Create a Local Group
Local groups are created using the Tableau Server internal user management system. After you create a group you can add and remove users, as well as set a minimum site role to grant to users in the group when they sign in.
-
In a site, click Groups, and then click Local Group.
-
Type a name for the group.
-
To set a minimum site role for the group, select Grant site role on sign in and select a minimum site role from the drop-down list.
-
Click Create.
Dynamic group membership using assertions
Beginning in Tableau Server 2024.2, if you have SAML authentication configured or use Tableau connected apps for embedding workflows, you can dynamically control group membership through assertions. When configured, at runtime during user authentication, Tableau receives the assertion and then evaluates membership in groups and thus the content whose permissions are dependent on those groups.
The process to dynamically control group membership through assertions requires 1) enabling the setting and 2) ensuring the group membership claims are included in the assertions.
Step 1: Turn on the setting
This capability has two settings, a server-wide setting and site-level setting. The site-level setting can only be turned on if the server-wide setting has been enabled first. Consider turning on the site-level setting if you have site SAML or connected apps configured.
For security purposes, group membership is only validated in an authentication workflow if the setting is turned on.
-
Sign in to Tableau Server and navigate to the Settings page.
Note: For a multi-site server, navigate to the Settings page for all sites.
-
Under Assertions for Group Membership heading, select the Allow group assertions to enable group membership through SAML or JWT assertions check box.
-
(Optional) If you have site SAML or connected apps configured at the site level, navigate to the site, go to the Settings page, and then under Assertions for Group Membership heading, select the Allow group assertions to enable group membership through SAML or JWT assertions check box.
For more information about the settings, see one of the following topics:
- Server-wide - Server Settings (General and Customization)
- Site-level - Site Settings Reference
Step 2: Ensure group membership claims are included in the assertion
Two custom group membership claims must be included in the respective SAML, OIDC, or JWT assertion to specify group membership. The two custom group membership claims are:
-
Group:
https://tableau.com/groups -
Group names: These names should match local group names in Tableau Server exactly.
For example assertions, refer to one of the following sections:
- Dynamic group membership using SAML assertions:
- Connected apps - direct trust: Dynamic group membership (embedding workflows only)
- Connected apps - OAuth 2.0 trust: Dynamic group membership (embedding workflows only)