User Management in Deployments with External Identity Stores
This topic describes important technical details that you should be familiar with if you use an external identity store to manage users for Tableau Server. Tableau Server supports connecting to an external directory using LDAP. In this scenario, Tableau Server imports users from the external LDAP directory into the Tableau Server repository as system users.
Arbitrary LDAP directories
The system username in Tableau is whatever attribute you set as part of LDAP configuration, for example "cn". This is true for both individual user import and group sync functionality. See External Identity Store Configuration Reference.
User binding behaviour on sign-in
You may need to update your LDAP configuration to allow binding with usernames appended with the DN. Specifically, you will need to update your LDAP configuration when Tableau Server is configured with an arbitrary LDAP directory. (e.g. OpenLDAP that uses UPN or email addresses as usernames.)
Tableau Server will search for a given user based on the username that is supplied during sign-in. Tableau Server will then attempt to bind with the username appended with the DN. In the case where Tableau Server has been configured with GSSAPI, then the username@REALM (domain name) will be used.
Active Directory
This content in rest of this topic assumes that you are familiar with Active Directory user management and basic Active Directory schema and domain concepts.
Note: In the context of user and group synchronisation, Tableau Server configured with LDAP identity store is equivalent to Active Directory. Active Directory synchronisation features in Tableau Server function seamlessly with properly configured LDAP directory solutions.
Active Directory user authentication and Tableau Server
Tableau Server stores all user names in the Tableau Server identity store, which is managed by the repository. If Tableau Server is configured to use Active Directory for authentication, you must first import user identities from Active Directory to the identity store. When users sign in to Tableau Server, their credentials are passed to Active Directory, which is responsible for authenticating the user; Tableau Server does not perform this authentication. (By default, NTLM is used for authentication, but you can enable Kerberos or SAML for single sign-on functionality – however, in all these cases, authentication is left to Active Directory.) However, the Tableau user names stored in the identity store are associated with rights and permissions for Tableau Server. Therefore, after authentication is verified, Tableau Server manages user access (authorisation) for Tableau resources.
Active Directory user name attributes and Tableau Server
Active Directory uniquely identifies user objects using several attributes. (For details, see User Naming Attributes(Link opens in a new window) on the MSDN website.) Tableau Server relies on two Active Directory user naming attributes:
sAMAccountName
. This attribute specifies the logon name that was originally designed for use with older versions of Windows. In many organisations, this name is combined with the NetBIOS name for authentication, using a format likeexample\jsmith
, whereexample
is the NetBIOS name andjsmith
is thesAMAccountName
value. Due to the original design in Windows, thesAMAccountName
value must be less than 20 characters.In the Windows Active Directory Users and Computers administrative console, this value is in the field labeled User logon name (pre-Windows 2000) on the Account tab of the user object.
userPrincipalName
(UPN). This attribute specifies a user name in the formatjsmith@example.com
, wherejsmith
is the UPN prefix and@example.com
is the UPN suffix.In the Windows Active Directory Users and Computers administrative console, the UPN is a concatenation of two fields on the Account tab of the user object: the User logon name field, and the domain drop-down list next to it.
Adding users from Active Directory
You can add users individually from Active Directory, either by typing them in the server environment or by creating a CSV file and importing the users. You can also add Active Directory users by creating a group via Active Directory and importing all of the group's users. The result can be different depending on which approach you're using.
Importing UPN prefix as username
You cannot import the whole UPN as a username.
In most cases, the username that Tableau Server will import into the identity store will be the sAMAccountName value. For more information about exceptions to this behaviour, see the Importing UPN Prefix as Username in Non-Standard Scenarios with Active Directory(Link opens in a new window) in the Tableau knowledge base.
Adding user groups
If you import an Active Directory user group, Tableau will import all users from the group using the sAMAccountName
.
Sync behaviour when removing users from Active Directory
Users cannot be automatically removed from Tableau Server through an Active Directory sync operation. Users that are disabled, deleted or removed from groups in Active Directory remain on Tableau Server so that you can audit and reassign the user's content before removing the user's account completely.
However, Tableau Server will act upon user objects differently based how the status of that user object changes in Active Directory. There are two scenarios: deleting/disabling users in Active Directory or removing users from synchronised groups in Active Directory.
When you delete or disable a user in Active Directory and then synchronise that user's group on Tableau Server, the following occurs:
- The user is removed from the Tableau Server group you synchronised.
- The user's role is set to ‘unlicensed’.
- The user will still belong to the All Users group.
- The user is unable to sign in to Tableau Server.
When you remove a user from a group in Active Directory and then synchronise that group on Tableau Server, the following occurs:
- The user is removed from the Tableau Server group you synchronised.
- The users role is retained: it is not set to ‘unlicensed’.
- The user will still belong to the All Users group.
- The user will still have permission to the Tableau Server with access to everything that the All Users group is granted permission to use.
In both instances, to remove a user from Tableau Server, the server administrator must delete the user from the Server Users page in Tableau Server.
Domain nicknames
In Tableau Server, domain nickname is equivalent to the Windows NetBIOS domain name. In a Windows Active Directory forest, a fully qualified domain name (FQDN) can have an arbitrary NetBIOS name. The NetBIOS name is used as the domain identifier when a user logs in to Active Directory.
For example, the FQDN west.na.corp.lan
might be configured with a NetBIOS name (nickname) of SEATTLE
. The user jsmith
in that domain could log on to Windows using either of the following user names:
west.na.corp.example.com\jsmith
SEATTLE\jsmith
If you want your users to sign in to Tableau Server with a NetBIOS name instead of the FQDN, then you'll need to verify that the nickname value for each domain where users log in is set. See editdomain for information on how to view and set the nickname value for each domain.
Support for multiple domains
You can add users and groups from a domain that's different from the domain of the Tableau Server computer in these cases:
Two-way trust has been established between the server’s domain and the users’ domain.
The server's domain trusts the users’ domain (one-way trust). See Domain Trust Requirements for Active Directory Deployments.
The first time you add a user or group from the non-server domain, you must specify the fully qualified domain name with the user/group name. Any additional users or groups you add from that domain can be added using the domain’s nickname, provided that the nickname matches the NetBIOS name. If Tableau Server connects to multiple domains, you must also specify the other domains that Tableau Server connects to by setting the wgserver.domain.whitelist
(version 2020.3 and earlier) or wgserver.domain.accept_list
(version 2020.4 and later) option with TSM. For more information, see wgserver.domain.allowlist or wgserver.domain.accept_list.
Duplicate display names
If user display names are not unique across multiple domains, then managing users with the same display name in Tableau can be confusing. Tableau Server will display the same name for two users. For example, consider an organisation with two domains, example.lan and example2.lan. If user John Smith exists in both domains, then adding that user to groups and other administrative tasks will be confusing in Tableau Server. In this scenario, consider updating the display name in Active Directory for one of the users to differentiate the accounts.
Sign in to Tableau Server with NetBIOS name
Users can sign in to Tableau Server using the domain nickname (NetBIOS name), for example, SEATTLE\jsmith
.
Tableau Server cannot query for NetBIOS name for a given FQDN. As a result, Tableau sets the nickname of a given FQDN according to the first entry in the namespace. For example, given the FQDN west.na.corp.lan
, Tableau sets the nickname to west
.
Therefore, you might need to update the domain nickname on Tableau Server before users can sign in using the nickname. If you do not update the nickname, users will have to sign in using a fully qualified domain name. For more information, see Users From New Domain Unable to Log In and Do Not Appear in User List (Link opens in a new window)in the Tableau Knowledge Base.