Identity Store
Tableau Server requires an identity store to manage user and group information. There are two kinds of identity stores: local and external. When you install Tableau Server you must configure either a local identity store or an external identity store.
For information about configuration options for the identity store, see identityStore Entity and External Identity Store Configuration Reference. For more information about adding more flexibility to the single identity store model, see Provision and Authenticate Users Using Identity Pools.
Local identity store
When you configure Tableau Server with a local identity store, all user and group information is stored and managed in the Tableau Server repository. In the local identity store scenario, there is no external source for users and groups.
External identity store
When you configure Tableau Server with an external store, all user and group information is stored and managed by an external directory service. Tableau Server must synchronize with the external identity store so that local copies of the users and groups exist in the Tableau Server repository, but the external identity store is the authoritative source for all user and group data.
If you have configured the Tableau Server identity store to communicate with an external LDAP directory, then all users (including the initial admin account) that you add to Tableau Server must have an account in the directory.
When Tableau Server is configured to use an external LDAP directory, you must first import user identities from the external directory into the Tableau Server repository as system users. When users sign in to Tableau Server, their credentials are passed to the external directory, which is responsible for authenticating the user; Tableau Server does not perform this authentication. However, the Tableau user names stored in the identity store are associated with rights and permissions for Tableau Server. Therefore, after authentication is verified, Tableau Server manages user access (authorization) for Tableau resources.
Active Directory is an example of an external user store. Tableau Server is optimized to interface with Active Directory. For example, when you install Tableau Server on an Active Directory domain-joined computer using the Configure Initial Node Settings, Setup will detect and configure most Active Directory settings. If, on the other hand, you are using TSM CLI to install Tableau Server, you must specify all the Active Directory settings. In this case, be sure to use the LDAP - Active Directory template to configure identity store.
If you are installing into Active Directory, we recommend that you review User Management in Deployments with External Identity Stores before you deploy.
For all other external stores, Tableau Server supports LDAP as a generic way to communicate the identity store. For example, OpenLDAP is one of several LDAP server implementations with a flexible schema. Tableau Server can be configured to query the OpenLDAP server. To do so, the directory administrator must provide information about the schema. During setup, you must use Configure Initial Node Settings to configure a connection to other LDAP directories.
LDAP bind
Clients that wish to query a user store using LDAP must authenticate and establish a session. This is done by binding. There are multiple ways to bind. Simple binding is authenticating with a username and password. For organizations that connect to Tableau Server with simple bind, we recommend configuring an SSL encrypted connection, otherwise the credentials are sent over the wire in plaintext. Another type of binding Tableau Server supports is GSSAPI binding. GSSAPI uses Kerberos to authenticate. In Tableau Server’s case, Tableau Server is the client and the external user store is the LDAP server.
LDAP with GSSAPI (Kerberos) bind
We recommend binding to LDAP directory with GSSAPI using a keytab file to authenticate to the LDAP server. You will need a keytab file specifically for the Tableau Server service. We also recommend encrypting the channel with the LDAP server using SSL/TLS. See see Configure Encrypted Channel to LDAP External Identity Store.
If you are installing into Active Directory, and the computer where you are installing Tableau Server is already joined to the domain, then the computer may already have a configuration file and a keytab file. In this case, the Kerberos files are for the operating system functionality and authentication. Strictly speaking, you can use these files for GSSAPI bind, but we don't recommend using them. Instead, contact your Active Directory administrator and request a keytab specifically for the Tableau Server service. See Understanding Keytab Requirements.
Assuming your operating system has a properly configured keytab for authentication to the domain, then the Kerberos keyfile for GSSAPI bind is all you need for the base installation of Tableau Server. If you plan to use Kerberos authentication for users, then configure Kerberos for user authentication and Kerberos delegation to data sources after installation is complete.
LDAP over SSL
By default, LDAP with simple bind to arbitrary LDAP servers is not encrypted. User credentials that are used to establish the bind session with the LDAP server are communicated in plaintext between Tableau Server and the LDAP server. We strongly recommend that you encrypt the channel between Tableau Server and the LDAP server.
Beginning with version 2021.2, Tableau Server on Linux requires an encrypted LDAP channel when you use Active Directory as an identity store. You must install a valid SSL/TSL certificate before installing or upgrading to 2021.2 or newer. Although not recommended, you can also disable the default encrypted LDAP channel. For more information about enabling or disabling encryption for Active Directory and other LDAP servers, see Configure Encrypted Channel to LDAP External Identity Store.
System user and groups
Tableau Server on Linux uses one user, and two groups for proper operation. The user and groups can be local or from an LDAP directory service.
User
Tableau Server requires a service account. This account is an unpriviledged user with normal login privileges. By default, Tableau Server installation will created a local user, tableau, for the service account.
If you want to use an existing user account for the Tableau Server service account then you must disable account creation during installation.
Specifically, you will need to set the --disable-account-creation option when you run the initialize-tsm script. You will also need to specify the account name with the --unprivileged-user option. If the account that you specify does not exist, then the initialize-tsm script will create it. See Help Output for initialize-tsm Script for more details.
If you want to specify an existing account with the --unprivileged-user option, verify that the user account is an unprivileged user with normal login privileges. Configure the account with the following characteristics:
-
Shell set to
/bin/bash. -
For convenience, consider setting the home directory to the data directory path. The account must have ownership and write privileges to the home directory.
If you specify a different unprivileged account during setup, you must manually add that same user to the systemd-journal group. The unprivileged user must be a member of the systemd-journal group so that Tableau Server can collect logs from some services (such as Ask Data) when running the tsm maintenance ziplogs command. If the unprivileged user is not a member of the group, ziplogs will not contain logs from the affected services
Groups
Tableau Server requires two groups for operation.
In a default installation, the local tableau service account belongs to a primary group named tableau. However, if you specify an alternate unprivileged user during installation, then the primary group for that alternate account will be used. As a convenience, any account can be added to this group to be able to read the Tableau Server log files (without becoming root).
The second group is used to authorize which users are authorized to authenticate to Tableau Services Manager (TSM). Any user in this group will be able to send commands to TSM, so it should be restricted to Tableau Server administrators. By default, this group is named tsmadmin.
If you are not going to use the default name, you will need to specify the group name with the --tsm-authorized-group option when you run initialize-tsm. See Help Output for initialize-tsm Script for more details.
Authenticating clients
Basic user authentication in Tableau Server is by username and password sign-in for both local and external user stores. In the local case, user passwords are stored as a hashed password in the repository. In the external case, Tableau Server passes the credentials to the external user store and awaits a response as to whether the credentials are valid. External user stores can also handle other kinds of authentication like Kerberos, but the concept is still the same, Tableau Server delegates the credentials or user to the external store and awaits a response.
You can configure Tableau Server such that username-password sign-in is disabled. In these scenarios other authentication methods, such as trusted authentication, OpenID, or SAML can be used. See Authentication.
In some cases, you may need to update LDAP external directories to allow bind operations with username + DN format from Tableau Server. See User binding behavior on sign in.