tsm configuration set Options

Below is a list of configuration options or keys that you can set with the tsm configuration set command. In many cases you can find out the current value of a configuration key with the tsm configuration get command.

This list is not intended to be an exhaustive list of Tableau Server configuration settings. It represents a subset of configuration keys that can be set by server administrators. Finally, some keys used internally by Tableau Server do not appear in this list.

Note: Configuration keys are case-sensitive.

Using the tsm CLI

You can run tsm commands on the initial node (the node where TSM is installed), or on any additional node in the cluster.

To run tsm commands, you need to open a command prompt.

  1. Open a command prompt with an account that is a member of the tsmadmin group on a node in the cluster.

  2. Run the command you want. If you are running the command from a node other than the initial node, include the -s option to specify the URL of the initial node by name (not IP address), and include the TSM port, 8850.

    To see the version of TSM and Tableau Server from the initial node:

    tsm version

    To see the version of TSM and Tableau Server from an additional node:

    tsm version -s https://<inital_node_name>:8850

    For example:

    tsm version -s https://myTableauHost:8850

Basic Use of tsm configuration keys

Setting a configuration key

tsm configuration set -k <config.key> -v <config_value>

In some cases, you must include the --force-keys option to set a configuration value for a key that has not been set before. For more information, see "Unknown key" responses.

After setting a configuration key value you must apply the pending configuration changes using tsm pending-changes apply. Until you do, the new value will not be used by Tableau or show up in the results of a tsm configuration get command. You can view pending changes using tsm pending-changes list. For more information, see tsm pending-changes.

Resetting a configuration key to default

To reset a configuration key back to its default value, use the -d option:

tsm configuration set -k <config.key> -d

Viewing the current value of a configuration key

To see what a configuration key is currently set to, use the configuration get command:

tsm configuration get -k <config.key>

There are two special cases that will not return a useful current value for a key:

  • In certain cases, you cannot get a configuration value for a key that has not been explicitly set. Instead the tsm configuration get command will return an "Unknown key" response. For more information, see "Unknown key" responses.

  • For certain keys with predefined default values, the tsm configuration get command will return a "Null" response. For more information, see "Null" value responses.

Configuration Keys

adminviews.disabled

Default value: false

Disables access to the Tableau Administrative views. By default, access to views is enabled (this option is set to "false").

api.server.enabled

Version: Deprecated in version 2023.1. You cannot disable the REST API in version 2023.1 and later.

Default value: true

Allows access to the Tableau Server REST API(Link opens in a new window).

By default, this functionality is enabled. We strongly recommend that you maintain this setting. Disabling the REST API will disrupt the functionality of a broad range of Tableau features. It will not improve performance or enhance security. If you choose to disable the REST API on your Tableau Server installation, test the functionality you require carefully.

Functionality impacted by disabling the REST API includes:

  • Search
  • Favourites
  • Collections
  • Content Management Tool (CMT)
  • Resource Monitoring Tool (RMT)
  • Personal Spaces

auditing.enabled

Default value: true

Allows access to the PostgreSQL (Tableau Server's own database) historical auditing tables.

backgrounder.default_run_now_priority

Default value (integer): 0

This setting controls what priority is assigned to run now jobs, with 0 being the highest priority. Values should be specified should be in the range of 0 – 100.

backgrounder.enable_parallel_adsync

Version: Added in version 2018.3.6

Default value: false

Controls whether parallel processing of external directory group synchronisation jobs is allowed when there are multiple backgrounders. By default a scheduled synchronisation of external directory groups is handled serially, by a single backgrounder. Set this to true to enable parallel processing on multiple backgrounder instances.

backgrounder.externalquerycachewarmup.enabled

Version: Deprecated in version 2023.1. To improve view load times for workbooks, allow View Acceleration on your site instead.

Default value: false

Controls the caching of workbook query results after scheduled extract refresh tasks.

backgrounder.externalquerycachewarmup.view_threshold

Version: Deprecated in version 2023.1. To improve view load times for workbooks, allow View Acceleration on your site instead.

Default vaule: 2.0

The threshold for caching workbook query results after scheduled extract refresh tasks. The threshold is equal to the number of views that a workbook has received in the past seven days divided by the number of refreshes scheduled in the next seven days.

The following two backgrounder command options determine how long a flow task can run before the flow background task is cancelled. These two commands together determine the total timeout value for flow tasks.

backgrounder.extra_timeout_in_seconds

Default value: 1800

The number of seconds beyond the setting in backgrounder.querylimit before a background job is cancelled. This setting makes sure that a stalled job does not hold up subsequent jobs. The setting applies to processes listed in backgrounder.timeout_tasks. 1,800 seconds is 30 minutes.

backgrounder.default_timeout.run_flow

Default value: 14400

The number of seconds before a flow run task is cancelled. 14,400 seconds is 4 hours.

backgrounder.failure_threshold_for_run_prevention

Default value: 5

The number of consecutive failures of a subscription, extract or flow run job before that job is suspended. Suspending continuously failing jobs helps preserver backgrounder resources for other jobs. To disable suspension of failing background tasks, set this to -1.

backgrounder.log.level

Version: Added in version 2020.3.0.

Default value: info

The logging level for the backgrounder process. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.

backgrounder.querylimit

Default value: 7200

Longest allowable time, in seconds, for completing a single extract refresh job. 7200 seconds = 2 hours.

Note: If a background job reaches this time limit, it may continue to run for an additional several minutes while being cancelled.

backgrounder.restrict_serial_collections_to_site_level

Default value: false

In Tableau Server, you can schedule extract refreshes, subscriptions or flows to run periodically. These scheduled items are referred to as tasks. The Backgrounder process initiates unique instances of these tasks to run them at the scheduled time. The unique instances of the tasks that are initiated as a result are referred to as jobs.

This setting affects schedules that are configured to run serially. By default, when a schedule is configured to run serially, all jobs using that schedule will run serially. When this setting is set to true, jobs running on different sites can run in parallel. Jobs for scheduled tasks on the same site will continue to run serially.

The example below illustrates this scenario:

Tableau Server includes a schedule named "Daily" to run jobs every day at 7 am. The "Daily" schedule is configured to run serially. Site "HR" and site "Payroll" each have multiple scheduled tasks that use the schedule, "Daily". When this setting is set to true, jobs for these scheduled tasks on Site "HR" can run in parallel with jobs on site "Payroll", whereas jobs on the same site will still only run serially.

backgrounder.notifications_enabled

Default value: true

Controls whether extract refresh and flow run alerts are enabled for all sites on the server. By default alerts are enabled. To disable the alerts for all sites on a server, set this to false.

Extract alerts can be enabled or disabled on a site basis by site administrators in site settings, or at the user level in user settings.

backgrounder.sort_jobs_by_type_schedule_boundary_heuristics_milliSeconds

Default value: 60000

Controls the time window that identifies backgrounder jobs which are determined to have the same scheduled start time.

The backgrounder process orders work that is scheduled at the same time to be executed by job type, running the fastest category of jobs first: Subscriptions, then Incremental Extracts, then Full Extracts.

Jobs are batched to determine which jobs are scheduled at the “same time”. A value 60,000 milliseconds (the default) indicates jobs for schedules starting within a 1 minute window should be classified in the same batch and so are ordered by type within that batch.

backgrounder.subscription_failure_threshold_for_run_prevention

Default value: 5

Determines the number of consecutive subscription failures that must occur before alerting for a condition is suspended. When set to the default of 5, alerting is suspended after 5 consecutive subscription failures. A value of -1 will allow notification email to continue indefinitely. This threshold is server-wide, so applies to all subscriptions defined on the server.

backgrounder.subscription_image_caching

Default value: true

Controls whether backgrounder will cache images that are generated for subscriptions. Cached images do not have to be regenerated each time so caching improves subscription performance. By default image caching is enabled. To disable image caching for all sites on a server, set this to false.

backgrounder.timeout_tasks

Default value: The default value may be different, depending on your version of Tableau Server. To see the default value list for your version of Tableau, run the tsm configuration get command:

tsm configuration get -k backgrounder.timeout_tasks

The list of tasks that can be cancelled if they run longer than the combined values in backgrounder.querylimit and backgrounder.extra_timeout_in_seconds. The list of tasks is delimited with commas. The default list represents all the possible values for this setting.

backgrounder.timeout.single_subscription_notify

Version: Added in version 2021.2.

Default Value: 1800 seconds (30 minutes)

This is the maximum allowable time specified in seconds for completing a single subscription job.

backgrounder.timeout.sync_ad_group

Version: Added in version 2021.1.23, 2021.2.21, 2021.3.20, 2021.4.15, 2022.1.11, 2022.3.3, 2023.1.

Default Value: 14400 seconds (4 hours)

This is the maximum allowable time, specified in seconds, for completing an Active Directory group sync. This applies to scheduled group synchronisations done by the backgrounder service and prevents long-running syncs from running indefinitely. This does not impact group synchronisations done using the Tableau Server UI or the REST API.

backgrounder.vInstances_max_overflow_queue_size

Version: Added in version 20221.2.

Default Value: 1000

The maximum number of jobs that can be in the secondary queue. A secondary queue is created when the number of jobs running is at the set concurrency limit. The default maximum is set to 1000 jobs – meaning if there are more than 1000 jobs when the concurrency limit is hit, anything more than 1000 jobs will not be queued. Use the backgrounder.vInstance_max_overflow_queue_size tsm command to make changes to the overflow maximum queue size.

The values should be specified in whole numbers.

backup.zstd.thread_count

Version: Added in version 2021.1.0. This key is dynamically configurable. For more information, see Tableau Server Dynamic Topology Changes

Default value: 2

The number of threads that should be used when creating a backup.

Increasing this number can improve backup performance, but we recommend thread count not exceed the number of logical processors on the Tableau Server computer, up to four.

basefilepath.backuprestore

Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/backups/

The location in which the tsm maintenance backup command creates the backup. This is also the location where the backup file must be when restored using the tsm maintenance restore command or the tsm maintenance send-logs command. After setting this, you should run the tsm maintenance validate-backup-basefilepath command (available in version 2022.1 and later) to verify that permissions are set properly for the location. For more information, see tsm File Paths.

basefilepath.log_archive

Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/log-archives/

The location in which the tsm maintenance ziplogs command creates the zipped archive. For more information, see tsm File Paths.

basefilepath.site_export.exports

Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/siteexports/

The location in which the tsm sites export command creates the export file. For more information, see tsm File Paths.

basefilepath.site_import.exports

Default value: /var/opt/tableau/tableau_server/data/tabsvc/files/siteimports/

The location in which the tsm sites import command expects the import file to be located. For more information, see tsm File Paths.

clustercontroller.log.level

Version: Added in version 2020.3.0.

Default value: info

The logging level for Cluster Controller. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.

clustercontroller.zk_session_timeout_ms

Default value: 300000

The length of time, in milliseconds, that Cluster Controller will wait for the Coordination Service (ZooKeeper), before determining that failover is required.

dataAlerts.checkIntervalInMinutes

Default value: 60

The frequency, in minutes, at which Tableau Server checks to determine if data-alert conditions are true.

(The server also checks whenever extracts related to data alerts are refreshed.)

dataAlerts.retryFailedAlertsAfterCheckInterval

Default value: true

Determines how often Tableau Server rechecks failing data alerts. When set to true, the server rechecks failing alerts at the frequency defined by dataAlerts.checkIntervalInMinutes. When set to false, the server rechecks failing alerts every five minutes, more quickly notifying alert recipients if data conditions have changed, but reducing server performance.

(The server also checks whenever extracts related to data alerts are refreshed.)

dataAlerts.SuspendFailureThreshold

Default value: 350

Determines the number of consecutive data alert failures that must occur before alerting for a condition is suspended. When set to the default of 350, alerting is suspended after roughly two weeks of alerts. This threshold is server-wide, so applies to any data alert defined on the server.

databaseservice.max_database_deletes_per_run

Version: Added in version 2021.2.

Default value: null

Use this option to adjust the maximum number of embedded external assets (databases and tables) that can be deleted each time the backgrounder process, controlled by features.DeleteOrphanedEmbeddedDatabaseAsset, runs. If this option is left empty, the default maximum number of embedded external assets that can be deleted is 100.

For more information, see features.DeleteOrphanedEmbeddedDatabaseAsset.

dataserver.log.level

Version: Added in version 2020.3.0.

Default value: info

The logging level for Data Server. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.

elasticserver.vmopts

Version: Added in version: 2019.1. Removed: 2022.1

This configuration option is not valid for Tableau Server versions 2022.1 and later. For Tableau Server versions 2022.1 and later, use indexandsearchserver.vmopts configuration option

Default value: "-Xmx<default_value> -Xms<default_value>"

The default value varies based on the amount of system memory. The JVM maximum heap size is scaled to be 3.125% of the total system RAM.

Controls the Elastic Server heap size. Because the default value scales automatically, use this option to override the default value only when absolutely necessary. Append the letter 'k' to the value to indicate kilobytes, 'm' for megabytes or 'g' to indicate gigabytes. As a general rule, set initial heap size (-Xms) equal to the maximum heap size (-Xmx) to minimise garbage collections.

excel.shadow_copy_all_remote.enabled

Version: Added in versions 2019.1.5, 2019.2.1.

Default value: false

Controls whether Tableau Server creates a "shadow copy" of a shared Excel spreadsheet (.xlxs or .xlxm) that is being used as a live data source. When enabled, this option prevents Excel users from seeing a "Sharing Violation Error" and a message that the file is "currently in use". This option can have a performance impact with large Excel files. If Excel users do not need to edit the shared file, you do not need to enable this option.

Note: Tableau Server always attempts to create a shadow copy of a .xls file. This option does not change that behaviour.

extractservice.command.execution.timeout

Version: Added in version 2021.4.

Default value: 7200 seconds

Sets the timeout value for VConn extract refresh run time.

Example: tsm configuration set -k extractservice.command.execution.timeout -v <timeout_in_seconds> --force-keys

Note: You must use the --force-keys option to change this value.

features.ActiveMQ

Version: Added in version 2021.4.

Default value: true

Controls whether Tableau Server uses the Apache ActiveMQ service (Tableau Server Messaging Service) for the internal messaging mechanism.

features.DeleteOrphanedEmbeddedDatabaseAsset

Version: Added in version 2021.2.

Default value: true

Controls a backgrounder process, for Tableau Catalogue (or Tableau Metadata API), that deletes embedded external assets (databases and tables) that are no longer associated with downstream Tableau content. This process runs every day at 22:00:00 UTC (coordinated universal time) and can delete a maximum of 100 external assets each day until there are no remaining external assets without connections to downstream Tableau content. You can set this option to false to stop this process from running. Alternatively, you can also adjust the maximum number of external embedded assets that can be deleted using databaseservice.max_database_deletes_per_run.

For more information see, Troubleshoot missing content.

features.DesktopReporting

Default value: false

Controls whether Desktop Licence Reporting is enabled on the server. When set to false (the default), no Administrative Views related to desktop licences are available. Set this to true to enable licence reporting and to make licence usage and expiration Administrative Views visible on the Server Status page. Note: Desktop Licence Reporting must be enabled on the client (Tableau Desktop) in order for information to be reported to Tableau Server.

features.IdentityMigrationBackgroundJob

Version: Added in version 2022.1. Default value was changed to false in versions 2021.4.22, 2022.1.18, 2022.3.10, 2023.1.6 and 2023.3.

Default value: false

Controls the process that performs the identity migration. When set to true, the identity migration runs in existing deployments immediately after upgrading Tableau Server to version 2022.1 (or later) and restoring a backup of Tableau Server version 2021.4 (or earlier). Set to false (default) to disable the identity migration.

For example, to start the identity migration, run the following:

tsm configuration set -k features.IdentityMigrationBackgroundJob -v true

For more information, see About the Identity Migration.

Note: If the identity migration is disabled, Tableau Server cannot use the Identity Service to store and manage user identity information. Using the Identity Service is a prerequisite for certain capabilities like identity pools.

features.IdentityPools

Version: Added in version 2023.1.

Default value: false

A component of the identity pools capability that needs to be enabled if you perform a new Tableau Server installation. Requires feature.NewIdentityMode and wgserver.authentication.legacy_identity_mode.enabled. Set to true to enable identity pools. Set to false (default) to disable identity pools.

For example, to enable identity pools, run the following:

tsm configuration set -k features.IdentityPools -v true
tsm configuration set -k features.NewIdentityMode -v true
tsm configuration set -k wgserver.authentication.legacy_identity_mode.enabled -v false
tsm pending-changes apply

For more information, see Troubleshoot identity pools.

features.MessageBusEnabled

Version: Added in version 2019.4.

Default value: true

Controls whether Tableau Server uses the new internal messaging mechanism.

features.NewIdentityMode

Version: Added in version 2022.1.

Default value: false. The default value was changed from true to false in 2023.1.6.

A prerequisite of the identity pools capability. Requires wgserver.authentication.legacy_identity_mode.enabled to be set to false to enable identity pools. Set to true to disable identity pools.

tsm configuration set -k features.IdentityPools -v true
tsm configuration set -k features.NewIdentityMode -v true
tsm configuration set -k wgserver.authentication.legacy_identity_mode.enabled -v false
tsm pending-changes apply

For more information, see Troubleshoot identity pools.

features.PasswordlessBootstrapInit

Default value: true

Controls whether Tableau Server allows embedded credentials in bootstrap files. When enabled (the default), embedded credentials are included in the bootstrap file unless you specify that they should not be included. Set this to false if credentials should never be included in any bootstrap file you generate. For more information on generating bootstrap files, see tsm topology nodes get-bootstrap-file.

This option was added beginning with Tableau Server version 2019.3.

features.PasswordReset

Version: Retired in version 2024.2. For versions 2024.2 and later, use vizportal.password_reset.

Default value: false

Applies only to servers that use local authentication. Set to trueto let users reset their passwords with a "Forgot password" option on the sign-in page.

filestore.empty_folders_reaper.enabled

Version: Added in 2020.x (2020.1.14, 2020.2.11, 2020.3.6, 2020.4.2) and 2021.1.x. The default value was changed to true in 2021.2.

Default value: true

Enables the job that "reaps" (removes) empty Filestore folders.

filestore_empty_folders_reap.frequency_s

Version: Added in 2020.x (2020.1.14, 2020.2.11, 2020.3.6, 2020.4.2).

Default value: 86400 (24 hours)

Specifies, in minutes, how often to run the job that removes empty Filestore folders.

features.Hyper_DisallowTDEPublishing

Version: Defaults to true beginning in version 2023.1.0. Deprecated in Tableau Server 2024.2.

Default value: true

Specifies if users can upload .tde format files. This format was replaced by .hyper format beginning in version 10.5 of Tableau Server, but were not blocked from upload. Starting with Version 2024.3, .tde format files are no longer usable. The files were automatically converted to .hyper format if one of several actions were performed. For more information, see Extract Upgrade to .hyper Format.

filestore.log.level

Version: Added in version 2020.3.0.

Default value: info

The logging level for File Store. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.

filestore.reapemptyfoldersholdoffms

Version: Added in 2020.x (2020.1.14, 2020.2.11, 2020.3.6, 2020.4.2). This is not yet available in 2021.1.

Default value: 300000 (5 minutes)

Specifies in milliseconds, the amount of time to wait before removing empty Filestore folders.

floweditor.max_datafile_upload_size_in_kb

Version: Added in version 2020.4

Default value: 1048576

For Tableau Prep flow web authoring, the maximum size of delimited text files (for example, CSV or TXT) that can be uploaded to Tableau Server.

gateway.external_url

Version: Added in version 2023.1

Default value: Null

Required when OpenID Connect (OIDC) authentication is configured in TSM during Tableau Server setup or with identity pools. Specifies the Tableau Server URL used by the identity provider (IdP) to redirect users who authenticate into Tableau. The gateway external URL is the same URL that you specified as the redirect URL with your IdP, which is used for matching purposes.

For example, to redirect the IdP associated with OIDC authentication configuration to your Tableau Server, http://myco, run the following command:

tsm configuration set -k gateway.external_url -v http://myco

gateway.http.cachecontrol.updated

Default value: false

The Cache-Control HTTP header specifies whether the client browser should cache content sent from Tableau Server. To disable caching of Tableau Server data on the client, set this option to true.

gateway.http.hsts

Default value: false

The HTTP Strict Transport Security (HSTS) header forces browsers to use HTTPS on the domain where it is enabled.

gateway.http.hsts_options

Default value: "max-age=31536000"

By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS.

gateway.httpd.loglevel

Version: Added in 2021.3.0.

Default value: notice

Specifies the logging level for the Gateway (Apache HTTPD server). By default, this is set to notice. Other options include debug, info, warning, error. If you change the logging level, be aware of potential impact to disk space usage and performance. As a best practice, return the logging level to the default after you have gathered the information you need. For detailed information on Apache logging, see the Apache HTTP documentation(Link opens in a new window).

gateway.httpd.shmcb.size

Version: Added in 2021.4

Default value: 2048000

Specifies the amount of memory in bytes for the circular buffer when using the shmcb storage type. This configuration key doesn’t apply when using the dbm storage type.

gateway.httpd.socache

Version: Added in 2021.4

Default value: shmcb

Specifies the storage type of the global/inter-process SSL Session Cache. By default, this is set to shmcb, with another configurable option dbm. For more information about shmcb and dbm storage types, see SSLSessionCache Directive(Link opens in a new window) on the Apache website.

gateway.http.request_size_limit

Default value: 16380

The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.

A low value for gateway.http.request_size_limit can result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.

We recommend setting tomcat.http.maxrequestsize option to the same value that you set for this option.

gateway.http.x_content_type_nosniff

Default value: true

The X-Content-Type-Options response HTTP header specifies that the MIME type in the Content-Type header should not be changed by the browser. In some cases, where MIME type is not specified, a browser may attempt to determine the MIME type by evaluating the characteristics of the payload. The browser will then display the content accordingly. This process is referred to as "sniffing". Misinterpreting the MIME type can lead to security vulnerabilities. The X-Content-Type-Options HTTP header is set to 'nosniff' by default with this option.

gateway.http.x_xss_protection

Default value: true

The HTTP X-XSS-Protection response header is sent to the browser to enable cross-site scripting (XSS) protection. The X-XSS-Protection response header overrides configurations in cases where users have disabled XXS protection in the browser. The X-XSS-Protection response header is enabled by default with this option.

gateway.log.level

Version: Added in version 2020.3.0.

Default value: info

The logging level for Gateway. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.

gateway.public.host

Default value: <hostname>

The name (URL) of the server, used for external access to Tableau Server. If Tableau Server is configured to work with a proxy server or external load balancer, it is the name entered in a browser address bar to reach Tableau Server. For example, if Tableau Server is reached by entering tableau.example.com, the name for gateway.public.host is tableau.example.com.

gateway.public.port

Default value: 80 (443 if SSL)

Applies to proxy server environments only. The external port the proxy server listens on.

gateway.slow_post_protection.enabled

Default value: true

When enabled, this can provide some help in protecting against slow POST (Denial-of-Service) attacks by timing out POST requests that transfer data at extremely slow rates.

Note: This will not eliminate the threat of such attacks, and could have the unintended impact of terminating slow connections.

gateway.slow_post_protection.request_read_timeout

Default value: header=10-30,MinRate=500 body=30,MinRate=500

When enabled by the preceding option, gateway.slow_post_protection.enabled, this option sets the Apache httpd ReadRequestTimeout. The httpd directive is documented at Apache Module mod_reqtimeout(Link opens in a new window). The primary use of this option is as a defence for the Slowloris attack. See the Wikipedia entry, Slowloris (computer security)(Link opens in a new window).

Note: Older versions use a default value: header=15-20,MinRate=500 body=10,MinRate=500

gateway.timeout

Default value: 7200

Longest amount of time, in seconds, that the gateway will wait for certain events before failing a request (7200 seconds = 2 hours).

gateway.trusted

Default value: IP address of proxy server machine

Applies to proxy server environments only. The IP address(es) or host name(s) of the proxy server.

gateway.trusted_hosts

Default value: Alternate names of proxy server

Applies to proxy server environments only. Any alternate host name(s) for the proxy server.

hyper.file_partition_size_limit

Default value: 0

When set to 0, the size is set to unlimited and will use all the disk space that is available.

This option is used to set the disk space limit for a query that spools to disk. If your disk space usage by the spool.<id>.tmp file is higher than where you need it to be for your environment, it means that queries are spooling and taking up disk space. Use this option to limit the amount of disk space that any one query can use. The spool.<id>.tmp file can be found in the temp folder of the user account running Tableau Server. You can specify this value in K(KB), M(MB), G(GB) or T(TB) units. For example, you can specify the size limit as 100 G when you want to limit the disk space usage to 100 GB.

For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.

hyper.global_file_partition_size_limit

Default value: 0

When set to 0, the size is set to unlimited and will use all the disk space that is available.

This option is used to set the disk space limit for all queries that spool to disk. If your disk space usage by the spool.<id>.tmp file is higher than where you need it to be for your environment, it means that queries are spooling and taking up disk space. The spool.<id>.tmp file can be found in the temp folder of the user account running Tableau Server. Use this option to limit the amount of disk space in sum total that all queries use when spooling to disk . You can specify this value in K(KB), M(MB), G(GB) or T(TB) units. For example, you can specify the size limit as 100 G when you want to limit the disk space usage to 100 GB. Tableau recommends that you start with this configuration when fine tuning your spooling limits.

For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.

hyper.enable_accesspaths_symbolic_canonicalization

Default value: false

On Windows OS systems, in order to resolve symlinks, Hyper needs to have access to the directory where extracts are stored and all its parent directories. If this is not the case, you may see an error message in the Hyper log that says: Unable to obtain canonical path for //dirA/subdir/myextract.hyper ... Access is denied.

In such cases, you can set this to true so Data Engine (Hyper) will not try to resolve symlinks when using canonical paths.

Note: Setting the value to true also implies that Hyper can no longer guarantee to guard against a potential attacker who manages to place a symlink to escape the allowed set of directories which Hyper is configured to allow access to.

hyper.log_queries

Default value: true

When set to true, query information is logged.

By default query information is logged. If however you find that the log files are too large for the amount of disk space available, you can set it to false to disable logging query information. Tableau recommends leaving this configuration set to true.

hyper.log_query_cpu

Default value: false

Use this setting to log how much time each query takes and the CPU usage.

hyper.log_timing

Default value: false

This setting is useful to find out more information about the queries, like compilation and parsing times. By default this setting is disabled. You can turn this by setting the value to true to collect more details about your queries. Note, however that this will increase the size of your data engine log files (\logs\hyper).

hyper.log_troublesome_query_plans

Default value: true

When set to true, logs query plans of query that are identified as problematic. Queries that are either cancelled, running slower than 10 seconds, or if the queries are spooling to disk fall into this category. The information in the logs can be useful to troubleshoot problematic queries. You can change the setting to false if you are concerned about the size of the logs.

hyper.memory_limit

Default value: 80%

Controls the maximum amount of memory used by Hyper. Specify the number of bytes. Append the letter 'k' to the value to indicate kilobytes, 'm' to indicate megabytes, 'g' to indicate gigabytes or 't' to indicate terabytes. For example, hyper.memory_limit="7g". Alternatively, specify the memory limit as a percentage of the overall available system memory. For example, hyper.memory_limit="90%".

hyper.memtracker_hard_reclaim_threshold

Default value: 80%

This setting only applies to Windows. Hyper keeps decompressed and decrypted parts of the extract in memory to make subsequent accesses faster. This setting controls when worker threads will start writing this data out to a disk cache to reduce memory pressure. If given as a percentage, the value is interpreted as a percentage of the overall hyper.memory_limit setting. For example, hyper.memtracker_hard_reclaim_threshold="60%". Absolute values can be specified as 'k' (kilobytes), 'm' (megabytes), 'g' (gigabytes) or ‘t’ (terabytes). For example, hyper.memtracker_hard_reclaim_threshold="10g". The value should be larger than the hyper.memtracker_soft_reclaim threshold.

hyper.memtracker_soft_reclaim_threshold

Default value: 50%

This setting only applies to Windows. When interacting with a Hyper file, Hyper will write out some data for caching or persisting the data. Windows has the special behaviour that it locks freshly written data into memory. To avoid swapping, we force out the data when Hyper reaches the configured limit for the reclaim threshold. When the soft reclaim threshold is reached, Hyper will try to reclaim cached data in the background to attempt to stay below the reclaim threshold. In situations where swapping would happen otherwise, triggering reclamation in Hyper can lead to a better outcome. Therefore, if your Tableau Server installation experiences a lot of swapping, this setting can be used to attempt to reduce the memory pressure.

Specify the number of bytes. Append the letter 'k' to the value to indicate kilobytes, 'm' to indicate megabytes, 'g' to indicate gigabytes or 't' to indicate terabytes. Alternatively, specify the value as a percentage of the overall configured memory for Hyper. For example, hyper.memtracker_soft_reclaim_threshold="20%".

hyper.network_threads

Default value: 150%

Controls the number of network threads used by Hyper. Specify either the number of network threads (for example, hyper.network_threads=4) or specify the percentage of threads in relation to the logical core count (for example, hyper.network_threads="300%").

Network threads are used for accepting new connections and sending or receiving data and queries. Hyper uses asynchronous networking, so many connections can be served by a single thread. Normally, the amount of work that is done on network threads is very low. The one exception is opening databases on slow file systems, which can take a long time and block the network thread. If connection times are slow when you try to view or edit dashboards that use extracts and have not been used in a while and you frequently see “asio-continuation-slow” messages in the Hyper log and long “construct-protocol” times to Hyper in the Tableau log, try to increase this value.

hyper.objectstore_validate_checksums

Default value: false

A boolean setting that controls file integrity checks in Hyper. When set to true, Hyper will check the data in an extract file when it is first accessed. This allows silent corruption and corruption that would crash Hyper to be detected. In general, it is advisable to turn this setting on except for installations with very slow disks where it could cause performance regressions.

hyper.query_total_time_limit

Default value: 0 (which means unlimited)

Sets an upper bound on the total thread time that can be used by individual queries in Hyper. Append 's' to the value to indicate seconds, 'min' to indicate minutes or 'h' to indicate hours.

For example, to restrict all queries to a total time usage of 1500 seconds of total thread time, run the following command:

tsm configuration set -k hyper.query_total_time_limit -v 1500s

If a query runs longer then the specified limit, the query will fail and an error will be returned. This setting allows you to automatically control runaway queries that would otherwise use too many resources.

Hyper executes queries in parallel. For example, if a query executes for 100 seconds and during this time is running on 30 threads, the total thread time would be 3000 seconds. The thread time of each query is reported in the Hyper log in the “query-end” log entries in the “total-time” field.

hyper.session_memory_limit

Default value: 0 (which means unlimited)

Controls the maximum memory consumption that an individual query can have. Specify the number of bytes. Append the letter 'k' to the value to indicate kilobytes, 'm' to indicate megabytes, 'g' to indicate gigabytes or 't' to indicate terabytes.

For example, to set the memory limit to 900 megabytes, run the following command:

tsm configuration set -k hyper.session_memory_limit -v 900m.

Alternatively, to specify the session memory limit as a percentage of the overall available system memory run the following command:

tsm configuration set -k hyper.session_memory_limit -v 90%.

Lowering this value can help when a query is using excessive amounts of memory and making other queries fail over a long period of time. By lowering the limit, the single big query would fail (or resort to spooling if spooling isn’t turned off) and not have a negative impact on other queries.

hyper.srm_cpu_limit_percentage

Default value (in percent): 75

Specifies the maximum hourly average CPU usage permitted by Hyper. If exceeded, Data Engine will restart itself to minimise impact to other processes on the computer.

By default Data Engine will restart itself if it averages more than 75% usage of CPU over an hour. This value should not be changed except when working with Tableau Support, or if you are running Data Engine on a dedicated server node. If Data Engine is running on a dedicated node, you can safely increase this value to 95 percent to take full advantage of available computer hardware. For details on running Data Engine on a dedicated node, see Optimise for Extract Query-Heavy Environments.

To increase this to 95%:

tsm configuration set -k hyper.srm_cpu_limit_percentage -v 95 --force-keys

tsm pending-changes apply

To reset this to the default of 75%:

tsm configuration set -k hyper.srm_cpu_limit_percentage -v 75 --force-keys

tsm pending-changes apply

hyper_standalone.consistent_hashing.enabled

Default value: true

Improves the chance that the extract for a query is already cached. If the node with the extract cached cannot support additional load, you will be routed to a new node and the extract will be loaded into cache on the new node. This results in better system utilisation because extracts are only loaded into memory if there is load that justifies the need.

hyper_standalone.health.enabled

Default value: true

Switches the load balancing metric from random selection to picking the Data Engine (Hyper) node based on a health score that is made of up of a combination of current Hyper activity and system resource usage. Based on these values, the load balancer will pick the node that is most capable of handling an extract query.

hyper.temp_disk_space_limit

Default value: 100%

Sets the upper limit of disk space at which Hyper will stop allocating space for temporary files. This setting can help to stop the hard disk from filling up with temporary files from Hyper and running out of disk space. If disk space reaches this threshold, Hyper will attempt to recover automatically without administrator intervention.

Specify it as percentage of the overall available disk space to be used. For example, hyper.temp_disk_space_limit="96%". When set to 100%, all of the disk space that is available can be used.

For Data Engine to start, the configured amount of disk space must be available. If not enough disk space is available, you will see a Data Engine log entry that says, “Disk limit for temporary files has been reached. Please free up disk space on the device. See the Hyper log for more information: No space left on device”.

hyper.hard_concurrent_query_thread_limit

Default value: 150%

Use this option to set the maximum number of threads Hyper should use for running queries. Use this when you want to set a hard limit on the CPU usage. Specify either the number of threads or specify the percentage of threads in relation to the logical core count. Hyper will most likely not use more resources than are configured by this setting but Hyper background and network threads are not affected by this setting (though they tend to not be CPU intensive).

It is important to consider that this setting controls the number of concurrent queries that can be executed. So, if you decrease this setting, the chance of queries needing to wait for currently running queries to complete increases, which may affect workbook load times.

hyper.soft_concurrent_query_thread_limit

Default value: 100%

Use this option to specify the number of threads that a single query can be parallelised across if sufficiently many threads are available given the hard_concurrent_query_thread_limit setting. Specify either the number of threads or specify the percentage of threads in relation to the logical core count.

To illustrate this, here is a simplified example:

Let's say you set this value to 10 threads, this means queries can be parallelised up to 10 threads. If only 2 queries are running, the remaining 8 threads are used to parallelise the 2 queries.

The hyper. hard_concurrent_query_thread_limit, and hyper.soft_concurrent_query_thread_limit options work together to give you some options to manage your CPU usage while maximising available CPU resources to complete queries faster. If you don't want the Data Engine to use all the available CPU on the machine, change it to less than 100% to a percentage that is optimal for your environment. The soft limit is a way for you to limit CPU usage but allow it to go beyond the soft limit up to the hard limit if necessary.

Note: The hyper.hard_concurrent_query_thread_limit and hyper.soft_concurrent_query_thread_limit options replace hyper.num_job_worker_threads and hyper.num_task_worker_threads options available in Tableau Server versions 2018.3 and earlier, and are retired and no longer available. For information on the hyper.num_job_worker_threads and hyper.num_task_worker_threads, see tsm configuration set Options.(Link opens in a new window)

hyper.use_spooling_fallback

Default value: true

When set to true, it allows spooling to disk when querying extracts exceeds set RAM usage (80% of installed RAM). In other words, it allows Hyper to execute a query using the disk if it exceeds RAM usage.

Tableau recommends that you use the default setting. You can turn this off by setting the value to false if you are concerned about disk usage. If you turn this setting off, queries that use more than 80% of installed RAM will be cancelled. Spooling queries usually take substantially longer to finish.

For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.

indexandsearchserver.vmopts

Version: Added in version: 2022.1.

Default value: "-Xmx<default_value> -Xms<default_value>"

The default value is based on the amount of system memory and is 3.125% of the total system RAM.

Controls the Index and Search Server heap size. Because the default value scales automatically, use this option to override the default value only when absolutely necessary. Append the letter 'k' to the value to indicate kilobytes, 'm' for megabytes or 'g' to indicate gigabytes. As a general rule, set initial heap size (-Xms) equal to the maximum heap size (-Xmx) to minimise garbage collections.

jmx.security.enabled

Version: Added in version: 2022.1.

Default value: false

JMX is disabled by default, so secure JMX is also disabled. If you are enabling JMX, we strongly recommend you enable secure JMX.

This is set to true and turns secure JMX on with SSL and basic username/password authentication for readonly access when you run the tsm maintenance jmx enable command and answer y when prompted to enable security features for JMX:

tsm maintenance jmx enable
We do not recommend you enable JMX unsecured on a production environment. Would you like to enable security features for JMX?
(y/n): y

jmx.ssl.enabled

Version: Added in version: 2022.1.

Default value: true

Enforces SSL for JMX. This option defaults to true but has no effect unless jmx.security.enabled is also set to true. To enable JMX security, run the tsm maintenance jmx enable command. Answer y when prompted to leave SSL enabled, or n to disable SSL:

tsm maintenance jmx enable
...
Would you like to enable SSL?
(y/n): n

jmx.ssl.require_client_auth

Version: Added in version: 2022.1.

Default value: false

This is set to true when you run the tsm maintenance jmx enable command and answer y when prompted to require client authentication (mTLS):

tsm maintenance jmx enable
...
Would you like to require client authentication (mTLS)?
(y/n): y

To complete configuration you must have a client cert and place this in the correct location on your client computer.

jmx.ssl.user.name

Version: Added in version: 2022.1.

Default value: tsmjmxuser

This is set when you install or upgrade Tableau Server.

jmx.ssl.user.password

Version: Added in version: 2022.1.

Default value: <generated>

This is set when you install or upgrade Tableau Server.

jmx.user.access

Version: Added in version: 2022.1.

Default value: readonly

You can change this to readwrite when you run the tsm maintenance jmx enable command and answer y when prompted to add readwrite access:

tsm maintenance jmx enable
...
JMX access is readonly by default. Would you like to add readwrite access?
(y/n): y

licensing.login_based_licence_management.default_requested_duration_seconds

Default value: 0

Set to the duration (in seconds) that a user's login-based licence can be offline with no connection to Tableau Server before they are prompted to activate again. This duration is always refreshed when Tableau Desktop is in use and can connect to Tableau Server.

licensing.login_based_license_management.enabled

Default value: true

Set to true to enable login-based licence management. Set to false to disable login-based licence management.

Note: In order to use login-based licence management, you must activate a product key that is enabled for login-based licence management. You can use the tsm licenses list to see which product keys have login-based licence management enabled.

licensing.login_based_licence_management.max_requested_duration_seconds

Default value: 7776000

Set to the maximum duration (in seconds) that a user’s login-based licence can be offline with no connection to Tableau Server before they are prompted to activate Tableau again. The maximum value is 7776000 seconds (90 days). This duration is always refreshed when Tableau Desktop is in use and can connect to Tableau Server.

maestro.app_settings.sampling_max_row_limit

Default value: 1000000

Sets the maximum number of rows for sampling data from large data sets with Tableau Prep on the web.

maestro.input.allowed_paths

Default value: ""

By default, access to any directory will be denied, and only publishing to Tableau Server with content that is included in the tflx file is allowed.

A list of allowed network directories for flow input connections. You must enable Tableau Prep Conductor to schedule flows on your Tableau Server. For more information, see Tableau Prep Conductor.

The following rules apply and must be considered when configuring this setting:

  • Paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time.

  • Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example \\myhost\myShare\* or \\myhost\myShare* are invalid paths and would result in all the paths as disallowed. The correct way to allowlist any folder under myShare would be \\myhost\myShare or \\myhost\\myShare\.

    Note: The \\myhost\myShare configuration will not allow \\myhost\myShare1. In order to safe list both of these folders, one would have to safe list them as \\myhost\myShare; \\myhost\myShare1.

  • The value can be either * meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by “;”.

    Note: If a path is both on the flows allowed list and internal_disasslowed list, internal_disallowed takes precedence.

Important:
This command overwrites existing information and replaces it with the new information you provided. If you want to add a new location to an existing list, you must provide a list of all the locations, existing and the new one you want to add. Use the following commands to see the current list of input and output locations:

tsm configuration get -k maestro.input.allowed_paths
tsm configuration get -k maestro.output.allowed_paths

For more information and details about configuring allowed directories for flow input and output connections, see Step 4: Safe list Input and Output locations(Link opens in a new window).

maestro.output.allowed_paths

Default value: ""

By default, access to any directories will be denied.

A list of allowed network directories for flow output connections. You must enable Tableau Prep Conductor to schedule flows on your Tableau Server. For more information, see Tableau Prep Conductor.

The following rules apply and must be considered when configuring this setting:

  • Paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time.

  • Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example \\myhost\myShare\* or \\myhost\myShare* are invalid paths and would result in all the paths as disallowed. The correct way to allowlist any folder under myShare would be \\myhost\myShare or \\myhost\\myShare\.

    Note: The \\myhost\myShare configuration will not allow \\myhost\myShare1. In order to safe list both of these folders, one would have to safe list them as \\myhost\myShare; \\myhost\myShare1.

  • The value can be either * meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by “;”.

    Note: If a path is both on the flows allowed list and internal_disasslowed list, internal_disallowed takes precedence.

For more information and details about configuring allowed directories for flow input and output connections, see Step 4: Safe list Input and Output locations(Link opens in a new window).

maestro.output.write_to_mssql_using_runas

Version: Added in version: 2022.3.1

Default value: false

When enabled, flow outputs published to Tableau Server are allowed write access to a Microsoft SQL Server database using Run As credentials. The credentials used by the Run As service account must have write permission to the database. Evaluate your security and deployment requirements before enabling the maestro.output.write_to_mssql_using_runas setting. For more information, see Run As Service Account.

Note: This command requires the --force-keys option. For example: tsm configuration set -k maestro.output.write_to_mssql_using_runas -v true --force-keys.

maestro.sessionmanagement.maxConcurrentSessionPerUser

Default value: 4

Sets the maximum number of flow web editing sessions that a user can have open at one time.

metadata.ingestor.blocklist

Default value: null

When configured, Tableau Catalogue blocks specified content from being ingested. To specify which content to block, you must identify the blocklist values, which is a combination of both the site ID, content type and content ID of the content you want to block, from the server “noninteractive” log files. Blocklist values must be separated by a comma.

Important: You should only use this option when directed to do so by Tableau Support.

For example, you can use the tsm configuration set --force-keys -k metadata.ingestor.blocklist to block ingestion of a combination of data sources, workbooks and flows using the following command:

tsm configuration set --force-keys -k metadata.ingestor.blocklist -v "sites/1/datasources/289, sites/2/datasources/111, sites/1/workbooks/32, sites/3/workbooks/15, sites/1/flows/13, sites/1/flows/18”

To validate blocked content, review the server “noninteractive” log files for the following events:

  • Skipping ingestion for
  • Successfully updated blocklist to

For example:

Skipping ingestion for contentType [Workbook], contentId [sites/1/datasources/289], siteDisabled [false], swallowEvent [false], contentBlocked [true]

Skipping ingestion for contentType [Workbook], contentId [sites/3/workbooks/15], siteDisabled [false], swallowEvent [false], contentBlocked [true]

and

Successfully updated blocklist to: [sites/1/datasources/289, sites/1/workbooks/32, sites/2/datasources/111]

metadata.ingestor.pipeline.throttleEventsEnable

Default value: false

Controls whether indexing of new and updated content, also called eventing, is regulated across all sites on the server. By default, event throttling is turned off. To turn on event throttling, change this setting to true using the following command: 

tsm configuration set -k metadata.ingestor.pipeline.throttleEventsEnable -v true --force-keys

For more information about event throttling, see Enable Tableau Catalog.

metadata.ingestor.pipeline.throttleLimit

Default value: 20

When event throttling is enabled, this is the maximum number of new and updated content items that can be indexed during a specified period of time. Once the specified limit is reached for a specific item, indexing is deferred.

By default, the limit is set to 20 and can't be set to lower than 2. You can use the following command to change the limit: 

tsm configuration set -k metadata.ingestor.pipeline.throttleLimit -v 25 --force-keys

Throttled events can be identified in the server "noninteractive" log files as ingestor event flagged for removal by throttle filter.

metadata.ingestor.pipeline.throttlePeriodLength

Default value: 20

When event throttling is enabled, this is the period of time, in minutes, a specified maximum number of new and updated content items can be indexed. Once the specified time is reached, indexing of any additional new and updated content is deferred.

By default, the time is set to 30 minutes. You can use the following command to change the time:

tsm configuration set -k metadata.ingestor.pipeline.throttlePeriodLength -v PT45M --force-keys

metadata.query.limits.time

Default value: 20

This is the longest allowable time, in seconds, for a Catalogue or Metadata API query to run before a timeout occurs and the query is cancelled. Tableau recommends incrementally increasing the timeout limit to no more than 60 seconds using the following command:

tsm configuration set -k metadata.query.limits.time –v PT30S --force-keys

Important: This option should be changed only if you see the error described here, Timeout limit and node limit exceeded messages. Increasing the timeout limit can utilise more CPU for longer, which can impact the performance of tasks across Tableau Server. Increasing the timeout limit can also cause higher memory usage, which can cause issues with the interactive microservices container when queries run in parallel.

metadata.query.limits.count

Default value: 20000

This is the number of objects (which can loosely map to the number of query results) that Catalogue can return before the node limit is exceeded and the query is cancelled. Tableau recommends incrementally increasing the timeout limit, to no more than 100,000 using the following command:

tsm configuration set -k metadata.query.limits.count –v 3000 --force-keys

Important: This option should be changed only if you see the error described here, Timeout limit and node limit exceeded messages. Increasing the node limit can cause higher memory usage, which can cause issues with the interactive microservices container when queries run in parallel.

metadata.query.throttling.enabled

Version: Added in version 2023.3

Default value: true

Controls whether Metadata API(Link opens in a new window) query throttling is enabled. Metadata API query throttling is a feature designed to prevent a server's API responses from negatively impacting overall performance. When set to true (the default), if a request to the Metadata API exceeds the defined threshold, a RATE_EXCEEDED error is returned.

If Metadata API users are seeing frequent RATE_EXCEEDED errors, an administrator can try to adjust throttling using the metadata.query.throttling.tokenRefilledPerSecond and metadata.query.throttling.queryCostCapacity settings. Alternatively, the administrator can disable throttling entirely by setting the metadata.query.throttling.enabled value to false. Doing so would prevent the performance-protecting benefits of the feature, however.

metadata.query.throttling.queryCostCapacity

Version: Added in version 2023.3

Default value: 20000000

A number representing the capacity that the Metadata API(Link opens in a new window) has for answering queries. Each request to the Metadata API has a calculated cost that is subtracted from this number when it's executed. (Using a token bucket model, this is the maximum amount of tokens that can be in the bucket.)

If Metadata API users are seeing frequent RATE_EXCEEDED errors, an administrator can adjust throttling settings. They should adjust metadata.query.throttling.tokenRefilledPerSecond and test the results before trying to adjust metadata.query.throttling.queryCostCapacity. Alternatively, the administrator can disable throttling entirely by setting metadata.query.throttling.enabled to false. Doing so would prevent the performance-protecting benefits of the feature, however.

metadata.query.throttling.tokenRefilledPerSecond

Version: Added in version 2023.3

Default value: 5555

A number representing the amount of Metadata API(Link opens in a new window) query capacity that's regenerated every second. (Using a token bucket model, this is the number of tokens that are put into the bucket every second.)

If Metadata API users are seeing frequent RATE_EXCEEDED errors, an administrator can adjust throttling settings. They should adjust metadata.query.throttling.tokenRefilledPerSecond and test the results before trying to adjust metadata.query.throttling.queryCostCapacity. Alternatively, the administrator can disable throttling entirely by setting metadata.query.throttling.enabled to false. Doing so would prevent the performance-protecting benefits of the feature, however.

metricsservices.checkIntervalInMinutes

Version: Retired in version 2024.2.

Default value: 60

Controls the interval, in minutes, between refreshes for metrics that rely on live data sources. A metric refreshes when the server checks for new data via the metric’s connected view.

metricsservices.enabled

Version: Added in version: 2022.3. Retired in version 2024.2.

Default value: true

When set to false, the metrics content type is disabled for all sites on a server. For more information, see Disable metrics for a server.

Retirement of the legacy metrics feature

Tableau's legacy metrics feature was retired in Tableau Cloud in February 2024 and in Tableau Server version 2024.2. In October 2023, Tableau retired the ability to embed legacy metrics in Tableau Cloud and in Tableau Server version 2023.3. With Tableau Pulse, we've developed an improved experience to track metrics and ask questions of your data. For more information, see Create Metrics with Tableau Pulse to learn about the new experience and Create and Troubleshoot Metrics (Retired) for the retired feature.

metricsservices.failureCountToWarnUser

Version: Retired in version 2024.2.

Default value: 10

Controls the number of consecutive refresh failures that must occur before the metric owner is warned. When set to the default of 10, a metric refresh must fail 10 times in a row before the owner is sent a notification about the failure.

metricsservices.maxFailedRefreshAttempts

Version: Retired in version 2024.2.

Default value: 175

Controls the number of consecutive refresh failures that must occur before a metric refresh is suspended.

mobile.deep_linking.on_prem.enabled

Default value: true

Controls whether links to Tableau Server are treated as deep links by the Tableau Mobile app. When set to true, links to supported content types open in the app. When set to false, links open in the mobile browser. For more information see, Control deep linking for Tableau Mobile.

monitoring.dataengine.connection_timeout

Default value: 30000

The length of time, in milliseconds, that Cluster Controller will wait for the data engine, before determining that a connection timeout occurred. The default is 30,000 milliseconds (30 seconds).

native_api.allowed_paths

Default value: ""

Note: In Tableau Server releases (including maintenance releases) before October 2023, this setting was configured to allowed access to all paths by default.

Use this setting to specify an allowlist for access to files stored on Tableau or on remote shares. This scenario allows authorised Tableau Server users to build workbooks that use files on the server as file-based data sources (such as spreadsheets).

This setting allows you to limit access only to those directories that you specify. The tableau system account access is therefore limited to the directory paths where you host data files.

tsm configuration set -k native_api.allowed_paths -v "path" , where path is the directory to add to the allowlist. All subdirectories of the specified path will be added to the allowlist. If you want to specify multiple paths, separate them with a semicolon, as in this example:

tsm configuration set -k native_api.allowed_paths -v "/datasources;/HR/data"

Important: Make sure the file paths you specify in this setting exist and are accessible by the system account.

native_api.connection.limit.<connection class>

Set parallel query limit for the specified data source (connection class). This overrides the global limit for the data source.

native_api.connection.globallimit

Default value: 16

Global limit for parallel queries. Default is 16 except for Amazon Redshift which has a default of 8.

native_api.ExplainDataEnabled

Default value: true

This option controls whether Explain Data is enabled or disabled for the server. For more information about Explain Data, see Get Started with Explain Data(Link opens in a new window) in the Tableau Help.

This option was added beginning with Tableau Server version: 2019.3.

native_api.force_alternative_federation_engine

Default value: false

Override the operation restrictions when joining data from a single file connection and a single SQL database connection. Set this option to True to force Tableau to process the join using the live database connection.

native_api.ProtocolTransitionLegacyFormat

Default value: false

Use the legacy name format for constrained delegation.

The name format was changed in version 10.1 to allow cross-domain protocol transition (S4U). If this causes problems with existing configurations and you don't need cross-domain protocol transition, configure Tableau Server to use the old behaviour by setting this to true.

native_api.unc_mountpoints

Default value: none

Specifies UNC and FQDN path for shared Windows directories that are accessed by Tableau Server on Linux. Each path must also be referenced in a corresponding auto.cifs file. Separate each path by a semicolon, for example:

'//filesrv01/development;/mnt/filesrv01/development;//filesrv01.example.lan/development;/mnt/filesrv01/development'

Subsequent updates to the native_api.unc_mountpoints value will overwrite the existing value. Therefore, each time you add a Windows share, you must include all shares in the updated value.

For more information, see the Community wiki topic, Connecting to a Windows Shared Directory(Link opens in a new window).

native_api.InitializeQueryCacheSizeBasedOnWeights

Default value: True

Controls whether the query cache size is initialised automatically based on the amount of available system memory. The query cache consists of the logical query cache, metadata cache and native query cache. By default, this functionality is enabled.

native_api.QueryCacheMaxAllowedMB

The maximum size of the query cache in megabytes. This value varies based on the amount of system memory. The query cache consists of the logical query cache, metadata cache and native query cache. Use the table below to determine your default value:

System MemoryDefault Value for Tableau ServerDefault Value for Tableau Desktop
64 GB and more3200 MB1600 MB
From 32 GB to 64 GB2400 MB1200 MB
From 16 GB to 32 GB1600 MB800 MB
16 GB and less800 MB400 MB

native_api.LogicalQueryCacheMaxAllowedWeight

Default value: 70

The weight of logical query cache size limit in the total query cache size.

native_api.MetadataQueryCachMaxAllowedWeight

Default value: 4

The weight of metadata query cache size limit in the total query cache size.

native_api.NativeQueryCacheMaxAllowedWeight

Default value: 26

The weight of native query cache size limit in the total query cache size.

native_api.QueryCacheEntryMaxAllowedInPercent

Default value: 60

Specifies the maximum size of query results that can be put into the query cache. It is set as the percentage of the total query cache size. For example, if the logical query cache size is 100 MB and native_api.QueryCacheEntryMaxAllowedInPercent is set to 60 percent, then only query results that are smaller than 60 MB can be put into the logical query cache.

native_api.UserInfoInGeneratedSQLEnabled

Default value: false

Determines whether query tagging is enabled for all content on a Tableau Server. When true, queries sent from Tableau to customer SQL databases will include metadata about the source of the query. The resulting content in customer database logs can be used for troubleshooting performance or other issues.

nlp.concepts_shards_count

Default value: 1

Note: The default shard count value is sufficient for most Tableau Server installations.

Controls the number of data shards for the Concepts index of Ask Data, field names, field synonyms and analytical terms stored in shards in:

  • The Index and Search Server for 2022.1 and later versions.
  • Elastic Server for 2019.1 - 2021. 4

The shard count partitions the search index to reduce total index size, which may improve the performance of Ask Data's semantic parser. Adjusting the shard count is another performance enhancement measure that you can take along with increasing the heap size through elasticserver.vmopts or indexandsearchserver.vmopts, depending on the version of Tableau Server that you are running.

Tableau recommends increasing the shard count by 1 for every 50 GB. To reduce the number of times you need to adjust the shard count, calculate the total index size by adding 50% to the current index. For example, if the total index size is less than 50 GB, then 1 shard is sufficient. Actual performance will vary depending on the server, the rate at which the index size grows and other factors.

  • 0 to 50 GB: 1
  • 50 GB to 100 GB: 2
  • 100 GB to 150 GB: 3

You can use the following command to increase the Concepts index shard count from default to 2:

tsm configuration set -k nlp.concepts_shards_count -v 2

nlp.values_shards_count

Default value: 1

Controls the number of data shards for the Concepts index of Ask Data, field names, field synonyms and analytical terms stored in shards in:

  • The Index and Search Server for 2022.1 and later versions.
  • Elastic Server for 2019.1 - 2021. 4

The shard count partitions the search index to reduce total index size, which may improve the performance of Ask Data's semantic parser. Adjusting the shard count is another performance enhancement measure that you can take along with increasing the heap size through elasticserver.vmopts or indexandsearchserver.vmopts, depending on the version of Tableau Server that you are running.

Tableau recommends increasing the shard count by 1 for every 50 GB. To reduce the number of times you need to adjust the shard count, calculate the total index size by adding 50% to the current index. For example, if the total index size is less than 50 GB, then 1 shard is sufficient. Actual performance will vary depending on the server, the rate at which the index size grows and other factors.

  • 0 to 50 GB: 1
  • 50 GB to 100 GB: 2
  • 100 GB to 150 GB: 3

You can use the following command to increase the Values index shard count from default to 2:

tsm configuration set -k nlp.values_shards_count -v 2

nlp.defaultNewSiteAskDataMode

Default value: disabled_by_default

Use this option to set the initial value of the Ask Data Mode when a site is created. For more information see Disable or Enable Ask Data for a Site.

Valid options are disabled_by_default and disabled_always.

This option was added beginning with Tableau Server versions: 2019.4.5, 2020.1.3.

noninteractive.vmopts

Default value: "-XX:+UseConcMarkSweepGC -Xmx<default_value>g -XX:+ExitOnOutOfMemoryError"

The default value varies based on the amount of system memory. The JVM maximum heap size is scaled to be 6.25% of the total system RAM.

This option controls the JVM maximum heap size for Tableau Catalogue ingestion. Because the default value scales automatically, use this option to override the default value only when absolutely necessary by modifying the -Xmx<default_value>g argument. For example, you can use the following command to increase the max heap size to 2 GB:

tsm configuration set -k noninteractive.vmopts -v "-XX:+UseConcMarkSweepGC -Xmx2g -XX:+ExitOnOutOfMemoryError"

For more information, see Memory for non-interactive microservice containers.

pgsql.port

Default value: 8060

Port that PostgreSQL listens on.

pgsql.preferred_host

Specifies the computer name of the node with the preferred repository installed. This value is used if the --preferred or -r option is specified with the tsm topology failover-repository command.

Example:

tsm configuration set -k pgsql.preferred_host -v "<host_name>"

Note: The host_name is case-sensitive and must match the node name shown in the output of tsm status -v.

pgsql.ssl.ciphersuite

Default value: HIGH:MEDIUM:!aNULL:!MD5:!RC4

Specifies the cipher algorithms that are allowed for SSL for the Repository.

For acceptable values and formatting requirements, see ssl_ciphers(Link opens in a new window) on the Postgres website.

pgsql.ssl.max_protocol_version

Default value:TLSv1.3

Sets the maximum SSL/TLS protocol version to use when connecting to the repository over SSL.

Valid values: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

pgsql.ssl.min_protocol_version

Default value:TLSv1.2

Sets the minimum SSL/TLS protocol version to use when connecting to the repository over SSL.

Valid values: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

pgsql.verify_restore.port

Default value: 8061

Port used to verify the integrity of the PostgreSQL database. See tsm maintenance backup for more information.

ports.blocklist

Version: Added in version 2021.1

Default value: no ports blocked in the range used for automatic port assignment.

Used to specify ports within the port assignment range that should not be used by Tableau when dynamically assigning ports. This is useful when you know that another application is using a port within the range. Separate multiple ports with commas, for example:

tsm configuration set -k ports.blocklist -v 8000,8089, 8090

For more information on using the ports.blocklist key, see Blocking specific ports within the range

recommendations.enabled

Default value: true

Controls the recommendations feature, which powers recommendations for data sources and tables (for Tableau Desktop) and recommendations for views (for Tableau Server). Recommendations are based on the popularity of content and on content used by other users determined to be similar to the current user.

recommendations.vizrecs.enabled

Default value: true

Controls recommendations for views for Tableau Server users. This option is a child of recommendations.enabled and will have no effect if the parent option is set to false. When the parent option is set to true, and this option is set to false, data sources and tables will still be recommended to Tableau Desktop users, but recommendations for views on Tableau Server will be disabled.

redis.max_memory_in_mb

Default value: 1024

Specifies the size in megabytes of the cache server external query cache.

refresh_token.absolute_expiry_in_seconds

Default value: 31536000

Specifies the number of seconds for absolute expiration of refresh tokens and personal access tokens (PATs).

Refresh tokens are used by connected clients (Tableau Desktop, Tableau Prep Builder, Tableau Mobile, etc.) for authentication to Tableau Server after initial sign-in.

To remove limits set the value to -1. To disable refresh tokens and PATs, see Disable Automatic Client Authentication.

refresh_token.idle_expiry_in_seconds

Default value: 1209600

Specifies the number of seconds when idle refresh tokens expire. The refresh tokens are used by connected clients (Tableau Desktop, Tableau Prep Builder, Tableau Mobile, etc.) for authentication to Tableau Server after initial sign-in. To remove limits set the value to -1.

refresh_token.max_count_per_user

Default value: 24

Specifies the maximum number of refresh tokens that can be issued for each user. If the maximum number of user sessions is not enough, increase this value or set it to -1 to entirely remove this refresh token limit.

rsync.timeout

Default value: 600

Longest allowable time, in seconds, for completing file synchronisation (600 seconds = 10 minutes). File synchronisation occurs as part of configuring high availability, or moving the data engine and repository processes.

schedules.display_schedule_description_as_name

Default value: false

Controls whether a schedule name displays when creating a subscription or extract refresh (the default), or the "schedule frequency description" name describing the time and frequency of the schedule displays. To configure Tableau Server to display timezone-sensitive names for schedules, set this value to true.

When true, the "schedule frequency description" is also displayed after the schedule name on the schedule list page.

schedules.display_schedules_in_client_timezone

Default value: true

Shows the "schedule frequency description" in the timezone of the user when true (uses the client browser timezone to calculate the "schedule frequency description").

schedules.ignore_extract_task_priority

Default value (boolean): False

This setting controls whether or not task priority is considered for determining the job rank which determines when to pull jobs off the queue. Setting this to true disables editing the task priority on tasks, and only schedule priority will be considered for determining the job rank.

searchserver.connection_timeout_milliseconds

Version: Added in version 2019.1. Deprecated in version 2022.3. Retired in version 2023.3.

Default value, in milliseconds: 100000

Specifies, in milliseconds, the amount of time Search & Browse clients will wait to establish a connection to the Search & Browse server.

On especially busy Tableau Server computers, or if you see log errors "Failed zookeeper health check. Refusing to start SOLR." increase this value.

For more information, see Client session timeouts.

searchserver.index.bulk_query_user_groups

Version: Retired in version 2022.3.

Default value: true

Specifies whether querying of site users is done in bulk when importing or deleting users with a CSV file. When set to true (the default), indexing is done as in bulk.

searchserver.javamemopts

Version: Added in version 2019.1. Retired in 2023.3

Default value: -Xmx512m -Xms512m -XX:+ExitOnOutOfMemoryError -XX:-UsePerfData

Determines JVM options for SOLR.

Of all configurable options, the maximum heap memory, configured by the -Xmx parameter, is the most important when tuning the searchserver. In most cases this should be set as high as is possible, up to 24 GB, based on available physical memory on the Tableau Server computer. To change only the max heap memory, specify the entire default string but only change the value for -Xmx.

Valid values for -Xmx depend on available memory on the Tableau Server computer, but cannot be greater than 24 GB. For more information, see Search & Browse Max Heap Memory.

searchserver.startup.zookeeper_healthcheck_timeout_ms

Version: Added in version 2020.1. Retired in version 2023.3.

Default value, in milliseconds: 300000

Specifies, in milliseconds, the amount of time Tableau Server should wait for a successful Zookeeper health check on startup.

On especially busy Tableau Server computers, or if you see log errors "Failed zookeeper health check. Refusing to start SOLR." increase this value.

For more information, see Zookeeper connection health check timeout at startup.

searchserver.zookeeper_session_timeout_milliseconds

Version: Retired in version 2022.3.

Default value, in milliseconds: 100000

Specifies, in milliseconds, the amount of time Search & Browse clients will wait to establish a connection to the Coordination Service (Zookeeper).

For more information, see Client session timeouts.

ServerExportCSVMaxRowsByCols

Version: Added in version 2020.3.

Default value: 0 (no limit)

Specifies the maximum number of cells of data that can be downloaded from View Data into a CSV file. By default, there is no limit. Specify the number of cells. For example to set a limit of 3 million: 

tsm configuration set -k ServerExportCSVMaxRowsByCols -v 3000000 
tsm pending-changes apply

service.jmx_enabled

Default value: false

Setting to true enables JMX ports for optional monitoring and troubleshooting.

service.max_procs

Default value: <number>

Maximum number of server processes.

service.port_remapping.enabled

Default value: true

Determines whether or not Tableau Server will attempt to dynamically remap ports when the default or configured ports are unavailable. Setting to false disables dynamic port remapping.

sheet_image.enabled

Default value: true

Controls whether you can get images for views with the REST API. For more information, see REST API Reference.

ssl.ciphersuite

Default value: HIGH:MEDIUM:!EXP:!aNULL:!MD5:!RC4:!3DES:!CAMELLIA:!IDEA:!SEED

Specifies the cipher algorithms that are allowed for SSL for Gateway.

For acceptable values and formatting requirements, see SSLCipherSuite(Link opens in a new window) on the Apache website.

ssl.client_certificate_login.blocklisted_signature_algorithms

Default value:

  • Version 2020.4.0: 

    sha1withrsaencryption,
    sha1withrsa

  • Version 2020.4.1 and later:

    sha1withrsaencryption,
    sha1withrsa,
    sha1withrsaandmgf1,
    sha1withdsa,
    sha1withecdsa

The default value blocks certificates with the SHA-1 signing algorithm. Specifies the client signing algorithms that are blocked for SSL. To disable blocking of all signature algorithms, run this key with an empty set of quotes.

For more information about this key, see the Knowledge Base article, Mutual SSL Fails After Upgrading if Certificates Signed with SHA-1(Link opens in a new window).

ssl.client_certificate_login.min_allowed.elliptic_curve_size

Default value: 256

Specifies the minimum elliptic curve size required for ECDSA client certificates that are authenticating with Tableau Server over mutual SSL If a client presents an ECDSA client certificate that does not satisfy this minimum curve size, the authentication request will fail.

This option was introduced in Tableau Server version 2021.1.

ssl.client_certificate_login.min_allowed.rsa_key_size

Default value: 2048

Specifies the minimum key size for RSA client certificates that are authenticating with Tableau Server over mutual SSL If a client presents an RSA client certificate that does not satisfy this minimum key size, the authentication request will fail.

This option was introduced in Tableau Server version 2021.1.

ssl.protocols

Default value: all +TLSv1.2 -SSLv2 -SSLv3 -TLSv1.3

Specifies the SSL protocols that Tableau Server supports for TLS connections for Gateway. Acceptable values derive from the Apache SSLPrtocol Directive(Link opens in a new window). We recommend following SSL protocol configuration as described in Security Hardening Checklist.

storage.monitoring.email_enabled

Default value: false

Controls whether email notifications are enabled for server disk space monitoring. By default, email notifications are enabled. To enable notifications for disk space monitoring, set this to true.

SMTP must be configured for notifications to be sent. For details, see Configure SMTP Setup.

storage.monitoring.warning_percent

Default value: 20

Warning threshold of remaining disk space, in percentage of total disk space. If disk space falls below this threshold, a warning notification is sent.

storage.monitoring.critical_percent

Default value: 10

Critical threshold of remaining disk space, in percentage of total disk space. If disk space falls below this threshold, a critical notification is sent.

storage.monitoring.email_interval_min

Default value: 60

How often, in minutes, that email notifications should be sent when disk space monitoring is enabled and a threshold is crossed.

storage.monitoring.record_history_enabled

Default value: true

Determines whether free disk space history is saved and available to view in Administrative Views. To disable history storage for monitoring, set storage.monitoring.record_history_enabled to false.

subscriptions.enabled

Default value: false

Controls whether subscriptions are configurable system-wide. See Set Up a Site for Subscriptions.

subscriptions.timeout

Default value: 1800

Length of time, in seconds, for a view in a workbook subscription task to be rendered before the task times out. If this time limit is reached while a view is being rendered, the rendering continues, but any subsequent view in the workbook is not rendered, and the job ends in error. In the case of a single-view workbook, this value will never result in the rendering being halted due to a timeout.

svcmonitor.notification.smtp.enabled

Default value: false

Controls whether email notifications are enabled for server process events. By default notifications are sent when processes go down, fail over or restart. To enable server process notifications, set this to true.

SMTP must be configured for notifications to be sent. For details, see Configure SMTP Setup.

svcmonitor.notification.smtp.mime_use_multipart_mixed

Version: Added in version: 2020.1.8, 2020.2.5, 2020.3.1

Default value: false

Controls whether subscription HTML MIME attachments are sent as multipart/related (the default) or multipart/mixed.

In rare cases, email clients may not properly parse emails sent by Tableau Server. Many times this can be fixed by setting this property to true. Known clients include iOS Mail and Microsoft Outlook (when paired with Exchange S/MIME encryption).

tabadmincontroller.auth.expiration.minutes

Default value: 120

Controls how long session cookies are valid. By default this is set to 120 minutes. This value also determines how long the embedded credentials in a node bootstrap file are valid. For more information, see tsm topology nodes get-bootstrap-file.

tdsservice.log.level

Version: Added in version 2020.3.0

Default value: info

The logging level for the Data Source Properties service. This is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.

tomcat.http.maxrequestsize

Default value: 16380

The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.

A low value for tomcat.http.maxrequestsize may result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.

We recommend setting gateway.http.request_size_limit option to the same value that you set for this option.

tomcat.http.proxyHost

Specifies forward proxy host name for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.

tomcat.http.ProxyPort

Specifies forward proxy port for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.

tomcat.https.proxyHost

Specifies forward proxy host name for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.

tomcat.https.ProxyPort

Specifies forward proxy port for OpenID requests to the IdP. See Configure Tableau Server for OpenID Connect.

tomcat.https.port

Default value: 8443

SSL port for Tomcat (unused).

tomcat.server.port

Default value: 8085

Port that tomcat listens on for shutdown messages.

tomcat.useSystemProxies

Default value: false

Specifies whether tomcat components (OpenID) require access to the forward proxy configuration on the local Windows operating system. See Configure Tableau Server for OpenID Connect.

tomcatcontainer.log.level

Default value: info

The logging level for microservices in the Interactive Microservice Container and Non-Interactive Microservice Container. This is dynamically configurable starting in version 2020.4, so if you are only changing this, you do not have to restart Tableau Server. For more information, see Change Logging Levels.

tsm.log.level

Default value: info

Logging level for TSM services. These logs include information that can be useful if you have problems with TSM services: Administration Agent, Administration Controller, Client File Service, Cluster Controller, Service Manager and Licence Service. This configuration key does not change the logging level for Coordination Service or for maintenance processes. For more information, see Change Logging Levels and Tableau Server Processes.

tsm.controlapp.log.level

Default value: info

Logging level for control_<app> services. These logs include information that can be useful if you are running into problems starting or reconfiguring a TSM or Tableau Server process. For more information, see Change Logging Levels.

usernotifications.reap_after_days

Default value: 30

Number of days after which a user notification will be deleted from the server.

vizportal.adsync.update_system_user

Default value: false

Specifies whether email addresses and display names of users are changed (even when changed in Active Directory) when an Active Directory group is synchronised in Tableau Server. To ensure that user email addresses and display names are updated during synchronisation, set vizportal.adsync.update_system_user to true, and then restart the server.

Version: Added in version 2021.3.0

Default value: false

Specifies whether the Copy Link option should include the "embed=y" parameter. Starting in version 2019.4, by default, it does not include this parameter. Setting this configuration key to true changes the behaviour so that the "embed=y" parameter is included. For details about using the Copy Link option to share links for embedding in web pages, see Embed Views into Webpages(Link opens in a new window) in the Tableau Desktop and Web Authoring Help.

vizportal.art_skip_list

Version: Added in version 2024.2.

Default value: null

Use this configuration key to specify aspects of Tableau Server functionality that do not use Activity and Resource Tracing (ART) and will generate large amounts of unnecessary data while ART is enabled.

This key is used together with vizportal.log_art_java and vizportal.enable_art for troubleshooting issues with Application Server (VizPortal). When set to [need info here about what it gets set to.] To learn how to use this configuration setting, see Troubleshooting problems with Application Server.

vizportal.commenting.delete_enabled

Default value: true

When set to true, lets users delete comments on views. You can delete a comment if you created it, are the content owner, a project leader with an appropriate site role or are an administrator. To learn which site roles are required for full project leader access, see Project-level administration.

vizportal.csv_user_mgmt.index_site_users

Version: Deprecated in version 2022.3. Retired (removed entirely) in version 2023.3.

Default value: true

Specifies whether indexing of site users is done user by user when importing or deleting users with a CSV file. When set to true(the default) indexing is done as each user is added or deleted. To delay the indexing of the site users until after the entire CSV file has been processed, set this to false.

vizportal.csv_user_mgmt.bulk_index_users

Version: Deprecated in version 2022.3. Retired (removed entirely) in version 2023.3.

Default value: false

Specifies whether indexing of site users is done in bulk when importing or deleting users with a CSV file. When set to false (the default), indexing is done individually. To have the indexing done in bulk after the CSV file has been processed, set this to true.

vizportal.enable_art

Version: Added in version 2024.2.

Default value: false

This configuration key is used together with vizportal.log_art_java and vizportal.art_skip_list for troubleshooting issues with Application Server (VizPortal). When set to true, this enables Activity and Resource Tracing in Application Server. To learn how to use this configuration setting, see Troubleshooting problems with Application Server.

vizportal.log_art_java

Version: Added in version 2024.2.

Default value: false

This configuration key is used together with vizportal.enable_art and vizportal.art_skip_list for troubleshooting issues with Application Server (VizPortal). When set to true, this enables Activity and Resource Tracing in Application Server. To learn how to use this configuration setting, see Troubleshooting problems with Application Server.

vizportal.log.level

Default value: info

The logging level for vizportal Java components. Logs are written to /var/opt/tableau/tableau_server/data/tabsvc/logs/vizportal/*.log.

Set to debug for more information. Using the debug setting can significantly impact performance, so you should only use this setting when directed to do so by Tableau Support.

Beginning with version 2020.4.0, this is dynamically configurable, so if you are only changing this, you do not have to restart Tableau Server. For more information, see Change Logging Levels.

vizportal.oauth.connected_apps.max_expiration_period_in_minutes

Version: Added in version 2021.4.

Default value: 10

The maximum period of time, in minutes, the JSON web token (JWT) is valid. At the time the JWT is verified, Tableau Server checks that the time period specified in the JWT doesn’t exceed this default value. This setting is used when a Tableau-connected app has been configured on Tableau Server using the Tableau REST API(Link opens in a new window).

For example, to change maximum period to 5 minutes, run the following command:

tsm configuration set -k vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes -v 5

vizportal.oauth.external_authorization.enabled

Version: Added in version 2021.4.

Default value: false

In Tableau Server 2024.2 and later, the Enable connected apps option is enabled for Tableau Server. In Tableau Server 2023.2 and earlier, it is specified whether the Enable OAuth Access for Embedding Content option is enabled for Tableau Server.

Use this option to register an external authorisation server (EAS) with Tableau Server so that you can enable application integration. For more information, see Configure Connected Apps with OAuth 2.0 Trust.

To enable this option, run the following command:

tsm configuration set -k vizportal.oauth.external_authorization.enabled -v true

vizportal.oauth.external_authorization_server.blocklisted_jws_algorithms

Version: Added in version 2021.4.

Default value: ES256K

When an external authorisation server (EAS) is registered or connected app is configured, you can use this command to specify the signing algorithm used in JSON web token (JWT) header. For more information, see Configure Connected Apps with OAuth 2.0 Trust or Use Tableau Connected Apps for Application Integration.

For example, if needed, you might run the following command to remove the algorithm:

tsm configuration set - k vizportal.oauth.external_authorization_server.blocklisted_jws_algorithms -v

Important: The example command above allows unsafe signing algorithms and should only be used to troubleshoot errors.

vizportal.oauth.external_authorization_server.issuer

Version: Added in version 2021.4.

Default value: null

Required. Use this command to specify the issuer URL. The issuer URL is required to register the external authorisation server (EAS) with Tableau Server. For more information, see Configure Connected Apps with OAuth 2.0 Trust.

For example, if your EAS is Okta, you might run a command similar to the following:

tsm configuration set -k vizportal.oauth.external_authorization_server.issuer -v "https://dev-12345678.okta.com/oauth2/abcdefg9abc8eFghi76j5"

vizportal.oauth.external_authorization_server.jwks

Version: Added in version 2021.4.

Default value: null

When an external authorisation server (EAS) is registered, you can use this command to specify the JSON web key set (JWKS) URL. The JWKS URL is required if the identity provider (IdP) doesn’t expose the external authorisation server metadata endpoint.

For example, if your IdP is Amazon Cognito, you might run a command similar to the following:

tsm configuration set -k vizportal.oauth.external_authorization_server.jwks -v "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_Ab129faBb/.well-known/jwks.json"

vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes

Version: Added in version 2021.4.

Default value: 10

The maximum period of time, in minutes, the JSON web token (JWT) is valid. At the time the JWT is verified, Tableau Server checks that the time period specified in the JWT doesn’t exceed this default value. This setting is used when an EAS has been registered with Tableau Server. For more information, see Configure Connected Apps with OAuth 2.0 Trust.

For example, to change maximum period to 5 minutes, run the following command:

tsm configuration set -k vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes -v 5

vizportal.openid.client_authentication

Specifies custom client authentication method for OpenID Connect.

To configure Tableau Server to use the IdPs that require the client_secret_post, set this value to client_secret_post.

An example would be when connecting to the Salesforce IDP, which requires this.

vizportal.openid.essential_acr_values

Version: Added in version 2020.4.

Specifies a list of authentication context class reference (ACR) values to provide the OpenID Connect IdP as an essential claim request. The IdP is responsible for ensuring that authentication meets the expected criteria. If the vizportal.openid.essential_acr_values configuration key is populated, Tableau Server acts as the relying party and will inspect the ACR claim in the token response. Tableau Server will only warn if the ACR claim doesn't match the expected configuration key value.

To set this option, enter the ACR values in order of preference, enclosed by double-quotes. You must separate multiple values by a comma and space, as in this example:

tsm configuration set -k vizportal.openid.essential_acr_values -v "value1, value2"

vizportal.openid.full_server_request_logging_enabled

Default value: false

Specifies whether to do full logging of OpenID activity.

Set this to true when troubleshooting OpenID Connect issues to gather more detailed logs and allow you to better troubleshoot.

As with all logging-related configurations, we recommend that after you have finished troubleshooting and collecting logs, you reset this key to its default (false). This limits the amount of information logged and keeps the log file sizes to a minimum.

vizportal.openid.voluntary_acr_values

Version: Added in version 2020.4.

Specifies a list of authentication context class reference (ACR) values to provide the OpenID Connect IdP as a voluntary claim request. The IdP is responsible for ensuring that authentication meets the expected criteria. If the vizportal.openid.voluntary_acr_values configuration key is populated, Tableau Server acts as the relying party and will inspect the ACR claim in the token response. The authentication request will fail if the ACR claim is missing or the provided claim value doesn't match the expected configuration key value.

To set this option, enter the ACR values in order of preference, enclosed by double-quotes. You must separate multiple values by a comma and space, as in this example:

tsm configuration set -k vizportal.openid.voluntary_acr_values -v "value1, value2"

vizportal.password_reset

Version: Replaces features.PasswordReset in version 2024.2.

Default value: false

Applies only to servers that use local authentication. Set to trueto let users reset their passwords with a "Forgot password" option on the sign-in page.

vizportal.rest_api.cors.allow_origin

Specifies the origins (sites) that are allowed access to the REST API endpoints on Tableau Server when vizportal.rest_api.cors.enabled is set to true. You can specify more than one origin by separating each entry with a comma (,).

tsm configuration set -k vizportal.rest_api.cors.allow_origin -v https://mysite, https://yoursite

If vizportal.rest_api.cors.enabled is false, the origins listed by this option are ignored. For more information, see Enabling CORS on Tableau Server.

Note: You can use an asterisk (*) as a wild card to match all sites. This is not recommended as it allows access from any origin that has access to the server and can present a security risk. Do not use an asterisk (*) unless you fully understand the implications and risks for your site.

vizportal.rest_api.cors.enabled

Default value: false

Controls whether Tableau Server allows Cross Origin Resource Sharing (CORS). When set to true, the server allows web browsers to access the Tableau REST API endpoints. You can use this option and the REST API to create custom portals. By default, this functionality is not enabled. To specify which origins (sites) have access, use the vizportal.rest_api.cors.allow_origin option. Only the origins specified with this option are allowed to make requests to the Tableau Server REST API. For more information, see Enabling CORS on Tableau Server.

vizportal.site_user_group_count_enabled

Version: Added in version 2022.3.5 and later, 2023.1.0 and later.

Default value: false

Controls whether Site Users page will include a column showing the group count for each user.

vizqlserver.allow_insecure_scripts

Default value: false

Allows a workbook to be published to the server from Tableau Desktop, and to be opened from the server, even if the workbook contains SQL or R expressions that are potentially unsafe (for example, a SQL expression that could potentially allow SQL injection). When this setting is false (the default), publishing a workbook or opening it from the server results in an error message, and the workbook is blocked. Before you set this value to true review the Knowledge Base article, Blocking or Allowing Insecure Scripts in Tableau Server(Link opens in a new window).

vizqlserver.browser.render

Default value: true

Views under the threshold set by vizqlserver.browser.render_threshold or vizqlserver.browser.render_threshold_mobile are rendered by the client web browser instead of by the server. See Configure Client-Side Rendering for details.

vizqlserver.browser.render_threshold

Default value: 100

The default value represents a high level of complexity for a view displayed on a PC. Complexity factors include number of marks, headers, reference lines and annotations. Views that exceed this level of complexity are rendered by the server instead of in the PC's web browser.

vizqlserver.browser.render_threshold_mobile

Default value: 60

The default value represents a high level of complexity for a view displayed on a tablet. Complexity factors include number of marks, headers, reference lines and annotations. Views that exceed this level of complexity are rendered by the server instead of in the tablet's web browser.

vizqlserver.clear_session_on_unload

Default value: false

Determines whether or not VizQL sessions are kept in memory when a user navigates away from a view or closes their browser. The default value (false) keeps sessions in memory. To close VizQL sessions on leaving a view or closing a browser, set this to true.

vizqlserver.force_maps_to_offline

Version: Added in version 2020.4.0.

Default value: false

Determines whether Tableau Server runs in offline mode for maps. This is useful in disconnected environments where access to the internet and the map server is restricted. To enable offline mode for maps, set this value to true. For more information about installing and configuring Tableau Server in an environment without internet access, see Install Tableau Server in a Disconnected (Air-Gapped) Environment.

vizqlserver.geosearch_cache_size

Default value: 5

Sets the maximum number of different geographic search locale/language data sets that can be loaded into server memory at the same time. When the server receives a geographic search request for locale/language data set that is not in memory, it will load the set into memory. If loading the data set will exceed the specified limit, the least recently used locale/language data set is cleared from memory so the requested one can be loaded. The minimum value is 1. Each cache takes approximately 60 MB in memory (so if you set this to 10, the memory usage would be 600 MB (60 * 10).

vizqlserver.initialsql.disabled

Default value: false

Specify whether to ignore initial SQL statements for all data sources. Set this to true to ignore initial SQL:

tsm configuration set -k vizqlserver.initialsql.disabled -v true

vizqlserver.log.level

Default value: info

The logging level for VizQL Server Java components. Logs are written to /var/opt/tableau/tableau_server/data/tabsvc/logs/vizqlserver/*.log.

Set to debug for more information. Using the debug setting can significantly impact performance, so you should only use it when directed to do so by Tableau Support.

Beginning with version 2020.3.0, this is dynamically configurable, so if you are only changing this you do not have to restart Tableau Server. For more information, see Change Logging Levels.

vizqlserver.NumberOfWorkbookChangesBetweenAutoSaves

Default value: 5

Auto recover configuration for web authoring. Specifies the number of changes that a user must make to trigger auto save. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.

vizqlserver_<n>.port

The port a VizQL server instance (specified by "<n>") is running on.

vizqlserver.querylimit

Default value: 1800

Longest allowable time for updating a view, in seconds. 1800 seconds = 30 minutes. This configuration option impacts VizQL Server and Data Server.

vizqlserver.RecoveryAttemptLimitPerSession

Default value: 3

Auto recover configuration for web authoring. The maximum number of attempts to recover the same session. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.

vizqlserver.session.expiry.minimum

Default value: 5

Number of minutes of idle time after which a VizQL session is eligible to be discarded if the VizQL process starts to run out of memory.

vizqlserver.session.expiry.timeout

Default value: 30

Number of minutes of idle time after which a VizQL session is discarded.

vizqlserver.sheet_image_api.max_age_floor

Default value: 1

The amount of time, in minutes, to cache images that are generated by the Query View Image method of the REST API. For more information, see the REST API Reference(Link opens in a new window) in the REST API help.

vizqlserver.showdownload

Default value: true

Controls the display of the Tableau Workbook option of the Download menu in views. When set to false, the Tableau Workbook option is unavailable.

Note: This setting does not remove the option for users in Web Edit mode.

vizqlserver.showshare

Default value: true

Controls the display of Share options in views. To hide these options, set to false.

Note: Users can override the server default by setting the "showShareOptions" JavaScript or URL parameter.

vizqlserver.url_scheme_allowlist

Specifies one or more URL schemes to allow (safe list) when using URL actions(Link opens in a new window) on views and dashboards. The schemes http, https, gopher, mailto, news, sms, tel, tsc and tsl are allowed (safe listed) by default. This command can contain multiple comma and space-separated values, as in this example:

tsm configuration set -k vizqlserver.url_scheme_whitelist -v scheme1, scheme2

The values you specify overwrite previous settings. Therefore, you must include the full list of schemes in the set command. (You cannot amend the list of schemes by running the set command repeatedly.)

vizqlserver.web_page_objects_enabled

Default value: true

Controls whether Web Page objects in dashboards can display target URLs. To prevent web pages from appearing, set to false.

vizqlserver.WorkbookTooLargeToCheckpointSizeKiB

Default value: 5120

Auto recover configuration for web authoring. Size limit (KB) for a workbook that will auto save. Workbooks larger than this value will not be auto-saved. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.

Note: Older versions of Server use a default value: 1024

vizqlserver.workflow_objects_enabled

Default value: true

Determines whether the Tableau External Actions Workflow object can be added to dashboards.

webdataconnector.refresh.enabled

Deprecated. Use tsm data-access web-data-connectors allow instead.

Determines whether extract refreshes for web data connectors (WDCs) are enabled in Tableau Server. To disable refresh for all WDCs, set the value for this key to false, as shown below:

tsm configuration set --key webdataconnector.refresh.enabled --value false

To learn more, see Web Data Connectors in Tableau Server.

webdataconnector.allowlist.fixed

Deprecated. Use tsm data-access web-data-connectors add instead.

Specifies one or more web data connectors (WDCs) that can be used by to access data connections that are accessible over HTTP or HTTPS. This command is formatted as JSON data on a single line, with all double-quotes (") escaped using a backslash (\).

For example to add a San Francisco Film Locations WDC to the safe list:

tsm configuration set --key webdataconnector.whitelist.fixed --value "'{\"https://tableau.data.world:443\": {\"properties\": { \"secondary_whitelist\": [\"(https://data.world/)(.*)\"] } } }'"

To learn more, see Web Data Connectors in Tableau Server.

webdataconnector.enabled

Deprecated. Use tsm data-access web-data-connectors allow instead.

Default value: true

When set to true, you can use tsm commands to manage web data connectors on the server.

webdataconnector.allowlist.mode

Default value: mixed

Determines how Tableau Server can run web data connectors. Supported modes are:

  • mixed. Users can run connectors that are on an allowlist (safe list) of URLs. This mode originally also allowed users to run WDCs that had been imported. Importing WDCs is no longer supported.
  • fixed. Users can run connectors that are on an allowlist (safe list) of URLs.
  • insecure. Users can run any connector.

Important: Use the insecure option only for development and testing. Because connectors run custom code, running connectors that have not been vetted can pose a security threat.

wgserver.audit_history_expiration_days

Default value: 183

Specifies the number of days after which historical events records are removed from the PostgreSQL database (the Tableau Server database).

wgserver.authentication.legacy_identity_mode.enabled

Version: Added in version 2022.1

Default value: false for Tableau Server 2022.1 and later. For pre-2022.1 Tableau Server deployments upgraded to 2022.1 or later, default value is true.

Set to false to use identity pools.

For more information, see Troubleshoot identity pools.

wgserver.authentication.identity_pools.default_pool_description

Version: Added in version 2023.1

Default value: Null

Optionally, you can add a description for the initial pool (TSM configured) to the Tableau Server landing page and is visible to all users. When one or more identity pools are created, this description is added below the primary sign-in option and can be used to help guide users that belong to the initial pool (TSM configured) to the correct sign-in option.

For example, to add a “Regular employees sign in here” description, you can use the following command:

tsm configuration set -k wgserver.authentication.identity_pools.default_pool_description -v “Regular employees sign in here"

Note: The initial pool (TSM configured) description is different from the Sign-In Customisation note. The Sign In Customisation note is displayed on the Tableau Server landing page below all sign-in options and on the page where your initial pool (TSM configured) users enter their username and password.

wgserver.change_owner.enabled

Default value: true

Controls whether the ownership of a workbook, data source or project can be changed. Other options include false and adminonly.

wgserver.clickjack_defense.enabled

Default value: true

When set to true, helps prevents a malicious person from "clickjacking" a Tableau Server user. In a clickjack attack, the target page is displayed transparently over a second page, and the attacker gets the user to click or enter information in the target page while the user thinks he or she is interacting with the second page.

For more information, see Clickjack Protection.

wgserver.domain.accept_list

Version: This was added in version 2020.4.0 and replaces wgserver.domain.whitelist.

Default value: null

Allows connection from Tableau Server to secondary Active Directory domains. A secondary domain is one that Tableau Server connects to for user synchronisation, but is a domain where Tableau Server is not installed. Tableau Server will attempt to connect to secondary domains for user and group synchronisation. In some cases, Tableau Server may be unable to connect to the secondary domain, which will result in the error, "Domain not in accept list (errorCode=101015)."

Setting the wgserver.domain.accept_list option is required by a fix for the security vulnerability, [Important] ADV-2020-003: Tableau Server Forced Authentication(Link opens in a new window). As of February 2020, the fix for this vulnerability is included in all latest versions and maintenance releases of Tableau Server.

To set this option, enter the secondary domain enclosed by double-quotes. Multiple domains must be separated by a comma and a space. For example, tsm configuration set -k wgserver.domain.accept_list -v "example.org, domain.com".

Wildcard functionality is not supported. For example, if Tableau connects to sub1.example.org and sub2.example.org, then both domains must be added.

Updating the wgserver.domain.accept_list option overwrites the existing value. Therefore, if you are adding a new domain to an existing set of domains stored in the value, include all existing domains with the new domain when you set the option. You can retrieve the full list of existing domains by running tsm configuration get –k wgserver.domain.accept_list.

wgserver.domain.ldap.domain_custom_ports

Default value: null

Allows you to map child domains and their LDAP ports. Domain and port are separated by a colon (:) and each domain:port pair is separated by a comma (,) using this format: FQDN1:port,FQDN2:port

Example: tsm configuration set -k wgserver.domain.ldap.domain_custom_ports -v childdomain1.lan:3269,childdomain2.lan:3269,childdomain3.lan:389

wgserver.domain.password

Default value: null

Specifies password for the user account that is used for LDAP connection. See External Identity Store Configuration Reference.

wgserver.domain.username

Default value: null

Specifies name for the user account that is used for LDAP connection. See External Identity Store Configuration Reference.

wgserver.domain.allowlist

Important: This key has been deprecated as of version 2020.4.0. Use wgserver.domain.accept_list instead.

Default value: null

Allows connection from Tableau Server to secondary Active Directory domains. A secondary domain is one that Tableau Server connects to for user synchronisation, but is a domain where Tableau Server is not installed. Tableau Server will attempt to connect to secondary domains for user and group synchronisation. In some cases, Tableau Server may be unable to connect to the secondary domain, which will result in the error, “Domain not in allowlist (errorCode=101015)”.

wgserver.extended_trusted_ip_checking

Default value: false

Enforces IP client matching for trusted ticket requests.

wgserver.ignore_domain_in_username_for_matching

Version: Added in versions 2021.4.21, 2022.1.17, 2022.3.9 and 2023.1.5

Default value: false

When you enable SAML, you can configure Tableau Server to ignore the domain portion of the SAML username attribute when matching the identity provider (IdP) user name to a user account on Tableau Server. You might ignore the domain portion of the username attribute when you already have users defined in Tableau Server that match the prefix portion of a username attribute but not the domain portion of the username attribute. For more information, see the Ignore domain when matching SAML username attribute section in the SAML Requirements topic.

For example, to ignore the domain name in the SAML username attribute, run the following command:

tsm configuration set -k wgserver.ignore_domain_in_username_for_matching -v true

Important:

  • We do not recommend ignoring the domain name without taking precautions. Specifically, verify that user names are unique across the configured domains that you've created in your IdP.
  • This command only works in Tableau Server deployments that are in legacy-identity-mode or deployments that have not been updated through the identity migration(Link opens in a new window) to use the Identity Service.

wgserver.restrict_options_method

Default value: true

Controls whether Tableau Server accepts HTTP OPTIONS requests. If this option is set to true, the server returns HTTP 405 (Method Not Allowed) for HTTP OPTIONS requests.

wgserver.saml.blocklisted_digest_algorithms

Version: Added in version 2021.1.

Default value: SHA1

Specifies the hashing algorithms that are not allowed for any relevant SAML certificate signatures or SAML assertion digest method or signature methods . When set, certificates or assertions that are signed & hashed with a blocklisted algorithm will be rejected and fail.

There are multiple places where SHA-1 could be used on both the Tableau and IdP side. For example:

  • Certificates uploaded with TSM that are used by Tableau Server to sign the request that is sent to the IdP.
  • Certificates in the IdP metadata used to verify the AuthnResponse (signature) received from the IdP using the public key in the Certificate.
  • Incoming assertions signed and hashed with SHA-1 (DigestMethod set to SHA-1 and SignatureMethod set to SHA-1).

The default value was changed to (SHA1 in Tableau Server 2021.2. For more information about upgrading to 2021.2 with SAML configured, see the Knowledge Base article, Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2.

wgserver.saml.forceauthn

Version: Added in version 2019.3.

Default value: false

When set to true, if the Tableau user session expires, Tableau Server will re-authenticate the user with the IdP. This option can also be used to ask the IdP to prompt the user for re-authentication, even if the user has an active IdP session.

wgserver.saml.idpattribute.username

Specifies the name of the attribute in which your SAML IdP stores usernames. By default, this is set to username. If the attribute name that your IdP uses contains spaces, enclose it in quotation marks. For more information, see Configure Server-Wide SAML or Configure Site-Specific SAML.

wgserver.saml.iframed_idp.enabled

Default value: false

Default of false means that when users select the sign-in button on an embedded view, the IdP’s sign-in form opens in a pop-up window.

When you set it to true, and a server SAML user who is already signed in navigates to a web page with an embedded view, the user will not need to sign in to see the view.

You can set this to true only if the IdP supports signing in within an iframe. The iframe option is less secure than using a pop-up, so not all IdPs support it. If the IdP sign-in page implements clickjack protection, as most do, the sign-in page cannot display in an iframe, and the user cannot sign in.

If your IdP does support signing in via an iframe, you might need to enable it explicitly. However, even if you can use this option, it disables Tableau Server clickjack protection for SAML, so it still presents a security risk.

wgserver.saml.maxassertiontime

Default value: 3000

Specifies the maximum number of seconds, from creation, that a SAML assertion is usable.

wgserver.saml.min_allowed.elliptic_curve_size

Default value: 256

Version: Added in version 2021.1 but did not include a default value. In 2021.2, the default value was set to 256.

This option specifies the minimum allowed ECDSA curve size for the certificate used for SAML authentication. If you upload a certificate that has an ECDSA curve size less than 256, TSM will log an error when you apply changes.

If you are upgrading to Tableau Server 2021.2 or later and your SAML certificate uses an ECDSA curve size less than 256, Tableau Server will not start after upgrading. We recommend uploading a new certificate with 256 (or larger) ECDSA curve size before upgrading. Alternatively, you can run this command to set a lower ECDSA curve size on older versions (pre-2021.1) of Tableau Server before you upgrade. If you are running this command on a version prior to 2021.1, you must include the --force-keys option with the command. For more information about upgrading to 2021.2 with SAML configured, see the Knowledge Base article, Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2.

wgserver.saml.min_allowed.rsa_key_size

Default value: 2048

Version: Added in version 2021.1 but did not include a default value. In 2021.2, the default value was set to 2048.

This option specifies the minimum allowed RSA key length for the certificate used for SAML authentication. If you upload a certificate that has an RSA key length less than 2048, TSM will log an error when you apply changes.

To run SAML authentication with a 1024 RSA key length (not recommended), set this value to 1024.

If you are upgrading to Tableau Server 2021.2 or later and your SAML certificate uses a key length less than 2048, Tableau Server will not start after upgrading. We recommend uploading a new certificate with 2048 (or larger) key length before upgrading. Alternatively, you can run this command to set a lower key strength on older versions (pre-2021.1) of Tableau Server before you upgrade. If you are running this command on a version prior to 2021.1, you must include the --force-keys option with the command. For more information about upgrading to 2021.2 with SAML configured, see the Knowledge Base article, Tableau Server Using SAML Authentication Fails to Start or Rejects Login After Upgrade to Tableau Server 2021.2.

wgserver.saml.responseskew

Default value: 180

Sets the maximum number of seconds difference between Tableau Server time and the time of the assertion creation (based on the IdP server time) that still allows the message to be processed.

wgserver.saml.sha256

Default value: true

When set to true, Tableau Server will hash message signatures and digests with SHA-256 in SAML assertions to the IdP. Set this option to false only if your IdP rejects assertions containing SHA-256 hashed content.

wgserver.session.apply_lifetime_limit

Default value: false

Controls whether there is a session lifetime for server sessions. Set this to trueto configure a server session lifetime.

wgserver.session.idle_limit

Default value: 240

The number of minutes of idle time before a sign-in to the web application times out.

wgserver.session.lifetime_limit

Default value: 1440

The number of minutes a server session lasts if a session lifetime is set. The default is 1440 minutes (24 hours). If wgserver.session.apply_lifetime_limit is false (the default) this is ignored.

wgserver.unrestricted_ticket

Default value: false

Specifies whether to extend access to server resources for users authenticated by trusted tickets. Default behaviour allows users to access views only. Setting this to true allows users with valid trusted tickets to access server resources (projects, workbooks and so on) as if they had signed in using their credentials.

workerX.gateway.port

Default value: 80 (443 if SSL)

External port that Apache listens on for workerX (where a “worker” is the term used for subsequent server nodes in the cluster). worker0.gateway.port is Tableau Server’s external port. In a distributed environment, worker0 is the initial Tableau Server node.

workerX.vizqlserver.procs

Default value: <number>

Number of VizQL servers.

zookeeper.config.snapCount

Specifies the number of transactions necessary to cause the Coordination Service to create a snapshot of the logs. By default this value is 100,000 transactions. If your Coordination Service is not writing enough transactions to result in snapshots, the automatic cleanup of snapshots older than five days will not take place, and you may lose disk space to the transaction logs. By default transaction logs and snapshots are created in the Tableau data directory.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!