled or disabled on a site basis by site administrators in site settings, or at the user level in user settings.
backgrounder.sort_jobs_by_type_schedule_boundary_heuristics_milliSeconds
Default value: 60000
Controls the time window that identifies backgrounder jobs which are determined to have the same scheduled start time.
The backgrounder process orders work that is scheduled at the same time to be executed by job type, running the fastest category of jobs first: Subscriptions, then Incremental Extracts, then Full Extracts.
Jobs are batched to determine which jobs are scheduled at the “same time”. A value 60,000 milliseconds (the default) indicates jobs for schedules starting within a 1 minute window should be classified in the same batch and so are ordered by type within that batch.
backgrounder.subscription_failure_threshold_for_run_prevention
Default value: 5
Determines the number of consecutive subscription failures that must occur before alerting for a condition is suspended. When set to the default of 5
, alerting is suspended after 5 consecutive subscription failures. A value of -1
will allow notification email to continue indefinitely. This threshold is server-wide, so applies to all subscriptions defined on the server.
backgrounder.subscription_image_caching
Default value: true
Controls whether backgrounder will cache images that are generated for subscriptions. Cached images do not have to be regenerated each time so caching improves subscription performance. By default image caching is enabled. To disable image caching for all sites on a server, set this to false
.
backgrounder.timeout_tasks
Default value: The default value may be different, depending on your version of Tableau Server. To see the default value list for your version of Tableau, run the tsm configuration get
command:
tsm configuration get -k backgrounder.timeout_tasks
The list of tasks that can be cancelled if they run longer than the combined values in backgrounder.querylimit
and backgrounder.extra_timeout_in_seconds
. The list of tasks is delimited with commas. The default list represents all the possible values for this setting.
backgrounder.timeout.single_subscription_notify
Version: Added in version 2021.2.
Default Value: 1800
seconds (30 minutes)
This is the maximum allowable time specified in seconds for completing a single subscription job.
backgrounder.timeout.sync_ad_group
Version: Added in version 2021.1.23, 2021.2.21, 2021.3.20, 2021.4.15, 2022.1.11, 2022.3.3, 2023.1.
Default Value: 14400
seconds (4 hours)
This is the maximum allowable time, specified in seconds, for completing an Active Directory group sync. This applies to scheduled group synchronisations done by the backgrounder service and prevents long-running syncs from running indefinitely. This does not impact group synchronisations done using the Tableau Server UI or the REST API.
backgrounder.vInstances_max_overflow_queue_size
Version: Added in version 20221.2.
Default Value: 1000
The maximum number of jobs that can be in the secondary queue. A secondary queue is created when the number of jobs running is at the set concurrency limit. The default maximum is set to 1000 jobs – meaning if there are more than 1000 jobs when the concurrency limit is hit, anything more than 1000 jobs will not be queued. Use the backgrounder.vInstance_max_overflow_queue_size tsm command to make changes to the overflow maximum queue size.
The values should be specified in whole numbers.
backup.zstd.thread_count
Version: Added in version 2021.1.0. This key is dynamically configurable. For more information, see Tableau Server Dynamic Topology Changes
Default value: 2
The number of threads that should be used when creating a backup.
Increasing this number can improve backup performance, but we recommend thread count not exceed the number of logical processors on the Tableau Server computer, up to four.
basefilepath.backuprestore
Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/backups/
The location in which the tsm maintenance backup
command creates the backup. This is also the location where the backup file must be when restored using the tsm maintenance restore
command or the tsm maintenance send-logs
command. After setting this, you should run the tsm maintenance validate-backup-basefilepath command (available in version 2022.1 and later) to verify that permissions are set properly for the location. For more information, see tsm File Paths.
basefilepath.log_archive
Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/log-archives/
The location in which the tsm maintenance ziplogs
command creates the zipped archive. For more information, see tsm File Paths.
basefilepath.site_export.exports
Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/siteexports/
The location in which the tsm sites export
command creates the export file. For more information, see tsm File Paths.
basefilepath.site_import.exports
Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/siteimports/
The location in which the tsm sites import
command expects the import file to be located. For more information, see tsm File Paths.
clustercontroller.log.level
Version: Added in version 2020.3.0.
Default value: info
The logging level for Cluster Controller. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.
clustercontroller.zk_session_timeout_ms
Default value: 300000
The length of time, in milliseconds, that Cluster Controller will wait for the Coordination Service (ZooKeeper), before determining that failover is required.
dataAlerts.checkIntervalInMinutes
Default value: 60
The frequency, in minutes, at which Tableau Server checks to determine if data-alert conditions are true.
(The server also checks whenever extracts related to data alerts are refreshed.)
dataAlerts.retryFailedAlertsAfterCheckInterval
Default value: true
Determines how often Tableau Server rechecks failing data alerts. When set to true
, the server rechecks failing alerts at the frequency defined by dataAlerts.checkIntervalInMinutes
. When set to false
, the server rechecks failing alerts every five minutes, more quickly notifying alert recipients if data conditions have changed, but reducing server performance.
(The server also checks whenever extracts related to data alerts are refreshed.)
dataAlerts.SuspendFailureThreshold
Default value: 350
Determines the number of consecutive data alert failures that must occur before alerting for a condition is suspended. When set to the default of 350, alerting is suspended after roughly two weeks of alerts. This threshold is server-wide, so applies to any data alert defined on the server.
databaseservice.max_database_deletes_per_run
Version: Added in version 2021.2.
Default value: null
Use this option to adjust the maximum number of embedded external assets (databases and tables) that can be deleted each time the backgrounder process, controlled by features.DeleteOrphanedEmbeddedDatabaseAsset
, runs. If this option is left empty, the default maximum number of embedded external assets that can be deleted is 100.
For more information, see features.DeleteOrphanedEmbeddedDatabaseAsset.
dataserver.log.level
Version: Added in version 2020.3.0.
Default value: info
The logging level for Data Server. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.
elasticserver.vmopts
Version: Added in version: 2019.1. Removed: 2022.1
This configuration option is not valid for Tableau Server versions 2022.1 and later. For Tableau Server versions 2022.1 and later, use indexandsearchserver.vmopts
configuration option
Default value: "-Xmx<default_value> -Xms<default_value>
"
The default value varies based on the amount of system memory. The JVM maximum heap size is scaled to be 3.125% of the total system RAM.
Controls the Elastic Server heap size. Because the default value scales automatically, use this option to override the default value only when absolutely necessary. Append the letter 'k' to the value to indicate kilobytes, 'm' for megabytes or 'g' to indicate gigabytes. As a general rule, set initial heap size (-Xms
) equal to the maximum heap size (-Xmx
) to minimise garbage collections.
excel.shadow_copy_all_remote.enabled
Version: Added in versions 2019.1.5, 2019.2.1.
Default value: false
Controls whether Tableau Server creates a "shadow copy" of a shared Excel spreadsheet (.xlxs
or .xlxm
) that is being used as a live data source. When enabled, this option prevents Excel users from seeing a "Sharing Violation Error" and a message that the file is "currently in use". This option can have a performance impact with large Excel files. If Excel users do not need to edit the shared file, you do not need to enable this option.
Note: Tableau Server always attempts to create a shadow copy of a .xls
file. This option does not change that behaviour.
extractservice.command.execution.timeout
Version: Added in version 2021.4.
Default value: 7200
seconds
Sets the timeout value for VConn extract refresh run time.
Example: tsm configuration set -k extractservice.command.execution.timeout -v <timeout_in_seconds> --force-keys
Note: You must use the --force-keys
option to change this value.
features.ActiveMQ
Version: Added in version 2021.4.
Default value: true
Controls whether Tableau Server uses the Apache ActiveMQ service (Tableau Server Messaging Service) for the internal messaging mechanism.
features.DeleteOrphanedEmbeddedDatabaseAsset
Version: Added in version 2021.2.
Default value: true
Controls a backgrounder process, for Tableau Catalogue (or Tableau Metadata API), that deletes embedded external assets (databases and tables) that are no longer associated with downstream Tableau content. This process runs every day at 22:00:00 UTC (coordinated universal time) and can delete a maximum of 100 external assets each day until there are no remaining external assets without connections to downstream Tableau content. You can set this option to false
to stop this process from running. Alternatively, you can also adjust the maximum number of external embedded assets that can be deleted using databaseservice.max_database_deletes_per_run.
For more information see, Troubleshoot missing content.
features.DesktopReporting
Default value: false
Controls whether Desktop Licence Reporting is enabled on the server. When set to false
(the default), no Administrative Views related to desktop licences are available. Set this to true
to enable licence reporting and to make licence usage and expiration Administrative Views visible on the Server Status page. Note: Desktop Licence Reporting must be enabled on the client (Tableau Desktop) in order for information to be reported to Tableau Server.
features.IdentityMigrationBackgroundJob
Version: Added in version 2022.1. Default value was changed to false
in versions 2021.4.22, 2022.1.18, 2022.3.10, 2023.1.6 and 2023.3.
Default value: false
Controls the process that performs the identity migration. When set to true
, the identity migration runs in existing deployments immediately after upgrading Tableau Server to version 2022.1 (or later) and restoring a backup of Tableau Server version 2021.4 (or earlier). Set to false
(default) to disable the identity migration.
For example, to start the identity migration, run the following:
tsm configuration set -k features.IdentityMigrationBackgroundJob -v true
For more information, see About the Identity Migration.
Note: If the identity migration is disabled, Tableau Server cannot use the Identity Service to store and manage user identity information. Using the Identity Service is a prerequisite for certain capabilities like identity pools.
features.IdentityPools
Version: Added in version 2023.1.
Default value: false
A component of the identity pools capability that needs to be enabled if you perform a new Tableau Server installation. Requires feature.NewIdentityMode
and wgserver.authentication.legacy_identity_mode.enabled
. Set to true
to enable identity pools. Set to false
(default) to disable identity pools.
For example, to enable identity pools, run the following:
tsm configuration set -k features.IdentityPools -v true
tsm configuration set -k features.NewIdentityMode -v true
tsm configuration set -k wgserver.authentication.legacy_identity_mode.enabled -v false
tsm pending-changes apply
For more information, see Troubleshoot identity pools.
features.MessageBusEnabled
Version: Added in version 2019.4.
Default value: true
Controls whether Tableau Server uses the new internal messaging mechanism.
features.NewIdentityMode
Version: Added in version 2022.1.
Default value: false
. The default value was changed from true
to false
in 2023.1.6.
A prerequisite of the identity pools capability. Requires wgserver.authentication.legacy_identity_mode.enabled
to be set to false
to enable identity pools. Set to true
to disable identity pools.
tsm configuration set -k features.IdentityPools -v true
tsm configuration set -k features.NewIdentityMode -v true
tsm configuration set -k wgserver.authentication.legacy_identity_mode.enabled -v false
tsm pending-changes apply
For more information, see Troubleshoot identity pools.
features.PasswordlessBootstrapInit
Default value: true
Controls whether Tableau Server allows embedded credentials in bootstrap files. When enabled (the default), embedded credentials are included in the bootstrap file unless you specify that they should not be included. Set this to false
if credentials should never be included in any bootstrap file you generate. For more information on generating bootstrap files, see tsm topology nodes get-bootstrap-file.
This option was added beginning with Tableau Server version 2019.3.
features.PasswordReset
Version: Retired in version 2024.2. For versions 2024.2 and later, use vizportal.password_reset
.
Default value: false
Applies only to servers that use local authentication. Set to true
to let users reset their passwords with a "Forgot password" option on the sign-in page.
filestore.empty_folders_reaper.enabled
Version: Added in 2020.x (2020.1.14, 2020.2.11, 2020.3.6, 2020.4.2) and 2021.1.x. The default value was changed to true
in 2021.2.
Default value: true
Enables the job that "reaps" (removes) empty Filestore folders.
filestore_empty_folders_reap.frequency_s
Version: Added in 2020.x (2020.1.14, 2020.2.11, 2020.3.6, 2020.4.2).
Default value: 86400
(24 hours)
Specifies, in minutes, how often to run the job that removes empty Filestore folders.
features.Hyper_DisallowTDEPublishing
Version: Defaults to true
beginning in version 2023.1.0. Deprecated in Tableau Server 2024.2.
Default value: true
Specifies if users can upload .tde format files. This format was replaced by .hyper format beginning in version 10.5 of Tableau Server, but were not blocked from upload. Starting with Version 2024.3, .tde format files are no longer usable. The files were automatically converted to .hyper format if one of several actions were performed. For more information, see Extract Upgrade to .hyper Format.
filestore.log.level
Version: Added in version 2020.3.0.
Default value: info
The logging level for File Store. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.
filestore.reapemptyfoldersholdoffms
Version: Added in 2020.x (2020.1.14, 2020.2.11, 2020.3.6, 2020.4.2). This is not yet available in 2021.1.
Default value: 300000
(5 minutes)
Specifies in milliseconds, the amount of time to wait before removing empty Filestore folders.
floweditor.max_datafile_upload_size_in_kb
Version: Added in version 2020.4
Default value: 1048576
For Tableau Prep flow web authoring, the maximum size of delimited text files (for example, CSV or TXT) that can be uploaded to Tableau Server.
gateway.external_url
Version: Added in version 2023.1
Default value: Null
Required when OpenID Connect (OIDC) authentication is configured in TSM during Tableau Server setup or with identity pools. Specifies the Tableau Server URL used by the identity provider (IdP) to redirect users who authenticate into Tableau. The gateway external URL is the same URL that you specified as the redirect URL with your IdP, which is used for matching purposes.
For example, to redirect the IdP associated with OIDC authentication configuration to your Tableau Server, http://myco, run the following command:
tsm configuration set -k gateway.external_url -v http://myco
gateway.http.cachecontrol.updated
Default value: false
The Cache-Control HTTP header specifies whether the client browser should cache content sent from Tableau Server. To disable caching of Tableau Server data on the client, set this option to true
.
gateway.http.hsts
Default value: false
The HTTP Strict Transport Security (HSTS) header forces browsers to use HTTPS on the domain where it is enabled.
gateway.http.hsts_options
Default value: "max-age=31536000"
By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS.
gateway.httpd.loglevel
Version: Added in 2021.3.0.
Default value: notice
Specifies the logging level for the Gateway (Apache HTTPD server). By default, this is set to notice
. Other options include debug
, info
, warning
, error
. If you change the logging level, be aware of potential impact to disk space usage and performance. As a best practice, return the logging level to the default after you have gathered the information you need. For detailed information on Apache logging, see the Apache HTTP documentation(Link opens in a new window).
gateway.httpd.shmcb.size
Version: Added in 2021.4
Default value: 2048000
Specifies the amount of memory in bytes for the circular buffer when using the shmcb
storage type. This configuration key doesn’t apply when using the dbm
storage type.
gateway.httpd.socache
Version: Added in 2021.4
Default value: shmcb
Specifies the storage type of the global/inter-process SSL Session Cache. By default, this is set to shmcb
, with another configurable option dbm
. For more information about shmcb
and dbm
storage types, see SSLSessionCache Directive(Link opens in a new window) on the Apache website.
gateway.http.request_size_limit
Default value: 16380
The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.
A low value for gateway.http.request_size_limit
can result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.
We recommend setting tomcat.http.maxrequestsize
option to the same value that you set for this option.
gateway.http.x_content_type_nosniff
Default value: true
The X-Content-Type-Options response HTTP header specifies that the MIME type in the Content-Type header should not be changed by the browser. In some cases, where MIME type is not specified, a browser may attempt to determine the MIME type by evaluating the characteristics of the payload. The browser will then display the content accordingly. This process is referred to as "sniffing". Misinterpreting the MIME type can lead to security vulnerabilities. The X-Content-Type-Options HTTP header is set to 'nosniff' by default with this option.
gateway.http.x_xss_protection
Default value: true
The HTTP X-XSS-Protection response header is sent to the browser to enable cross-site scripting (XSS) protection. The X-XSS-Protection response header overrides configurations in cases where users have disabled XXS protection in the browser. The X-XSS-Protection response header is enabled by default with this option.
gateway.log.level
Version: Added in version 2020.3.0.
Default value: info
The logging level for Gateway. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.
gateway.public.host
Default value: <hostname>
The name (URL) of the server, used for external access to Tableau Server. If Tableau Server is configured to work with a proxy server or external load balancer, it is the name entered in a browser address bar to reach Tableau Server. For example, if Tableau Server is reached by entering tableau.example.com
, the name for gateway.public.host is tableau.example.com
.
gateway.public.port
Default value: 80
(443
if SSL)
Applies to proxy server environments only. The external port the proxy server listens on.
gateway.slow_post_protection.enabled
Default value: true
When enabled, this can provide some help in protecting against slow POST (Denial-of-Service) attacks by timing out POST requests that transfer data at extremely slow rates.
Note: This will not eliminate the threat of such attacks, and could have the unintended impact of terminating slow connections.
gateway.slow_post_protection.request_read_timeout
Default value: header=10-30,MinRate=500 body=30,MinRate=500
When enabled by the preceding option, gateway.slow_post_protection.enabled
, this option sets the Apache httpd ReadRequestTimeout. The httpd directive is documented at Apache Module mod_reqtimeout(Link opens in a new window). The primary use of this option is as a defence for the Slowloris attack. See the Wikipedia entry, Slowloris (computer security)(Link opens in a new window).
Note: Older versions use a default value: header=15-20,MinRate=500 body=10,MinRate=500
gateway.timeout
Default value: 7200
Longest amount of time, in seconds, that the gateway will wait for certain events before failing a request (7200 seconds = 2 hours).
gateway.trusted
Default value: IP address of proxy server machine
Applies to proxy server environments only. The IP address(es) or host name(s) of the proxy server.
gateway.trusted_hosts
Default value: Alternate names of proxy server
Applies to proxy server environments only. Any alternate host name(s) for the proxy server.
hyper.file_partition_size_limit
Default value: 0
When set to 0, the size is set to unlimited and will use all the disk space that is available.
This option is used to set the disk space limit for a query that spools to disk. If your disk space usage by the spool.<id>.tmp file is higher than where you need it to be for your environment, it means that queries are spooling and taking up disk space. Use this option to limit the amount of disk space that any one query can use. The spool.<id>.tmp file can be found in the temp folder of the user account running Tableau Server. You can specify this value in K(KB), M(MB), G(GB) or T(TB) units. For example, you can specify the size limit as 100 G when you want to limit the disk space usage to 100 GB.
For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.
hyper.global_file_partition_size_limit
Default value: 0
When set to 0, the size is set to unlimited and will use all the disk space that is available.
This option is used to set the disk space limit for all queries that spool to disk. If your disk space usage by the spool.<id>.tmp file is higher than where you need it to be for your environment, it means that queries are spooling and taking up disk space. The spool.<id>.tmp file can be found in the temp folder of the user account running Tableau Server. Use this option to limit the amount of disk space in sum total that all queries use when spooling to disk . You can specify this value in K(KB), M(MB), G(GB) or T(TB) units. For example, you can specify the size limit as 100 G when you want to limit the disk space usage to 100 GB. Tableau recommends that you start with this configuration when fine tuning your spooling limits.
For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.
hyper.enable_accesspaths_symbolic_canonicalization
Default value: false
On Windows OS systems, in order to resolve symlinks, Hyper needs to have access to the directory where extracts are stored and all its parent directories. If this is not the case, you may see an error message in the Hyper log that says: Unable to obtain canonical path for //dirA/subdir/myextract.hyper ... Access is denied
.
In such cases, you can set this to true
so Data Engine (Hyper) will not try to resolve symlinks when using canonical paths.
Note: Setting the value to true
also implies that Hyper can no longer guarantee to guard against a potential attacker who manages to place a symlink to escape the allowed set of directories which Hyper is configured to allow access to.
hyper.log_queries
Default value: true
When set to true, query information is logged.
By default query information is logged. If however you find that the log files are too large for the amount of disk space available, you can set it to false
to disable logging query information. Tableau recommends leaving this configuration set to true
.
hyper.log_query_cpu
Default value: false
Use this setting to log how much time each query takes and the CPU usage.
hyper.log_timing
Default value: false
This setting is useful to find out more information about the queries, like compilation and parsing times. By default this setting is disabled. You can turn this by setting the value to true
to collect more details about your queries. Note, however that this will increase the size of your data engine log files (\logs\hyper).
hyper.log_troublesome_query_plans
Default value: true
When set to true
, logs query plans of query that are identified as problematic. Queries that are either cancelled, running slower than 10 seconds, or if the queries are spooling to disk fall into this category. The information in the logs can be useful to troubleshoot problematic queries. You can change the setting to false
if you are concerned about the size of the logs.
hyper.memory_limit
Default value: 80%
Controls the maximum amount of memory used by Hyper. Specify the number of bytes. Append the letter 'k' to the value to indicate kilobytes, 'm' to indicate megabytes, 'g' to indicate gigabytes or 't' to indicate terabytes. For example, hyper.memory_limit="7g"
. Alternatively, specify the memory limit as a percentage of the overall available system memory. For example, hyper.memory_limit="90%"
.
hyper.memtracker_hard_reclaim_threshold
Default value: 80%
This setting only applies to Windows. Hyper keeps decompressed and decrypted parts of the extract in memory to make subsequent accesses faster. This setting controls when worker threads will start writing this data out to a disk cache to reduce memory pressure. If given as a percentage, the value is interpreted as a percentage of the overall hyper.memory_limit
setting. For example, hyper.memtracker_hard_reclaim_threshold="60%"
. Absolute values can be specified as 'k' (kilobytes), 'm' (megabytes), 'g' (gigabytes) or ‘t’ (terabytes). For example, hyper.memtracker_hard_reclaim_threshold="10g"
. The value should be larger than the hyper.memtracker_soft_reclaim
threshold.
hyper.memtracker_soft_reclaim_threshold
Default value: 50%
This setting only applies to Windows. When interacting with a Hyper file, Hyper will write out some data for caching or persisting the data. Windows has the special behaviour that it locks freshly written data into memory. To avoid swapping, we force out the data when Hyper reaches the configured limit for the reclaim threshold. When the soft reclaim threshold is reached, Hyper will try to reclaim cached data in the background to attempt to stay below the reclaim threshold. In situations where swapping would happen otherwise, triggering reclamation in Hyper can lead to a better outcome. Therefore, if your Tableau Server installation experiences a lot of swapping, this setting can be used to attempt to reduce the memory pressure.
Specify the number of bytes. Append the letter 'k' to the value to indicate kilobytes, 'm' to indicate megabytes, 'g' to indicate gigabytes or 't' to indicate terabytes. Alternatively, specify the value as a percentage of the overall configured memory for Hyper. For example, hyper.memtracker_soft_reclaim_threshold="20%"
.
hyper.network_threads
Default value: 150%
Controls the number of network threads used by Hyper. Specify either the number of network threads (for example, hyper.network_threads=4
) or specify the percentage of threads in relation to the logical core count (for example, hyper.network_threads="300%"
).
Network threads are used for accepting new connections and sending or receiving data and queries. Hyper uses asynchronous networking, so many connections can be served by a single thread. Normally, the amount of work that is done on network threads is very low. The one exception is opening databases on slow file systems, which can take a long time and block the network thread. If connection times are slow when you try to view or edit dashboards that use extracts and have not been used in a while and you frequently see “asio-continuation-slow” messages in the Hyper log and long “construct-protocol” times to Hyper in the Tableau log, try to increase this value.
hyper.objectstore_validate_checksums
Default value: false
A boolean setting that controls file integrity checks in Hyper. When set to true
, Hyper will check the data in an extract file when it is first accessed. This allows silent corruption and corruption that would crash Hyper to be detected. In general, it is advisable to turn this setting on except for installations with very slow disks where it could cause performance regressions.
hyper.query_total_time_limit
Default value: 0
(which means unlimited)
Sets an upper bound on the total thread time that can be used by individual queries in Hyper. Append 's' to the value to indicate seconds, 'min' to indicate minutes or 'h' to indicate hours.
For example, to restrict all queries to a total time usage of 1500 seconds of total thread time, run the following command:
tsm configuration set -k hyper.query_total_time_limit -v 1500s
If a query runs longer then the specified limit, the query will fail and an error will be returned. This setting allows you to automatically control runaway queries that would otherwise use too many resources.
Hyper executes queries in parallel. For example, if a query executes for 100 seconds and during this time is running on 30 threads, the total thread time would be 3000 seconds. The thread time of each query is reported in the Hyper log in the “query-end” log entries in the “total-time” field.
hyper.session_memory_limit
Default value: 0
(which means unlimited)
Controls the maximum memory consumption that an individual query can have. Specify the number of bytes. Append the letter 'k' to the value to indicate kilobytes, 'm' to indicate megabytes, 'g' to indicate gigabytes or 't' to indicate terabytes.
For example, to set the memory limit to 900 megabytes, run the following command:
tsm configuration set -k hyper.session_memory_limit -v 900m
.
Alternatively, to specify the session memory limit as a percentage of the overall available system memory run the following command:
tsm configuration set -k hyper.session_memory_limit -v 90%
.
Lowering this value can help when a query is using excessive amounts of memory and making other queries fail over a long period of time. By lowering the limit, the single big query would fail (or resort to spooling if spooling isn’t turned off) and not have a negative impact on other queries.
hyper.srm_cpu_limit_percentage
Default value (in percent): 75
Specifies the maximum hourly average CPU usage permitted by Hyper. If exceeded, Data Engine will restart itself to minimise impact to other processes on the computer.
By default Data Engine will restart itself if it averages more than 75% usage of CPU over an hour. This value should not be changed except when working with Tableau Support, or if you are running Data Engine on a dedicated server node. If Data Engine is running on a dedicated node, you can safely increase this value to 95 percent to take full advantage of available computer hardware. For details on running Data Engine on a dedicated node, see Optimise for Extract Query-Heavy Environments.
To increase this to 95%:
tsm configuration set -k hyper.srm_cpu_limit_percentage -v 95 --force-keys
tsm pending-changes apply
To reset this to the default of 75%:
tsm configuration set -k hyper.srm_cpu_limit_percentage -v 75 --force-keys
tsm pending-changes apply
hyper_standalone.consistent_hashing.enabled
Default value: true
Improves the chance that the extract for a query is already cached. If the node with the extract cached cannot support additional load, you will be routed to a new node and the extract will be loaded into cache on the new node. This results in better system utilisation because extracts are only loaded into memory if there is load that justifies the need.
hyper_standalone.health.enabled
Default value: true
Switches the load balancing metric from random selection to picking the Data Engine (Hyper) node based on a health score that is made of up of a combination of current Hyper activity and system resource usage. Based on these values, the load balancer will pick the node that is most capable of handling an extract query.
hyper.temp_disk_space_limit
Default value: 100%
Sets the upper limit of disk space at which Hyper will stop allocating space for temporary files. This setting can help to stop the hard disk from filling up with temporary files from Hyper and running out of disk space. If disk space reaches this threshold, Hyper will attempt to recover automatically without administrator intervention.
Specify it as percentage of the overall available disk space to be used. For example, hyper.temp_disk_space_limit="96%"
. When set to 100%, all of the disk space that is available can be used.
For Data Engine to start, the configured amount of disk space must be available. If not enough disk space is available, you will see a Data Engine log entry that says, “Disk limit for temporary files has been reached. Please free up disk space on the device. See the Hyper log for more information: No space left on device”.
hyper.hard_concurrent_query_thread_limit
Default value: 150%
Use this option to set the maximum number of threads Hyper should use for running queries. Use this when you want to set a hard limit on the CPU usage. Specify either the number of threads or specify the percentage of threads in relation to the logical core count. Hyper will most likely not use more resources than are configured by this setting but Hyper background and network threads are not affected by this setting (though they tend to not be CPU intensive).
It is important to consider that this setting controls the number of concurrent queries that can be executed. So, if you decrease this setting, the chance of queries needing to wait for currently running queries to complete increases, which may affect workbook load times.
hyper.soft_concurrent_query_thread_limit
Default value: 100%
Use this option to specify the number of threads that a single query can be parallelised across if sufficiently many threads are available given the hard_concurrent_query_thread_limit
setting. Specify either the number of threads or specify the percentage of threads in relation to the logical core count.
To illustrate this, here is a simplified example:
Let's say you set this value to 10 threads, this means queries can be parallelised up to 10 threads. If only 2 queries are running, the remaining 8 threads are used to parallelise the 2 queries.
The hyper. hard_concurrent_query_thread_limit, and hyper.soft_concurrent_query_thread_limit options work together to give you some options to manage your CPU usage while maximising available CPU resources to complete queries faster. If you don't want the Data Engine to use all the available CPU on the machine, change it to less than 100% to a percentage that is optimal for your environment. The soft limit is a way for you to limit CPU usage but allow it to go beyond the soft limit up to the hard limit if necessary.
Note: The hyper.hard_concurrent_query_thread_limit and hyper.soft_concurrent_query_thread_limit options replace hyper.num_job_worker_threads and hyper.num_task_worker_threads options available in Tableau Server versions 2018.3 and earlier, and are retired and no longer available.
hyper.use_spooling_fallback
Default value: true
When set to true
, it allows spooling to disk when querying extracts exceeds set RAM usage (80% of installed RAM). In other words, it allows Hyper to execute a query using the disk if it exceeds RAM usage.
Tableau recommends that you use the default setting. You can turn this off by setting the value to false
if you are concerned about disk usage. If you turn this setting off, queries that use more than 80% of installed RAM will be cancelled. Spooling queries usually take substantially longer to finish.
For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.
indexandsearchserver.vmopts
Version: Added in version: 2022.1.
Default value: "-Xmx<default_value> -Xms<default_value>
"
The default value is based on the amount of system memory and is 3.125% of the total system RAM.
Controls the Index and Search Server heap size. Because the default value scales automatically, use this option to override the default value only when absolutely necessary. Append the letter 'k' to the value to indicate kilobytes, 'm' for megabytes or 'g' to indicate gigabytes. As a general rule, set initial heap size (-Xms
) equal to the maximum heap size (-Xmx
) to minimise garbage collections.
jmx.security.enabled
Version: Added in version: 2022.1.
Default value: false
JMX is disabled by default, so secure JMX is also disabled. If you are enabling JMX, we strongly recommend you enable secure JMX.
This is set to true
and turns secure JMX on with SSL and basic username/password authentication for readonly access when you run the tsm maintenance jmx enable
command and answer y
when prompted to enable security features for JMX:
tsm maintenance jmx enable We do not recommend you enable JMX unsecured on a production environment. Would you like to enable security features for JMX? (y/n): y
jmx.ssl.enabled
Version: Added in version: 2022.1.
Default value: true
Enforces SSL for JMX. This option defaults to true
but has no effect unless jmx.security.enabled
is also set to true
. To enable JMX security, run the tsm maintenance jmx enable
command. Answer y
when prompted to leave SSL enabled, or n
to disable SSL:
tsm maintenance jmx enable ... Would you like to enable SSL? (y/n): n
jmx.ssl.require_client_auth
Version: Added in version: 2022.1.
Default value: false
This is set to true
when you run the tsm maintenance jmx enable
command and answer y
when prompted to require client authentication (mTLS):
tsm maintenance jmx enable ... Would you like to require client authentication (mTLS)? (y/n): y
To complete configuration you must have a client cert and place this in the correct location on your client computer.
jmx.ssl.user.name
Version: Added in version: 2022.1.
Default value: tsmjmxuser
This is set when you install or upgrade Tableau Server.
jmx.ssl.user.password
Version: Added in version: 2022.1.
Default value: <generated>
This is set when you install or upgrade Tableau Server.
jmx.user.access
Version: Added in version: 2022.1.
Default value: readonly
You can change this to readwrite
when you run the tsm maintenance jmx enable
command and answer y
when prompted to add readwrite
access:
tsm maintenance jmx enable ... JMX access is readonly by default. Would you like to add readwrite access? (y/n): y
licensing.login_based_licence_management.default_requested_duration_seconds
Default value: 0
Set to the duration (in seconds) that a user's login-based licence can be offline with no connection to Tableau Server before they are prompted to activate again. This duration is always refreshed when Tableau Desktop is in use and can connect to Tableau Server.
licensing.login_based_license_management.enabled
Default value: true
Set to true to enable login-based licence management. Set to false to disable login-based licence management.
Note: In order to use login-based licence management, you must activate a product key that is enabled for login-based licence management. You can use the tsm licenses list
to see which product keys have login-based licence management enabled.
licensing.login_based_licence_management.max_requested_duration_seconds
Default value: 7776000
Set to the maximum duration (in seconds) that a user’s login-based licence can be offline with no connection to Tableau Server before they are prompted to activate Tableau again. The maximum value is 7776000 seconds (90 days). This duration is always refreshed when Tableau Desktop is in use and can connect to Tableau Server.
maestro.app_settings.sampling_max_row_limit
Default value: 1000000
Sets the maximum number of rows for sampling data from large data sets with Tableau Prep on the web.
maestro.input.allowed_paths
Default value: ""
By default, access to any directory will be denied, and only publishing to Tableau Server with content that is included in the tflx file is allowed.
A list of allowed network directories for flow input connections. You must enable Tableau Prep Conductor to schedule flows on your Tableau Server. For more information, see Tableau Prep Conductor.
The following rules apply and must be considered when configuring this setting:
Paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time.
Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example
\\myhost\myShare\*
or\\myhost\myShare*
are invalid paths and would result in all the paths as disallowed. The correct way to allowlist any folder under myShare would be\\myhost\myShare or \\myhost\\myShare\
.Note: The
\\myhost\myShare
configuration will not allow\\myhost\myShare1
. In order to safe list both of these folders, one would have to safe list them as \\myhost\myShare; \\myhost\myShare1.The value can be either
*
meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by “;”.Note: If a path is both on the flows allowed list and internal_disasslowed list, internal_disallowed takes precedence.
Important:
This command overwrites existing information and replaces it with the new information you provided. If you want to add a new location to an existing list, you must provide a list of all the locations, existing and the new one you want to add. Use the following commands to see the current list of input and output locations:tsm configuration get -k maestro.input.allowed_paths
tsm configuration get -k maestro.output.allowed_paths
For more information and details about configuring allowed directories for flow input and output connections, see Step 4: Safe list Input and Output locations(Link opens in a new window).
maestro.output.allowed_paths
Default value: ""
By default, access to any directories will be denied.
A list of allowed network directories for flow output connections. You must enable Tableau Prep Conductor to schedule flows on your Tableau Server. For more information, see Tableau Prep Conductor.
The following rules apply and must be considered when configuring this setting:
Paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time.
Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example
\\myhost\myShare\*
or\\myhost\myShare*
are invalid paths and would result in all the paths as disallowed. The correct way to allowlist any folder under myShare would be\\myhost\myShare or \\myhost\\myShare\
.Note: The
\\myhost\myShare
configuration will not allow\\myhost\myShare1
. In order to safe list both of these folders, one would have to safe list them as \\myhost\myShare; \\myhost\myShare1.The value can be either
*
meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by “;”.Note: If a path is both on the flows allowed list and internal_disasslowed list, internal_disallowed takes precedence.
For more information and details about configuring allowed directories for flow input and output connections, see Step 4: Safe list Input and Output locations(Link opens in a new window).
maestro.output.write_to_mssql_using_runas
Version: Added in version: 2022.3.1
Default value: false
When enabled, flow outputs published to Tableau Server are allowed write access to a Microsoft SQL Server database using Run As credentials. The credentials used by the Run As service account must have write permission to the database. Evaluate your security and deployment requirements before enabling the maestro.output.write_to_mssql_using_runas
setting. For more information, see Run As Service Account.
Note: This command requires the --force-keys
option. For example: tsm configuration set -k maestro.output.write_to_mssql_using_runas -v true --force-keys
.
maestro.sessionmanagement.maxConcurrentSessionPerUser
Default value: 4
Sets the maximum number of flow web editing sessions that a user can have open at one time.
metadata.ingestor.blocklist
Default value: null
When configured, Tableau Catalogue blocks specified content from being ingested. To specify which content to block, you must identify the blocklist values, which is a combination of both the site ID, content type and content ID of the content you want to block, from the server “noninteractive” log files. Blocklist values must be separated by a comma.
Important: You should only use this option when directed to do so by Tableau Support.
For example, you can use the tsm configuration set --force-keys -k metadata.ingestor.blocklist
to block ingestion of a combination of data sources, workbooks and flows using the following command:
tsm configuration set --force-keys -k metadata.ingestor.blocklist -v "sites/1/datasources/289, sites/2/datasources/111, sites/1/workbooks/32, sites/3/workbooks/15, sites/1/flows/13, sites/1/flows/18”
To validate blocked content, review the server “noninteractive” log files for the following events:
Skipping ingestion for
Successfully updated blocklist to
For example:
Skipping ingestion for contentType [Workbook], contentId [sites/1/datasources/289], siteDisabled [false], swallowEvent [false], contentBlocked [true]
Skipping ingestion for contentType [Workbook], contentId [sites/3/workbooks/15], siteDisabled [false], swallowEvent [false], contentBlocked [true]
and
Successfully updated blocklist to: [sites/1/datasources/289, sites/1/workbooks/32, sites/2/datasources/111]
metadata.ingestor.pipeline.throttleEventsEnable
Default value: false
Controls whether indexing of new and updated content, also called eventing, is regulated across all sites on the server. By default, event throttling is turned off. To turn on event throttling, change this setting to true
using the following command:
tsm configuration set -k metadata.ingestor.pipeline.throttleEventsEnable -v true --force-keys
For more information about event throttling, see Enable Tableau Catalog.
metadata.ingestor.pipeline.throttleLimit
Default value: 20
When event throttling is enabled, this is the maximum number of new and updated content items that can be indexed during a specified period of time. Once the specified limit is reached for a specific item, indexing is deferred.
By default, the limit is set to 20
and can't be set to lower than 2
. You can use the following command to change the limit:
tsm configuration set -k metadata.ingestor.pipeline.throttleLimit -v 25 --force-keys
Throttled events can be identified in the server "noninteractive" log files as ingestor event flagged for removal by throttle filter
.
metadata.ingestor.pipeline.throttlePeriodLength
Default value: 20
When event throttling is enabled, this is the period of time, in minutes, a specified maximum number of new and updated content items can be indexed. Once the specified time is reached, indexing of any additional new and updated content is deferred.
By default, the time is set to 30 minutes. You can use the following command to change the time:
tsm configuration set -k metadata.ingestor.pipeline.throttlePeriodLength -v PT45M --force-keys
metadata.query.limits.time
Default value: 20
This is the longest allowable time, in seconds, for a Catalogue or Metadata API query to run before a timeout occurs and the query is cancelled. Tableau recommends incrementally increasing the timeout limit to no more than 60 seconds using the following command:
tsm configuration set -k metadata.query.limits.time –v PT30S --force-keys
Important: This option should be changed only if you see the error described here, Timeout limit and node limit exceeded messages. Increasing the timeout limit can utilise more CPU for longer, which can impact the performance of tasks across Tableau Server. Increasing the timeout limit can also cause higher memory usage, which can cause issues with the interactive microservices container when queries run in parallel.
metadata.query.limits.count
Default value: 20000
This is the number of objects (which can loosely map to the number of query results) that Catalogue can return before the node limit is exceeded and the query is cancelled. Tableau recommends incrementally increasing the timeout limit, to no more than 100,000 using the following command:
tsm configuration set -k metadata.query.limits.count –v 3000 --force-keys
Important: This option should be changed only if you see the error described here, Timeout limit and node limit exceeded messages. Increasing the node limit can cause higher memory usage, which can cause issues with the interactive microservices container when queries run in parallel.
metadata.query.throttling.enabled
Version: Added in version 2023.3
Default value: true
Controls whether Metadata API(Link opens in a new window) query throttling is enabled. Metadata API query throttling is a feature designed to prevent a server's API responses from negatively impacting overall performance. When set to true
(the default), if a request to the Metadata API exceeds the defined threshold, a RATE_EXCEEDED
error is returned.
If Metadata API users are seeing frequent RATE_EXCEEDED
errors, an administrator can try to adjust throttling using the metadata.query.throttling.tokenRefilledPerSecond
and metadata.query.throttling.queryCostCapacity
settings. Alternatively, the administrator can disable throttling entirely by setting the metadata.query.throttling.enabled
value to false
. Doing so would prevent the performance-protecting benefits of the feature, however.
metadata.query.throttling.queryCostCapacity
Version: Added in version 2023.3
Default value: 20000000
A number representing the capacity that the Metadata API(Link opens in a new window) has for answering queries. Each request to the Metadata API has a calculated cost that is subtracted from this number when it's executed. (Using a token bucket model, this is the maximum amount of tokens that can be in the bucket.)
If Metadata API users are seeing frequent RATE_EXCEEDED
errors, an administrator can adjust throttling settings. They should adjust metadata.query.throttling.tokenRefilledPerSecond
and test the results before trying to adjust metadata.query.throttling.queryCostCapacity
. Alternatively, the administrator can disable throttling entirely by setting metadata.query.throttling.enabled
to false
. Doing so would prevent the performance-protecting benefits of the feature, however.
metadata.query.throttling.tokenRefilledPerSecond
Version: Added in version 2023.3
Default value: 5555
A number representing the amount of Metadata API(Link opens in a new window) query capacity that's regenerated every second. (Using a token bucket model, this is the number of tokens that are put into the bucket every second.)
If Metadata API users are seeing frequent RATE_EXCEEDED
errors, an administrator can adjust throttling settings. They should adjust metadata.query.throttling.tokenRefilledPerSecond
and test the results before trying to adjust metadata.query.throttling.queryCostCapacity
. Alternatively, the administrator can disable throttling entirely by setting metadata.query.throttling.enabled
to false
. Doing so would prevent the performance-protecting benefits of the feature, however.
metricsservices.checkIntervalInMinutes
Version: Retired in version 2024.2.
Default value: 60
Controls the interval, in minutes, between refreshes for metrics that rely on live data sources. A metric refreshes when the server checks for new data via the metric’s connected view.
metricsservices.enabled
Version: Added in version: 2022.3. Retired in version 2024.2.
Default value: true
When set to false
, the metrics content type is disabled for all sites on a server. For more information, see Disable metrics for a server.
Retirement of the legacy metrics feature
Tableau's legacy metrics feature was retired in Tableau Cloud in February 2024 and in Tableau Server version 2024.2. In October 2023, Tableau retired the ability to embed legacy metrics in Tableau Cloud and in Tableau Server version 2023.3. With Tableau Pulse, we've developed an improved experience to track metrics and ask questions of your data. For more information, see Create Metrics with Tableau Pulse to learn about the new experience and Create and Troubleshoot Metrics (Retired) for the retired feature.
metricsservices.failureCountToWarnUser
Version: Retired in version 2024.2.
Default value: 10
Controls the number of consecutive refresh failures that must occur before the metric owner is warned. When set to the default of 10, a metric refresh must fail 10 times in a row before the owner is sent a notification about the failure.
metricsservices.maxFailedRefreshAttempts
Version: Retired in version 2024.2.
Default value: 175
Controls the number of consecutive refresh failures that must occur before a metric refresh is suspended.
mobile.deep_linking.on_prem.enabled
Default value: true
Controls whether links to Tableau Server are treated as deep links by the Tableau Mobile app. When set to true
, links to supported content types open in the app. When set to false
, links open in the mobile browser. For more information see, Control deep linking for Tableau Mobile.
monitoring.dataengine.connection_timeout
Default value: 30000
The length of time, in milliseconds, that Cluster Controller will wait for the data engine, before determining that a connection timeout occurred. The default is 30,000 milliseconds (30 seconds).
native_api.allowed_paths
Default value: ""
Note: In Tableau Server releases (including maintenance releases) before October 2023, this setting was configured to allowed access to all paths by default.
Use this setting to specify an allowlist for access to files stored on Tableau or on remote shares. This scenario allows authorised Tableau Server users to build workbooks that use files on the server as file-based data sources (such as spreadsheets).
This setting allows you to limit access only to those directories that you specify. The tableau
system account access is therefore limited to the directory paths where you host data files.
tsm configuration set -k native_api.allowed_paths -v "path"
, where path is the directory to add to the allowlist. All subdirectories of the specified path will be added to the allowlist. If you want to specify multiple paths, separate them with a semicolon, as in this example:
tsm configuration set -k native_api.allowed_paths -v "/datasources;/HR/data"
Important: Make sure the file paths you specify in this setting exist and are accessible by the system account.
native_api.connection.limit.<connection class>
Set parallel query limit for the specified data source (connection class). This overrides the global limit for the data source.
native_api.connection.globallimit
Default value: 16
Global limit for parallel queries. Default is 16 except for Amazon Redshift which has a default of 8.
native_api.ExplainDataEnabled
Default value: true
This option controls whether Explain Data is enabled or disabled for the server. For more information about Explain Data, see Get Started with Explain Data(Link opens in a new window) in the Tableau Help.
This option was added beginning with Tableau Server version: 2019.3.
native_api.force_alternative_federation_engine
Default value: false
Override the operation restrictions when joining data from a single file connection and a single SQL database connection. Set this option to True
to force Tableau to process the join using the live database connection.
native_api.ProtocolTransitionLegacyFormat
Default value: false
Use the legacy name format for constrained delegation.
The name format was changed in version 10.1 to allow cross-domain protocol transition (S4U). If this causes problems with existing configurations and you don't need cross-domain protocol transition, configure Tableau Server to use the old behaviour by setting this to true
.
native_api.unc_mountpoints
Default value: none
Specifies UNC and FQDN path for shared Windows directories that are accessed by Tableau Server on Linux. Each path must also be referenced in a corresponding auto.cifs file. Separate each path by a semicolon, for example:
'//filesrv01/development;/mnt/filesrv01/development;//filesrv01.example.lan/development;/mnt/filesrv01/development'
Subsequent updates to the native_api.unc_mountpoints
value will overwrite the existing value. Therefore, each time you add a Windows share, you must include all shares in the updated value.
For more information, see the Community wiki topic, Connecting to a Windows Shared Directory(Link opens in a new window).
native_api.InitializeQueryCacheSizeBasedOnWeights
Default value: True
Controls whether the query cache size is initialised automatically based on the amount of available system memory. The query cache consists of the logical query cache, metadata cache and native query cache. By default, this functionality is enabled.
native_api.QueryCacheMaxAllowedMB
The maximum size of the query cache in megabytes. This value varies based on the amount of system memory. The query cache consists of the logical query cache, metadata cache and native query cache. Use the table below to determine your default value:
System Memory | Default Value for Tableau Server | Default Value for Tableau Desktop |
---|---|---|
64 GB and more | 3200 MB | 1600 MB |
From 32 GB to 64 GB | 2400 MB | 1200 MB |
From 16 GB to 32 GB | 1600 MB | 800 MB |
16 GB and less | 800 MB | 400 MB |
native_api.LogicalQueryCacheMaxAllowedWeight
Default value: 70
The weight of logical query cache size limit in the total query cache size.
native_api.MetadataQueryCachMaxAllowedWeight
Default value: 4
The weight of metadata query cache size limit in the total query cache size.
native_api.NativeQueryCacheMaxAllowedWeight
Default value: 26
The weight of native query cache size limit in the total query cache size.
native_api.QueryCacheEntryMaxAllowedInPercent
Default value: 60
Specifies the maximum size of query results that can be put into the query cache. It is set as the percentage of the total query cache size. For example, if the logical query cache size is 100 MB and native_api.QueryCacheEntryMaxAllowedInPercent
is set to 60 percent, then only query results that are smaller than 60 MB can be put into the logical query cache.
native_api.UserInfoInGeneratedSQLEnabled
Default value: false
Determines whether query tagging is enabled for all content on a Tableau Server. When true, queries sent from Tableau to customer SQL databases will include metadata about the source of the query. The resulting content in customer database logs can be used for troubleshooting performance or other issues.
nlp.concepts_shards_count
Default value: 1
Note: The default shard count value is sufficient for most Tableau Server installations.
Controls the number of data shards for the Concepts index of Ask Data, field names, field synonyms and analytical terms stored in shards in:
- The Index and Search Server for 2022.1 and later versions.
- Elastic Server for 2019.1 - 2021. 4
The shard count partitions the search index to reduce total index size, which may improve the performance of Ask Data's semantic parser. Adjusting the shard count is another performance enhancement measure that you can take along with increasing the heap size through elasticserver.vmopts
or indexandsearchserver.vmopts
, depending on the version of Tableau Server that you are running.
Tableau recommends increasing the shard count by 1 for every 50 GB. To reduce the number of times you need to adjust the shard count, calculate the total index size by adding 50% to the current index. For example, if the total index size is less than 50 GB, then 1 shard is sufficient. Actual performance will vary depending on the server, the rate at which the index size grows and other factors.
- 0 to 50 GB: 1
- 50 GB to 100 GB: 2
- 100 GB to 150 GB: 3
You can use the following command to increase the Concepts index shard count from default to 2:
tsm configuration set -k nlp.concepts_shards_count -v 2
nlp.values_shards_count
Default value: 1
Controls the number of data shards for the Concepts index of Ask Data, field names, field synonyms and analytical terms stored in shards in:
- The Index and Search Server for 2022.1 and later versions.
- Elastic Server for 2019.1 - 2021. 4
The shard count partitions the search index to reduce total index size, which may improve the performance of Ask Data's semantic parser. Adjusting the shard count is another performance enhancement measure that you can take along with increasing the heap size through elasticserver.vmopts
or indexandsearchserver.vmopts
, depending on the version of Tableau Server that you are running.
Tableau recommends increasing the shard count by 1 for every 50 GB. To reduce the number of times you need to adjust the shard count, calculate the total index size by adding 50% to the current index. For example, if the total index size is less than 50 GB, then 1 shard is sufficient. Actual performance will vary depending on the server, the rate at which the index size grows and other factors.
- 0 to 50 GB: 1
- 50 GB to 100 GB: 2
- 100 GB to 150 GB: 3
You can use the following command to increase the Values index shard count from default to 2:
tsm configuration set -k nlp.values_shards_count -v 2
nlp.defaultNewSiteAskDataMode
Default value: disabled_by_default
Use this option to set the initial value of the Ask Data Mode when a site is created. For more information see Disable or Enable Ask Data for a Site.
Valid options are disabled_by_default
and disabled_always
.
This option was added beginning with Tableau Server versions: 2019.4.5, 2020.1.3.
noninteractive.vmopts
Default value: "-XX:+UseConcMarkSweepGC -Xmx<default_value>g -XX:+ExitOnOutOfMemoryError"
The default value varies based on the amount of system memory. The JVM maximum heap size is scaled to be 6.25% of the total system RAM.
This option controls the JVM maximum heap size for Tableau Catalogue ingestion. Because the default value scales automatically, use this option to override the default value only when absolutely necessary by modifying the -Xmx<default_value>g
argument. For example, you can use the following command to increase the max heap size to 2 GB:
tsm configuration set -k noninteractive.vmopts -v "-XX:+UseConcMarkSweepGC -Xmx2g -XX:+ExitOnOutOfMemoryError"
For more information, see Memory for non-interactive microservice containers.
pgsql.port
Default value: 8060
Port that PostgreSQL listens on.
pgsql.preferred_host
Specifies the computer name of the node with the preferred repository installed. This value is used if the --preferred
or -r
option is specified with the tsm topology failover-repository command.
Example:
tsm configuration set -k pgsql.preferred_host -v "<host_name>"
Note: The host_name
is case-sensitive and must match the node name shown in the output of tsm status -v
.
pgsql.ssl.ciphersuite
Default value: HIGH:MEDIUM:!aNULL:!MD5:!RC4
Specifies the cipher algorithms that are allowed for SSL for the Repository.
For acceptable values and formatting requirements, see ssl_ciphers(Link opens in a new window) on the Postgres website.
pgsql.ssl.max_protocol_version
Default value:TLSv1.3
Sets the maximum SSL/TLS protocol version to use when connecting to the repository over SSL.
Valid values: TLSv1
, TLSv1.1
, TLSv1.2
, TLSv1.3
pgsql.ssl.min_protocol_version
Default value:TLSv1.2
Sets the minimum SSL/TLS protocol version to use when connecting to the repository over SSL.
Valid values: TLSv1
, TLSv1.1
, TLSv1.2
, TLSv1.3
pgsql.verify_restore.port
Default value: 8061
Port used to verify the integrity of the PostgreSQL database. See tsm maintenance backup for more information.
ports.blocklist
Version: Added in version 2021.1
Default value: no ports blocked in the range used for automatic port assignment.
Used to specify ports within the port assignment range that should not be used by Tableau when dynamically assigning ports. This is useful when you know that another application is using a port within the range. Separate multiple ports with commas, for example:
tsm configuration set -k ports.blocklist -v 8000,8089, 8090
For more information on using the ports.blocklist
key, see Blocking specific ports within the range
recommendations.enabled
Default value: true
Controls the recommendations feature, which powers recommendations for data sources and tables (for Tableau Desktop) and recommendations for views (for Tableau Server). Recommendations are based on the popularity of content and on content used by other users determined to be similar to the current user.
recommendations.vizrecs.enabled
Default value: true
Controls recommendations for views for Tableau Server users. This option is a child of recommendations.enabled
and will have no effect if the parent option is set to false. When the parent option is set to true, and this option is set to false, data sources and tables will still be recommended to Tableau Desktop users, but recommendations for views on Tableau Server will be disabled.
redis.max_memory_in_mb
Default value: 1024
Specifies the size in megabytes of the cache server external query cache.
refresh_token.absolute_expiry_in_seconds
Default value: 31536000
Specifies the number of seconds for absolute expiration of refresh tokens and personal access tokens (PATs).
Refresh tokens are used by connected clients (Tableau Desktop, Tableau Prep Builder, Tableau Mobile, etc.) for authentication to Tableau Server after initial sign-in.
To remove limits set the value to -1
. To disable refresh tokens and PATs, see Disable Automatic Client Authentication.
refresh_token.idle_expiry_in_seconds
Default value: 1209600
Specifies the number of seconds when idle refresh tokens expire. The refresh tokens are used by connected clients (Tableau Desktop, Tableau Prep Builder, Tableau Mobile, etc.) for authentication to Tableau Server after initial sign-in. To remove limits set the value to -1
.
refresh_token.max_count_per_user
Default value: 24
Specifies the maximum number of refresh tokens that can be issued for each user. If the maximum number of user sessions is not enough, increase this value or set it to -1
to entirely remove this refresh token limit.
rsync.timeout
Default value: 600
Longest allowable time, in seconds, for completing file synchronisation (600 seconds = 10 minutes). File synchronisation occurs as part of configuring high availability, or moving the data engine and repository processes.
schedules.display_schedule_description_as_name
Default value: false
Controls whether a schedule name displays when creating a subscription or extract refresh (the default), or the "schedule frequency description" name describing the time and frequency of the schedule displays. To configure Tableau Server to display timezone-sensitive names for schedules, set this value to true
.
When true, the "schedule frequency description" is also displayed after the schedule name on the schedule list page.
schedules.display_schedules_in_client_timezone
Default value: true
Shows the "schedule frequency description" in the timezone of the user when true (uses the client browser timezone to calculate the "schedule frequency description").
schedules.ignore_extract_task_priority
Default value (boolean): False
This setting controls whether or not task priority is considered for determining the job rank which determines when to pull jobs off the queue. Setting this to true
disables editing the task priority on tasks, and only schedule priority will be considered for determining the job rank.
searchserver.connection_timeout_milliseconds
Version: Added in version 2019.1. Deprecated in version 2022.3. Retired in version 2023.3.
Default value, in milliseconds: 100000
Specifies, in milliseconds, the amount of time Search & Browse clients will wait to establish a connection to the Search & Browse server.
On especially busy Tableau Server computers, or if you see log errors "Failed zookeeper health check. Refusing to start SOLR." increase this value.
For more information, see Client session timeouts.
searchserver.index.bulk_query_user_groups
Version: Retired in version 2022.3.
Default value: true
Specifies whether querying of site users is done in bulk when importing or deleting users with a CSV file. When set to true
(the default), indexing is done as in bulk.
searchserver.javamemopts
Version: Added in version 2019.1. Retired in 2023.3
Default value: -Xmx512m -Xms512m -XX:+ExitOnOutOfMemoryError -XX:-UsePerfData
Determines JVM options for SOLR.
Of all configurable options, the maximum heap memory, configured by the -Xmx
parameter, is the most important when tuning the searchserver. In most cases this should be set as high as is possible, up to 24 GB, based on available physical memory on the Tableau Server computer. To change only the max heap memory, specify the entire default string but only change the value for -Xmx
.
Valid values for -Xmx
depend on available memory on the Tableau Server computer, but cannot be greater than 24 GB. For more information, see Search & Browse Max Heap Memory.
searchserver.startup.zookeeper_healthcheck_timeout_ms
Version: Added in version 2020.1. Retired in version 2023.3.
Default value, in milliseconds: 300000
Specifies, in milliseconds, the amount of time Tableau Server should wait for a successful Zookeeper health check on startup.
On especially busy Tableau Server computers, or if you see log errors "Failed zookeeper health check. Refusing to start SOLR." increase this value.
For more information, see Zookeeper connection health check timeout at startup.
searchserver.zookeeper_session_timeout_milliseconds
Version: Retired in version 2022.3.
Default value, in milliseconds: 100000
Specifies, in milliseconds, the amount of time Search & Browse clients will wait to establish a connection to the Coordination Service (Zookeeper).
For more information, see Client session timeouts.
ServerExportCSVMaxRowsByCols
Version: Added in version 2020.3.
Default value: 0
(no limit)
Specifies the maximum number of cells of data that can be downloaded from View Data into a CSV file. By default, there is no limit. Specify the number of cells. For example to set a limit of 3 million:
tsm configuration set -k ServerExportCSVMaxRowsByCols -v 3000000
tsm pending-changes apply
service.jmx_enabled
Default value: false
Setting to true
enables JMX ports for optional monitoring and troubleshooting.
service.max_procs
Default value: <number>
Maximum number of server processes.
service.port_remapping.enabled
Default value: true
Determines whether or not Tableau Server will attempt to dynamically remap ports when the default or configured ports are unavailable. Setting to false
disables dynamic port remapping.
sheet_image.enabled
Default value: true
Controls whether you can get images for views with the REST API. For more information, see REST API Reference.
ssl.ciphersuite
Default value: HIGH:MEDIUM:!EXP:!aNULL:!MD5:!RC4:!3DES:!CAMELLIA:!IDEA:!SEED
Specifies the cipher algorithms that are allowed for SSL for Gateway.
For acceptable values and formatting requirements, see SSLCipherSuite(Link opens in a new window) on the Apache website.
ssl.client_certificate_login.blocklisted_signature_algorithms
Default value:
Version 2020.4.0:
sha1withrsaencryption,
sha1withrsaVersion 2020.4.1 and later:
sha1withrsaencryption,
sha1withrsa,
sha1withrsaandmgf1,
sha1withdsa,
sha1withecdsa
The default value blocks certificates with the SHA-1 signing algorithm. Specifies the client signing algorithms that are blocked for SSL. To disable blocking of all signature algorithms, run this key with an empty set of quotes.
For more information about this key, see the Knowledge Base article, Mutual SSL Fails After Upgrading if Certificates Signed with SHA-1(Link opens in a new window).
ssl.client_certificate_login.min_allowed.elliptic_curve_size
Default value: 256
Specifies the minimum elliptic curve size required for ECDSA client certificates that are authenticating with Tableau Server over mutual SSL If a client presents an ECDSA client certificate that does not satisfy this minimum curve size, the authentication request will fail.
This option was introduced in Tableau Server version 2021.1.
ssl.client_certificate_login.min_allowed.rsa_key_size
Default value: 2048
Specifies the minimum key size for RSA client certificates that are authenticating with Tableau Server over mutual SSL If a client presents an RSA client certificate that does not satisfy this minimum key size, the authentication request will fail.
This option was introduced in Tableau Server version 2021.1.
ssl.protocols
Default value: all +TLSv1.2 -SSLv2 -SSLv3 -TLSv1.3
Specifies the SSL protocols that Tableau Server supports for TLS connections for Gateway. Acceptable values derive from the Apache SSLPrtocol Directive(Link opens in a new window). We recommend following SSL protocol configuration as described in Security Hardening Checklist.
storage.monitoring.email_enabled
Default value: false
Controls whether email notifications are enabled for server disk space monitoring. By default, email notifications are enabled. To enable notifications for disk space monitoring, set this to true
.
SMTP must be configured for notifications to be sent. For details, see Configure SMTP Setup.
storage.monitoring.warning_percent
Default value: 20
Warning threshold of remaining disk space, in percentage of total disk space. If disk space falls below this threshold, a warning notification is sent.
storage.monitoring.critical_percent
Default value: 10
Critical threshold of remaining disk space, in percentage of total disk space. If disk space falls below this threshold, a critical notification is sent.
storage.monitoring.email_interval_min
Default value: 60
How often, in minutes, that email notifications should be sent when disk space monitoring is enabled and a threshold is crossed.
storage.monitoring.record_history_enabled
Default value: true
Determines whether free disk space history is saved and available to view in Administrative Views. To disable history storage for monitoring, set storage.monitoring.record_history_enabled
to false
.
subscriptions.enabled
Default value: false
Controls whether subscriptions are configurable system-wide. See Set Up a Site for Subscriptions.
subscriptions.timeout
Default value: 1800
Length of time, in seconds, for a view in a workbook subscription task to be rendered before the task times out. If this time limit is reached while a view is being rendered, the rendering continues, but any subsequent view in the workbook is not rendered, and the job ends in error. In the case of a single-view workbook, this value will never result in the rendering being halted due to a timeout.
svcmonitor.notification.smtp.enabled
Default value: false
Controls whether email notifications are enabled for server process events. By default notifications are sent when processes go down, fail over or restart. To enable server process notifications, set this to true
.
SMTP must be configured for notifications to be sent. For details, see Configure SMTP Setup.
svcmonitor.notification.smtp.mime_use_multipart_mixed
Version: Added in version: 2020.1.8, 2020.2.5, 2020.3.1
Default value: false
Controls whether subscription HTML MIME attachments are sent as multipart/related (the default) or multipart/mixed.
In rare cases, email clients may not properly parse emails sent by Tableau Server. Many times this can be fixed by setting this property to true
. Known clients include iOS Mail and Microsoft Outlook (when paired with Exchange S/MIME encryption).
tabadmincontroller.auth.expiration.minutes
Default value: 120
Controls how long session cookies are valid. By default this is set to 120 minutes. This value also determines how long the embedded credentials in a node bootstrap file are valid. For more information, see tsm topology nodes get-bootstrap-file.
tdsservice.log.level
Version: Added in version 2020.3.0
Default value: info
The logging level for the Data Source Properties service. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.
tomcat.http.maxrequestsize
Default value: 16380
The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.
A low value for tomcat.http.maxrequestsize
may result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.
We recommend setting gateway.http.request_size_limit
option to the same value that you set for this option.
tomcat.http.proxyHost
Specifies forward proxy host name for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.
tomcat.http.ProxyPort
Specifies forward proxy port for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.
tomcat.https.proxyHost
Specifies forward proxy host name for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.
tomcat.https.ProxyPort
Specifies forward proxy port for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.
tomcat.https.port
Default value: 8443
SSL port for Tomcat (unused).
tomcat.server.port
Default value: 8085
Port that tomcat listens on for shutdown messages.
tomcat.useSystemProxies
Default value: false
Specifies whether tomcat components (OpenID) require access to the forward proxy configuration on the local Windows operating system. See Configure Tableau Server for OpenID Connect.
tomcatcontainer.log.level
Default value: info
The logging level for microservices in the Interactive Microservice Container and Non-Interactive Microservice Container. This is dynamically configurable starting in version 2020.4, so if you are only changing this, you do not have to restart Tableau Server. For more information, see Change Logging Levels.
tsm.log.level
Default value: info
Logging level for TSM services. These logs include information that can be useful if you have problems with TSM services: Administration Agent, Administration Controller, Client File Service, Cluster Controller, Service Manager and Licence Service. This configuration key does not change the logging level for Coordination Service or for maintenance processes. For more information, see Change Logging Levels and Tableau Server Processes.
tsm.controlapp.log.level
Default value: info
Logging level for control_<app>
services. These logs include information that can be useful if you are running into problems starting or reconfiguring a TSM or Tableau Server process. For more information, see Change Logging Levels.
usernotifications.reap_after_days
Default value: 30
Number of days after which a user notification will be deleted from the server.
vizportal.adsync.update_system_user
Default value: false
Specifies whether email addresses and display names of users are changed (even when changed in Active Directory) when an Active Directory group is synchronised in Tableau Server. To ensure that user email addresses and display names are updated during synchronisation, set vizportal.adsync.update_system_user
to true
, and then restart the server.
vizportal.alwaysUseEmbeddedShareLinks
Version: Added in version 2021.3.0
Default value: false
Specifies whether the Copy Link option should include the "embed=y" parameter. Starting in version 2019.4, by default, it does not include this parameter. Setting this configuration key to true changes the behaviour so that the "embed=y" parameter is included. For details about using the Copy Link option to share links for embedding in web pages, see Embed Views into Webpages(Link opens in a new window) in the Tableau Desktop and Web Authoring Help.
vizportal.art_skip_list
Version: Added in version 2024.2.
Default value: null
Use this configuration key to specify aspects of Tableau Server functionality that do not use Activity and Resource Tracing (ART) and will generate large amounts of unnecessary data while ART is enabled.
This key is used together with vizportal.log_art_java
and vizportal.enable_art
for troubleshooting issues with Application Server (VizPortal). When set to [need info here about what it gets set to.] To learn how to use this configuration setting, see Troubleshooting problems with Application Server.
vizportal.commenting.delete_enabled
Default value: true
When set to true
, lets users delete comments on views. You can delete a comment if you created it, are the content owner, a project leader with an appropriate site role or are an administrator. To learn which site roles are required for full project leader access, see Project-level administration.
vizportal.csv_user_mgmt.index_site_users
Version: Deprecated in version 2022.3. Retired (removed entirely) in version 2023.3.
Default value: true
Specifies whether indexing of site users is done user by user when importing or deleting users with a CSV file. When set to true
(the default) indexing is done as each user is added or deleted. To delay the indexing of the site users until after the entire CSV file has been processed, set this to false
.
vizportal.csv_user_mgmt.bulk_index_users
Version: Deprecated in version 2022.3. Retired (removed entirely) in version 2023.3.
Default value: false
Specifies whether indexing of site users is done in bulk when importing or deleting users with a CSV file. When set to false
(the default), indexing is done individually. To have the indexing done in bulk after the CSV file has been processed, set this to true
.
vizportal.enable_art
Version: Added in version 2024.2.
Default value: false
This configuration key is used together with vizportal.log_art_java
and vizportal.art_skip_list
for troubleshooting issues with Application Server (VizPortal). When set to true, this enables Activity and Resource Tracing in Application Server. To learn how to use this configuration setting, see Troubleshooting problems with Application Server.
vizportal.log_art_java
Version: Added in version 2024.2.
Default value: false
This configuration key is used together with vizportal.enable_art
and vizportal.art_skip_list
for troubleshooting issues with Application Server (VizPortal). When set to true, this enables Activity and Resource Tracing in Application Server. To learn how to use this configuration setting, see Troubleshooting problems with Application Server.
vizportal.log.level
Default value: info
The logging level for vizportal Java components. Logs are written to /var/opt/tableau/tableau_server/data/tabsvc/logs/vizportal/*.log
.
Set to debug
for more information. Using the debug setting can significantly impact performance, so you should only use this setting when directed to do so by Tableau Support.
Beginning with version 2020.4.0, this is dynamically configurable, so if you are only changing this, you do not have to restart Tableau Server. For more information, see Change Logging Levels.
vizportal.oauth.connected_apps.max_expiration_period_in_minutes
Version: Added in version 2021.4.
Default value: 10
The maximum period of time, in minutes, the JSON web token (JWT) is valid. At the time the JWT is verified, Tableau Server checks that the time period specified in the JWT doesn’t exceed this default value. This setting is used when a Tableau-connected app has been configured on Tableau Server using the Tableau REST API(Link opens in a new window).
For example, to change maximum period to 5 minutes, run the following command:
tsm configuration set -k vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes -v 5
vizportal.oauth.external_authorization.enabled
Version: Added in version 2021.4.
Default value: false
In Tableau Server 2024.2 and later, the Enable connected apps option is enabled for Tableau Server. In Tableau Server 2023.2 and earlier, it is specified whether the Enable OAuth Access for Embedding Content option is enabled for Tableau Server.
Use this option to register an external authorisation server (EAS) with Tableau Server so that you can enable application integration. For more information, see Configure Connected Apps with OAuth 2.0 Trust.
To enable this option, run the following command:
tsm configuration set -k vizportal.oauth.external_authorization.enabled -v true
vizportal.oauth.external_authorization_server.blocklisted_jws_algorithms
Version: Added in version 2021.4.
Default value: ES256K
When an external authorisation server (EAS) is registered or connected app is configured, you can use this command to specify the signing algorithm used in JSON web token (JWT) header. For more information, see Configure Connected Apps with OAuth 2.0 Trust or Use Tableau Connected Apps for Application Integration.
For example, if needed, you might run the following command to remove the algorithm:
tsm configuration set - k vizportal.oauth.external_authorization_server.blocklisted_jws_algorithms -v
Important: The example command above allows unsafe signing algorithms and should only be used to troubleshoot errors.
vizportal.oauth.external_authorization_server.issuer
Version: Added in version 2021.4.
Default value: null
Required. Use this command to specify the issuer URL. The issuer URL is required to register the external authorisation server (EAS) with Tableau Server. For more information, see Configure Connected Apps with OAuth 2.0 Trust.
For example, if your EAS is Okta, you might run a command similar to the following:
tsm configuration set -k vizportal.oauth.external_authorization_server.issuer -v "https://dev-12345678.okta.com/oauth2/abcdefg9abc8eFghi76j5"
vizportal.oauth.external_authorization_server.jwks
Version: Added in version 2021.4.
Default value: null
When an external authorisation server (EAS) is registered, you can use this command to specify the JSON web key set (JWKS) URL. The JWKS URL is required if the identity provider (IdP) doesn’t expose the external authorisation server metadata endpoint.
For example, if your IdP is Amazon Cognito, you might run a command similar to the following:
tsm configuration set -k vizportal.oauth.external_authorization_server.jwks -v "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_Ab129faBb/.well-known/jwks.json"
vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes
Version: Added in version 2021.4.
Default value: 10
The maximum period of time, in minutes, the JSON web token (JWT) is valid. At the time the JWT is verified, Tableau Server checks that the time period specified in the JWT doesn’t exceed this default value. This setting is used when an EAS has been registered with Tableau Server. For more information, see Configure Connected Apps with OAuth 2.0 Trust.
For example, to change maximum period to 5 minutes, run the following command:
tsm configuration set -k vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes -v 5
vizportal.openid.client_authentication
Specifies custom client authentication method for OpenID Connect.
To configure Tableau Server to use the IdPs that require the client_secret_post
, set this value to client_secret_post
.
An example would be when connecting to the Salesforce IDP, which requires this.
vizportal.openid.essential_acr_values
Version: Added in version 2020.4.
Specifies a list of authentication context class reference (ACR) values to provide the OpenID Connect IdP as an essential claim request. The IdP is responsible for ensuring that authentication meets the expected criteria. If the vizportal.openid.essential_acr_values
configuration key is populated, Tableau Server acts as the relying party and will inspect the ACR claim in the token response. Tableau Server will only warn if the ACR claim doesn't match the expected configuration key value.
To set this option, enter the ACR values in order of preference, enclosed by double-quotes. You must separate multiple values by a comma and space, as in this example:
tsm configuration set -k vizportal.openid.essential_acr_values -v "value1, value2"
vizportal.openid.full_server_request_logging_enabled
Default value: false
Specifies whether to do full logging of OpenID activity.
Set this to true
when troubleshooting OpenID Connect issues to gather more detailed logs and allow you to better troubleshoot.
As with all logging-related configurations, we recommend that after you have finished troubleshooting and collecting logs, you reset this key to its default (false
). This limits the amount of information logged and keeps the log file sizes to a minimum.
vizportal.openid.voluntary_acr_values
Version: Added in version 2020.4.
Specifies a list of authentication context class reference (ACR) values to provide the OpenID Connect IdP as a voluntary claim request. The IdP is responsible for ensuring that authentication meets the expected criteria. If the vizportal.openid.voluntary_acr_values
configuration key is populated, Tableau Server acts as the relying party and will inspect the ACR claim in the token response. The authentication request will fail if the ACR claim is missing or the provided claim value doesn't match the expected configuration key value.
To set this option, enter the ACR values in order of preference, enclosed by double-quotes. You must separate multiple values by a comma and space, as in this example:
tsm configuration set -k vizportal.openid.voluntary_acr_values -v "value1, value2"
vizportal.password_reset
Version: Replaces features.PasswordReset
in version 2024.2.
Default value: false
Applies only to servers that use local authentication. Set to true
to let users reset their passwords with a "Forgot password" option on the sign-in page.
vizportal.rest_api.cors.allow_origin
Specifies the origins (sites) that are allowed access to the REST API endpoints on Tableau Server when vizportal.rest_api.cors.enabled
is set to true
. You can specify more than one origin by separating each entry with a comma (,).
tsm configuration set -k vizportal.rest_api.cors.allow_origin -v https://mysite, https://yoursite
If vizportal.rest_api.cors.enabled
is false
, the origins listed by this option are ignored. For more information, see Enabling CORS on Tableau Server.
Note: You can use an asterisk (*) as a wild card to match all sites. This is not recommended as it allows access from any origin that has access to the server and can present a security risk. Do not use an asterisk (*) unless you fully understand the implications and risks for your site.
vizportal.rest_api.cors.enabled
Default value: false
Controls whether Tableau Server allows Cross Origin Resource Sharing (CORS). When set to true
, the server allows web browsers to access the Tableau REST API endpoints. You can use this option and the REST API to create custom portals. By default, this functionality is not enabled. To specify which origins (sites) have access, use the vizportal.rest_api.cors.allow_origin
option. Only the origins specified with this option are allowed to make requests to the Tableau Server REST API. For more information, see Enabling CORS on Tableau Server.
vizportal.site_user_group_count_enabled
Version: Added in version 2022.3.5 and later, 2023.1.0 and later.
Default value: false
Controls whether Site Users page will include a column showing the group count for each user.
vizqlserver.allow_insecure_scripts
Default value: false
Allows a workbook to be published to the server from Tableau Desktop, and to be opened from the server, even if the workbook contains SQL or R expressions that are potentially unsafe (for example, a SQL expression that could potentially allow SQL injection). When this setting is false
(the default), publishing a workbook or opening it from the server results in an error message, and the workbook is blocked. Before you set this value to true
review the Knowledge Base article, Blocking or Allowing Insecure Scripts in Tableau Server(Link opens in a new window).
vizqlserver.browser.render
Default value: true
Views under the threshold set by vizqlserver.browser.render_threshold
or vizqlserver.browser.render_threshold_mobile
are rendered by the client web browser instead of by the server. See Configure Client-Side Rendering for details.
vizqlserver.browser.render_threshold
Default value: 100
The default value represents a high level of complexity for a view displayed on a PC. Complexity factors include number of marks, headers, reference lines and annotations. Views that exceed this level of complexity are rendered by the server instead of in the PC's web browser.
vizqlserver.browser.render_threshold_mobile
Default value: 60
The default value represents a high level of complexity for a view displayed on a tablet. Complexity factors include number of marks, headers, reference lines and annotations. Views that exceed this level of complexity are rendered by the server instead of in the tablet's web browser.
vizqlserver.clear_session_on_unload
Default value: false
Determines whether or not VizQL sessions are kept in memory when a user navigates away from a view or closes their browser. The default value (false) keeps sessions in memory. To close VizQL sessions on leaving a view or closing a browser, set this to true
.
vizqlserver.force_maps_to_offline
Version: Added in version 2020.4.0.
Default value: false
Determines whether Tableau Server runs in offline mode for maps. This is useful in disconnected environments where access to the internet and the map server is restricted. To enable offline mode for maps, set this value to true
. For more information about installing and configuring Tableau Server in an environment without internet access, see Install Tableau Server in a Disconnected (Air-Gapped) Environment.
vizqlserver.geosearch_cache_size
Default value: 5
Sets the maximum number of different geographic search locale/language data sets that can be loaded into server memory at the same time. When the server receives a geographic search request for locale/language data set that is not in memory, it will load the set into memory. If loading the data set will exceed the specified limit, the least recently used locale/language data set is cleared from memory so the requested one can be loaded. The minimum value is 1. Each cache takes approximately 60 MB in memory (so if you set this to 10, the memory usage would be 600 MB (60 * 10).
vizqlserver.initialsql.disabled
Default value: false
Specify whether to ignore initial SQL statements for all data sources. Set this to true to ignore initial SQL:
tsm configuration set -k vizqlserver.initialsql.disabled -v true
vizqlserver.log.level
Default value: info
The logging level for VizQL Server Java components. Logs are written to /var/opt/tableau/tableau_server/data/tabsvc/logs/vizqlserver/*.log
.
Set to debug
for more information. Using the debug setting can significantly impact performance, so you should only use it when directed to do so by Tableau Support.
Beginning with version 2020.3.0, this is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.
vizqlserver.NumberOfWorkbookChangesBetweenAutoSaves
Default value: 5
Auto recover configuration for web authoring. Specifies the number of changes that a user must make to trigger auto save. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.
vizqlserver_<n>.port
The port a VizQL server instance (specified by "<n>") is running on.
vizqlserver.protect_sessions
Version: Retired in 2024.2.0. Beginning in 2024.2.0, Tableau Server always prevents VizQL sessions from being reused after the original user signs out.
Default value: true
When set to true
, prevents VizQL sessions from being reused after the original user signs out.
vizqlserver.querylimit
Default value: 1800
Longest allowable time for updating a view, in seconds. 1800 seconds = 30 minutes. This configuration option impacts VizQL Server and Data Server.
vizqlserver.RecoveryAttemptLimitPerSession
Default value: 3
Auto recover configuration for web authoring. The maximum number of attempts to recover the same session. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.
vizqlserver.session.expiry.minimum
Default value: 5
Number of minutes of idle time after which a VizQL session is eligible to be discarded if the VizQL process starts to run out of memory.
vizqlserver.session.expiry.timeout
Default value: 30
Number of minutes of idle time after which a VizQL session is discarded.
vizqlserver.sheet_image_api.max_age_floor
Default value: 1
The amount of time, in minutes, to cache images that are generated by the Query View Image method of the REST API. For more information, see the REST API Reference(Link opens in a new window) in the REST API help.
vizqlserver.showdownload
Default value: true
Controls the display of the Tableau Workbook option of the Download menu in views. When set to false
, the Tableau Workbook option is unavailable.
Note: This setting does not remove the option for users in Web Edit mode.
vizqlserver.showshare
Default value: true
Controls the display of Share options in views. To hide these options, set to false.
Note: Users can override the server default by setting the "showShareOptions" JavaScript or URL parameter.
vizqlserver.url_scheme_allowlist
Specifies one or more URL schemes to allow (safe list) when using URL actions(Link opens in a new window) on views and dashboards. The schemes http
, https
, gopher
, mailto
, news
, sms
, tel
, tsc
and tsl
are allowed (safe listed) by default. This command can contain multiple comma and space-separated values, as in this example:
tsm configuration set -k vizqlserver.url_scheme_whitelist -v scheme1, scheme2
The values you specify overwrite previous settings. Therefore, you must include the full list of schemes in the set
command. (You cannot amend the list of schemes by running the set
command repeatedly.)
vizqlserver.web_page_objects_enabled
Default value: true
Controls whether Web Page objects in dashboards can display target URLs. To prevent web pages from appearing, set to false.
vizqlserver.WorkbookTooLargeToCheckpointSizeKiB
Default value: 5120
Auto recover configuration for web authoring. Size limit (KB) for a workbook that will auto save. Workbooks larger than this value will not be auto-saved. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.
Note: Older versions of Server use a default value: 1024
vizqlserver.workflow_objects_enabled
Default value: true
Determines whether the Tableau External Actions Workflow object can be added to dashboards.
webdataconnector.refresh.enabled
Deprecated. Use tsm data-access web-data-connectors allow
instead.
Determines whether extract refreshes for web data connectors (WDCs) are enabled in Tableau Server. To disable refresh for all WDCs, set the value for this key to false
, as shown below:
tsm configuration set --key webdataconnector.refresh.enabled --value false
To learn more, see Web Data Connectors in Tableau Server.
webdataconnector.allowlist.fixed
Deprecated. Use tsm data-access web-data-connectors add
instead.
Specifies one or more web data connectors (WDCs) that can be used by to access data connections that are accessible over HTTP or HTTPS. This command is formatted as JSON data on a single line, with all double-quotes (") escaped using a backslash (\).
For example to add a San Francisco Film Locations WDC to the safe list:
tsm configuration set --key webdataconnector.whitelist.fixed --value "'{\"https://tableau.data.world:443\": {\"properties\": { \"secondary_whitelist\": [\"(https://data.world/)(.*)\"] } } }'"
To learn more, see Web Data Connectors in Tableau Server.
webdataconnector.enabled
Deprecated. Use tsm data-access web-data-connectors allow
instead.
Default value: true
When set to true
, you can use tsm
commands to manage web data connectors on the server.
webdataconnector.allowlist.mode
Default value: mixed
Determines how Tableau Server can run web data connectors. Supported modes are:
mixed
. Users can run connectors that are on an allowlist (safe list) of URLs. This mode originally also allowed users to run WDCs that had been imported. Importing WDCs is no longer supported.fixed
. Users can run connectors that are on an allowlist (safe list) of URLs.insecure
. Users can run any connector.
Important: Use the insecure
option only for development and testing. Because connectors run custom code, running connectors that have not been vetted can pose a security threat.
wgserver.audit_history_expiration_days
Default value: 183
Specifies the number of days after which historical events records are removed from the PostgreSQL database (the Tableau Server database).
wgserver.authentication.legacy_identity_mode.enabled
Version: Added in version 2022.1
Default value: false
for Tableau Server 2022.1 and later. For pre-2022.1 Tableau Server deployments upgraded to 2022.1 or later, default value is true
.
Set to false
to use identity pools.
For more information, see Troubleshoot identity pools.
wgserver.authentication.identity_pools.default_pool_description
Version: Added in version 2023.1
Default value: Null
Optionally, you can add a description for the initial pool (TSM configured) to the Tableau Server landing page and is visible to all users. When one or more identity pools are created, this description is added below the primary sign-in option and can be used to help guide users that belong to the initial pool (TSM configured) to the correct sign-in option.
For example, to add a “Regular employees sign in here” description, you can use the following command:
tsm configuration set -k wgserver.authentication.identity_pools.default_pool_description -v “Regular employees sign in here"
Note: The initial pool (TSM configured) description is different from the Sign-In Customisation note. The Sign In Customisation note is displayed on the Tableau Server landing page below all sign-in options and on the page where your initial pool (TSM configured) users enter their username and password.
wgserver.change_owner.enabled
Default value: true
Controls whether the ownership of a workbook, data source or project can be changed. Other options include false
and adminonly
.
wgserver.clickjack_defense.enabled
Default value: true
When set to true
, helps prevents a malicious person from "clickjacking" a Tableau Server user. In a clickjack attack, the target page is displayed transparently over a second page, and the attacker gets the user to click or enter information in the target page while the user thinks he or she is interacting with the second page.
For more information, see Clickjack Protection.
wgserver.domain.accept_list
Version: This was added in version 2020.4.0 and replaces wgserver.domain.whitelist
.
Default value: null
Allows connection from Tableau Server to secondary Active Directory domains. A secondary domain is one that Tableau Server connects to for user synchronisation, but is a domain where Tableau Server is not installed. Tableau Server will attempt to connect to secondary domains for user and group synchronisation. In some cases, Tableau Server may be unable to connect to the secondary domain, which will result in the error, "Domain not in accept list (errorCode=101015)."
Setting the wgserver.domain.accept_list
option is required by a fix for the security vulnerability, [Important] ADV-2020-003: Tableau Server Forced Authentication(Link opens in a new window). As of February 2020, the fix for this vulnerability is included in all latest versions and maintenance releases of Tableau Server.
To set this option, enter the secondary domain enclosed by double-quotes. Multiple domains must be separated by a comma and a space. For example, tsm configuration set -k wgserver.domain.accept_list -v "example.org, domain.com"
.
Wildcard functionality is not supported. For example, if Tableau connects to sub1.example.org
and sub2.example.org
, then both domains must be added.
Updating the wgserver.domain.accept_list
option overwrites the existing value. Therefore, if you are adding a new domain to an existing set of domains stored in the value, include all existing domains with the new domain when you set the option. You can retrieve the full list of existing domains by running tsm configuration get –k wgserver.domain.accept_list
.
wgserver.domain.ldap.domain_custom_ports
Default value: null
Allows you to map child domains and their LDAP ports. Domain and port are separated by a colon (:) and each domain:port pair is separated by a comma (,) using this format: FQDN1:port,FQDN2:port
Example: tsm configuration set -k wgserver.domain.ldap.domain_custom_ports -v childdomain1.lan:3269,childdomain2.lan:3269,childdomain3.lan:389
wgserver.domain.password
Default value: null
Specifies password for the user account that is used for LDAP connection. See External Identity Store Configuration Reference.
wgserver.domain.username
Default value: null
Specifies name for the user account that is used for LDAP connection. See External Identity Store Configuration Reference.
wgserver.domain.allowlist
Important: This key has been deprecated as of version 2020.4.0. Use wgserver.domain.accept_list
instead.
Default value: null
Allows connection from Tableau Server to secondary Active Directory domains. A secondary domain is one that Tableau Server connects to for user synchronisation, but is a domain where Tableau Server is not installed. Tableau Server will attempt to connect to secondary domains for user and group synchronisation. In some cases, Tableau Server may be unable to connect to the secondary domain, which will result in the error, “Domain not in allowlist (errorCode=101015)”.
wgserver.extended_trusted_ip_checking
Default value: false
Enforces IP client matching for trusted ticket requests.
wgserver.ignore_domain_in_username_for_matching
Version: Added in versions 2021.4.21, 2022.1.17, 2022.3.9 and 2023.1.5
Default value: false
When you enable SAML, you can configure Tableau Server to ignore the domain portion of the SAML username attribute when matching the identity provider (IdP) user name to a user account on Tableau Server. You might ignore the domain portion of the username attribute when you already have users defined in Tableau Server that match the prefix portion of a username attribute but not the domain portion of the username attribute. For more information, see the Ignore domain when matching SAML username attribute section in the SAML Requirements topic.
For example, to ignore the domain name in the SAML username attribute, run the following command:
tsm configuration set -k wgserver.ignore_domain_in_username_for_matching -v true
Important:
- We do not recommend ignoring the domain name without taking precautions. Specifically, verify that user names are unique across the configured domains that you've created in your IdP.
- This command only works in Tableau Server deployments that are in
legacy-identity-mode
or deployments that have not been updated through the identity migration(Link opens in a new window) to use the Identity Service.
wgserver.restrict_options_method
Default value: true
Controls whether Tableau Server accepts HTTP OPTIONS requests. If this option is set to true
, the server returns HTTP 405 (Method Not Allowed) for HTTP OPTIONS requests.
wgserver.saml.blocklisted_digest_algorithms
Version: Added in version 2021.1.
Default value: SHA1
Specifies the hashing algorithms that are not allowed for any relevant SAML certificate signatures or SAML assertion digest method or signature methods . When set, certificates or assertions that are signed & hashed with a blocklisted algorithm will be rejected and fail.
There are multiple places where SHA-1 could be used on both the Tableau and IdP side. For example:
- Certificates uploaded with TSM that are used by Tableau Server to sign the request that is sent to the IdP.
- Certificates in the IdP metadata used to verify the AuthnResponse (signature) received from the IdP using the public key in the Certificate.
- Incoming assertions signed and hashed with SHA-1 (DigestMethod set to SHA-1 and SignatureMethod set to SHA-1).
The default value was changed to (SHA1
in Tableau Server 2021.2. For more information about upgrading to 2021.2 with SAML configured, see the Knowledge Base article, Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2.
wgserver.saml.forceauthn
Version: Added in version 2019.3.
Default value: false
When set to true
, if the Tableau user session expires, Tableau Server will re-authenticate the user with the IdP. This option can also be used to ask the IdP to prompt the user for re-authentication, even if the user has an active IdP session.
wgserver.saml.idpattribute.username
Specifies the name of the attribute in which your SAML IdP stores usernames. By default, this is set to username
. If the attribute name that your IdP uses contains spaces, enclose it in quotation marks. For more information, see Configure Server-Wide SAML or Configure Site-Specific SAML.
wgserver.saml.iframed_idp.enabled
Default value: false
Default of false means that when users select the sign-in button on an embedded view, the IdP’s sign-in form opens in a pop-up window.
When you set it to true, and a server SAML user who is already signed in navigates to a web page with an embedded view, the user will not need to sign in to see the view.
You can set this to true only if the IdP supports signing in within an iframe. The iframe option is less secure than using a pop-up, so not all IdPs support it. If the IdP sign-in page implements clickjack protection, as most do, the sign-in page cannot display in an iframe, and the user cannot sign in.
If your IdP does support signing in via an iframe, you might need to enable it explicitly. However, even if you can use this option, it disables Tableau Server clickjack protection for SAML, so it still presents a security risk.
wgserver.saml.maxassertiontime
Default value: 3000
Specifies the maximum number of seconds, from creation, that a SAML assertion is usable.
wgserver.saml.min_allowed.elliptic_curve_size
Default value: 256
Version: Added in version 2021.1 but did not include a default value. In 2021.2, the default value was set to 256
.
This option specifies the minimum allowed ECDSA curve size for the certificate used for SAML authentication. If you upload a certificate that has an ECDSA curve size less than 256, TSM will log an error when you apply changes.
If you are upgrading to Tableau Server 2021.2 or later and your SAML certificate uses an ECDSA curve size less than 256, Tableau Server will not start after upgrading. We recommend uploading a new certificate with 256 (or larger) ECDSA curve size before upgrading. Alternatively, you can run this command to set a lower ECDSA curve size on older versions (pre-2021.1) of Tableau Server before you upgrade. If you are running this command on a version prior to 2021.1, you must include the --force-keys
option with the command. For more information about upgrading to 2021.2 with SAML configured, see the Knowledge Base article, Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2.
wgserver.saml.min_allowed.rsa_key_size
Default value: 2048
Version: Added in version 2021.1 but did not include a default value. In 2021.2, the default value was set to 2048
.
This option specifies the minimum allowed RSA key length for the certificate used for SAML authentication. If you upload a certificate that has an RSA key length less than 2048, TSM will log an error when you apply changes.
To run SAML authentication with a 1024 RSA key length (not recommended), set this value to 1024
.
If you are upgrading to Tableau Server 2021.2 or later and your SAML certificate uses a key length less than 2048, Tableau Server will not start after upgrading. We recommend uploading a new certificate with 2048 (or larger) key length before upgrading. Alternatively, you can run this command to set a lower key strength on older versions (pre-2021.1) of Tableau Server before you upgrade. If you are running this command on a version prior to 2021.1, you must include the --force-keys
option with the command. For more information about upgrading to 2021.2 with SAML configured, see the Knowledge Base article, Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2.
wgserver.saml.responseskew
Default value: 180
Sets the maximum number of seconds difference between Tableau Server time and the time of the assertion creation (based on the IdP server time) that still allows the message to be processed.
wgserver.saml.sha256
Default value: true
When set to true
, Tableau Server will hash message signatures and digests with SHA-256 in SAML assertions to the IdP. Set this option to false
only if your IdP rejects assertions containing SHA-256 hashed content.
wgserver.session.apply_lifetime_limit
Default value: false
Controls whether there is a session lifetime for server sessions. Set this to true
to configure a server session lifetime.
wgserver.session.idle_limit
Default value: 240
The number of minutes of idle time before a sign-in to the web application times out.
wgserver.session.lifetime_limit
Default value: 1440
The number of minutes a server session lasts if a session lifetime is set. The default is 1440 minutes (24 hours). If wgserver.session.apply_lifetime_limit
is false
(the default) this is ignored.
wgserver.unrestricted_ticket
Default value: false
Specifies whether to extend access to server resources for users authenticated by trusted tickets. Default behaviour allows users to access views only. Setting this to true
allows users with valid trusted tickets to access server resources (projects, workbooks and so on) as if they had signed in using their credentials.
workerX.gateway.port
Default value: 80
(443
if SSL)
External port that Apache listens on for workerX (where a “worker” is the term used for subsequent server nodes in the cluster). worker0.gateway.port is Tableau Server’s external port. In a distributed environment, worker0 is the initial Tableau Server node.
workerX.vizqlserver.procs
Default value: <number>
Number of VizQL servers.
zookeeper.config.snapCount
Specifies the number of transactions necessary to cause the Coordination Service to create a snapshot of the logs. By default this value is 100,000 transactions. If your Coordination Service is not writing enough transactions to result in snapshots, the automatic cleanup of snapshots older than five days will not take place, and you may lose disk space to the transaction logs. By default transaction logs and snapshots are created in the Tableau data directory.