Synchronise External Directory Groups on the Server
As a server administrator, you can synchronise all external directory (such as Active Directory) groups (that have been configured on Tableau Server) on a regular schedule or on-demand on the General tab of the Settings page for the server.
Note: In the context of user and group synchronisation, Tableau Server configured with LDAP identity store is equivalent to Active Directory. Active Directory synchronisation features in Tableau Server function seamlessly with properly configured LDAP directory solutions.
Before you begin
Before synchronising groups as described in this topic, you must first import the external directory group into Tableau Server. See Create Groups via Active Directory.
Synchronise external directory groups on a schedule
Single-site: Click Settings> General.
Multisite: In the site menu, click Manage All Sites and then click Settings> General.
Scroll down the page to Active Directory Synchronisation, and then select Synchronise Active Directory groups on a regular schedule.
Select the frequency and time of synchronisation.
Note: Beginning in versions 2021.1.23, 2021.2.21, 2021.3.20, 2021.4.15, 2022.1.11, 2022.3.3 and 2023.1, a default time limit of 4 hours limits how long a scheduled group synchronisation can take before it is cancelled. A server administrator can change this time limit if your scheduled synchronisation is of very large groups, or taking longer than the default. For more information, see Synchronise All Active Directory Groups on a Schedule and backgrounder.timeout.sync_ad_group.
Synchronise all external directory groups on demand
At any time, you can synchronise external directory (such as Active Directory) groups with Tableau Server to ensure that new users and changes in the external directory are reflected in all external directory groups on Tableau Server.
Single-site: Click Settings> General.
Multisite: In the site menu, click Manage All Sites, and then click Settings> General.
Under Active Directory Synchronisation, click Synchronise All Groups.
View synchronisation activity
You can view the results of synchronisation jobs in the Background Tasks for Non Extracts administrative view. Queue Active Directory Groups Sync is the task that queues and indicates the number of Sync Active Directory Group tasks to be run.
Single-site: Click Status.
Multisite: In the site menu, click Manage All Sites and then click Status.
Click the Background Tasks for Non Extracts link.
Set the Task filter to include Queue Active Directory Groups Sync and Sync Active Directory Group.
You can quickly navigate to this administrative view by clicking the View synchronisation activity link in the Settings page for the server.
Set the minimum site role for users in an external directory group
In the Groups - Details page, you can set the minimum site role for group users to be applied during Active Directory synchronisation.
This setting does not run synchronisation; instead, it sets the minimum site role to applied to the group every time synchronisation runs. The result is that when you synchronise external directory groups, new users are added to the site with the minimum site role. If a user already exists, the minimum site role is applied if it gives the user more access in a site. If you don't set a minimum site role, new users are added as Unlicensed by default.
Note: A user's site role can be promoted but never demoted based on the minimum site role setting. If a user already has the ability to publish, that ability will always be maintained. For more information on minimum site role, see Site roles and Active Directory import and synchronisation.
In a site, click Groups.
On the Groups page, select a group.
Click Actions > Minimum Site Role.
Select the minimum site role, and then click Change Site Role.
What happens when users are removed in the source external directory?
Users cannot be automatically removed from the Tableau Server through an external directory sync operation. Users that are disabled, deleted or removed from groups in the external directory remain on Tableau Server so that administrators can audit and reassign the user's content before removing the user's account completely. For more information, see Sync behaviour when removing users from Active Directory.
External directory synchronisation is performed by the backgrounder process. The Backgrounder process is the same process that is used for managing and creating extracts, and is also used to generate subscription content. In large organisations with dynamic group membership and heavy extract usage, the external directory group synchronisation process may be disruptive. We recommend running group synchronisation during non-business hours.
By default, the Backgrounder process performs synchronisation in a serial operation. This means that each group is synchronised, one after the other, in a single Backgrounder process. If you are running multiple instances of Backgrounder processes either on a single Tableau Server or across a distributed deployment, consider enabling parallel processing for external directory synchronisation. When parallel Backgrounder processing is enabled, the group synchronisation is distributed across multiple Backgrounder processes for better performance.
To enable parallel backgrounder processing for group synchronisation, open TSM CLI and enter the following commands:
tsm configuration set -k backgrounder.enable_parallel_adsync -v true
tsm pending-changes apply