Changing the Identity Store
Infrastructure or business changes may require you to change the identity store on Tableau Server. There are two kinds of identity stores: local and external. When you installed Tableau Server you configured either a local identity store or an external identity store.
When you configure Tableau Server with a local identity store, all user and group information is stored and managed in the Tableau Server repository. In the local identity store scenario, there is no external source for users and groups.
When you configure Tableau Server with an external store, all user and group information is stored and managed by an external directory service. Tableau Server must synchronise with the external identity store so that local copies of the users and groups exist in the Tableau Server repository, but the external identity store is the authoritative source for all user and group data. Examples of external identity stores are OpenLDAP and Active Directory.
For more information about the Tableau identity store, see Identity Store.
You can change from local store to an external store, or you can change from an external store to a local store. In either case, to change the identity store type, you complete these steps:
- Uninstall and then reinstall Tableau Server. The procedures for full uninstall and clean install are at the end of this topic.
- Restore content and permissions.
In these steps, the term "restore" does not refer to using the tsm maintenance restore command to restore the backup you are making. You cannot restore a backup (.tsbak) created on a Tableau Server instance that uses a different identity store than the target Tableau Server. The backup is a best practice safeguard, in case you need to go back to your original Tableau Server configuration.
Warning
Changing the installation type on Tableau Server can be a complicated and time-consuming process. To avoid data loss or orphaning of content or users, you'll need to plan this process carefully. In all cases, user filters applied to workbooks and data sources will need to be updated manually after the change.
Most importantly, determine how you will transition content and permissions to the new identity store after you reinstall Tableau Server.
Methods for restoring content and permissions
The following list describes two methods for restoring content and permissions after you reinstall Tableau Server. Select the method that best fits with your environmental requirements.
Method 1: Use site export and import – In this method, you start by exporting each site in your existing deployment. Then, you install the new server and configure it for the new identity store type. Next, you create new users in the default site on the new server. Finally, you import all the original sites. During the import stage, you can map the original identities to the new users that you created in the default site.
Note: When migrating sites between instances of Tableau Server, the target site must be on a version of Tableau Server that is equal to or later than the version of Tableau Server for the source site. Both the source and target sites must be from supported versions of Tableau Server.
Because this method exports all content and permissions at each site, it is the best method for organisations that require a high fidelity replica of the content and permissions after the identity store change is complete. Some organisations require an identity store change as the result of an authentication change. In these cases, a different user name syntax is often a requirement in the new model. This method, which includes a process of mapping original user names to new names, provides flexibility for such scenarios.
Method 2: Fresh installation; users republish content – In this method, you install a new version of Tableau Server and select the new identity store type during setup. You also create new sites. You then create users and give them access, and they republish their workbooks and data sources. Unlike the other method, in this one, you do not reuse any of your existing Tableau Server infrastructure.
This method is most appropriate for smaller deployments with fairly autonomous and data savvy users. From an administrative perspective, this method is the simplest, since you're not actively porting over content. However, because you rely entirely on users to republish content, this method may not be successful for large organisations or for those where centralised oversight of content is required.
User filters
User filters are domain-specific. Therefore, when the domain of Tableau Server changes or authentication type changes, filters no longer function as expected. Although the user filters are generated by Tableau Server, after they are set by the user, the filters are stored in the workbooks and data sources. Neither of these methods for changing the identity store modifies the contents of the workbooks or data sources.
As you plan the identity store change, you must also include a final task to correct user filtering in all workbooks and data sources with Tableau Desktop.
User names and the Tableau Identity store
If you are using Method 1, it's helpful to understand how Tableau Server stores user names in the Tableau identity store. Tableau stores all user identities in the repository, which coordinates content permissions and site membership with various services in Tableau Server. Generally, an identity store configured for Active Directory stores user names in the format domain\username. Some organisations use a UPN (jsmith@domain.lan).
On the other hand, organisations that configure Tableau Server with local identity store usually create standard, truncated user names, such as jsmith.
In all cases, these user names are literal strings that must be unique in the Tableau identity store. If you are changing from one identity store type to another, then your target authentication, SSO, or user provisioning solution may require a specific user name format.
Therefore, to maintain all permissions, content, and user viability, one of the following must be true after you change the identity store type:
- The new user names must match the original user names, or
- The original user names must be updated to match a new format.
If an authentication change is driving the identity store change, then the target authentication scheme will likely impose a user name syntax that is different than your original user names. Method 1 includes a process where you can map original user names to new user names.
It's possible that the original user name format will work with the new authentication type. For example, if you used UPN names in a local identity store deployment, you might be able to use the same user names in an Active Directory deployment. You could also use the domain\username format for local identity store, as long as users continue to use that format to sign in to Tableau Server.
If you are changing from local identity store to an external Active Directory store, review the topic, User Management in Deployments with External Identity Stores, as part of your planning process.
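Because user names are literal strings that must stay unique, it helps to plan the old-to-new mapping before the import and flag any two original names that would become the same identity. The following is an added example, not Tableau code or the file format the site import uses; the function names, the sample users and the case-insensitive comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of original user names (not from a real deployment).
SAMPLE_USERS = [
    r"CORP\jsmith",      # domain\username form
    r"EMEA\jsmith",      # same account name in a second domain
    "adoe@domain.lan",   # UPN form
    r"CORP\ADoe",        # same account name, different form and case
    "bwong",             # bare name, as in a local identity store
]


def split_user_name(name):
    """Return (domain, account); domain is None for a bare name."""
    name = name.strip()
    if "\\" in name:
        domain, account = name.split("\\", 1)
    elif "@" in name:
        account, domain = name.rsplit("@", 1)
    else:
        domain, account = None, name
    if not account:
        raise ValueError(f"no account part in {name!r}")
    return domain, account


def plan_mapping(original_names, upn_suffix=None):
    """Plan old -> new names; return (mapping, collisions).

    With upn_suffix=None the target is a bare name (jsmith); otherwise the
    target is account@upn_suffix. Names are compared case-insensitively,
    a conservative assumption made for this example.
    """
    by_target = defaultdict(list)
    for old in original_names:
        _, account = split_user_name(old)
        new = account if upn_suffix is None else f"{account}@{upn_suffix}"
        by_target[new.casefold()].append((old, new))

    mapping, collisions = {}, {}
    for key, pairs in by_target.items():
        if len(pairs) == 1:
            old, new = pairs[0]
            mapping[old] = new
        else:
            # Two originals would become one identity: resolve by hand.
            collisions[key] = sorted(old for old, _ in pairs)
    return mapping, collisions
```

Any entry in the collisions result needs a manual decision before import, since mapping two original users to one new user would combine their content ownership and permissions.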
Method 1: Use site export and import
You must use the same version of Tableau Server for the export and import operations.
1. Export all sites on your server. See Export or Import a Site.
2. Back up, remove, and then reinstall.
3. Create new users on Tableau Server. You should have a new user that corresponds to each user on the original server.
4. Import the sites that you exported in Step 1. See Export or Import a Site. During import, you will be prompted to map the new users to the original users.
Method 2: Fresh installation—users republish content
Even if you do not plan to port content as part of your identity store change, we recommend that you back up the server.
- Back up, remove, and then reinstall.
- Create users, sites, and groups.
- Inform your users of the new Tableau Server, provide them with credentials, and allow them to republish their content.
Back up, remove, and then reinstall
Both methods include the following steps:
- Back up Tableau Server.
- Remove Tableau Server.
- Reinstall Tableau Server with the new identity store type.
Step 1: Back up Tableau Server
As a best practice, you should back up the server before proceeding.
Follow the procedure, Create a backup using the TSM command line interface (CLI). Run the backup command with the -d option. The -d option adds the datestamp.
When you are finished, copy the backup file (.tsbak) to a safe location that is not a part of your Tableau Server installation.
Step 2: Remove Tableau Server
You must completely remove Tableau Server from the computer. See Remove Tableau Server from Your Computer.
Step 3: Reinstall Tableau Server with new authentication type
- Go to the Tableau Customer Portal, sign in with your Tableau user name and password, and then download Tableau Server.
- Install Tableau Server. See Install and Configure Tableau Server for more information. During installation, you will select the new identity store type. See Configure Initial Node Settings.