Impersonate with a Run As Service Account

Impersonating via a Run As service account is the recommended way to perform impersonation. The Run As service account is an Active Directory user account the Tableau Server service can run under on the machine hosting Tableau Server. This same account must have IMPERSONATE permission for the database user accounts in SQL Server. From a data security standpoint, using the Tableau Server Run As service account for impersonation gives the administrator the most control.

To set up impersonation with a Run As User account:

  1. Enable Kerberos Service Account Access.

  2. Create a workbook in Tableau Desktop. When you create the data connection, select Use Windows NT Integrated security for the workbook's live connection to a SQL Server database:

  3. In Tableau Desktop, publish the workbook to Tableau Server (Server > Publish Workbook).

  4. In the Publish dialog box, click Authentication, then in the Authentication dialog box, select Impersonate via server Run As account from the drop-down list:

  5. Click OK.

  6. Test the connection by signing into Tableau Server as a user. When you click a view, you should not be prompted for database credentials and you should only see the data the user is authorized to see.