If the server is configured to use a local identity store, then Tableau Server authenticates users. When users sign in and enter their credentials through Tableau Desktop, tabcmd, the API or the web client, Tableau Server verifies the credentials. Tableau user names stored in the identity store are associated with rights and permissions for Tableau Server. After authentication is verified, Tableau Server manages user access (authorisation) for Tableau resources.
To use local authentication, you must configure Tableau Server with a local identity store during Setup. You cannot use local authentication if your Tableau Server has been configured with an external identity store (LDAP, Active Directory, etc).
Note: Identity pools, a tool designed to complement and support additional user provisioning and authentication options you might need in your organisation, support OpenID Connect (OIDC) authentication only. For more information, see Provision and Authenticate Users Using Identity Pools.
When local authentication is used, the user’s salted and hashed password is stored in the repository. Passwords are never stored directly; rather, the result of salting and hashing the password is stored. Tableau Server uses the PBKDF2 derivation function with the HMAC SHA512 hashing function.
After you install Tableau Server with local authentication, you can use Tableau Server Manager (TSM) to configure a number of password-related settings:
Password policies: these policies define the requirement for password structure, such as length, character types and other requirements.
Password expiration: enable and specify password expiry.
Login rate limit: Tableau Server throttles the time between sign-in attempts after users enter 5 incorrect passwords. Users will need to wait a few seconds before attempting another sign-in. If users continue to enter incorrect passwords, then they must wait for exponentially longer periods of time in between sign-in attempts. By default, the maximum time between sign-in attempts is 60 minutes.
Lock out account access after too many failed attempts. You can specify how many failed attempts users are allowed to enter before they are locked out. For information on how to unlock access to a locked account, see View and manage users on a site.
User password reset: Enable users to reset passwords. Enabling password reset will configure Tableau Server to display a link on the sign-in page. Users who forget passwords or want to reset a password can click the link to initiate a reset-password workflow. Password reset must be configured using TSM CLI, as described below.
Open TSM in a browser: https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
Click on User Identity & Access on the Configuration tab and then click Authentication Method.
Select Local authentication from the drop-down menu to display the password settings.
Configure the password settings and then click Save Pending Changes.
Click Pending Changes at the top of the page.
Click Apply Changes and Restart.
For the initial configuration of password policies, we recommend that you use the configuration file template below to create a JSON file. You can also set any single configuration key listed below with the syntax described in tsm configuration set.
Copy the following JSON template to a file. Fill in the key values with your password policy configuration. See the reference section that follows for more information about key options.
{
  "configKeys": {
    "wgserver.localauth.policies.mustcontainletters.enabled": false,
    "wgserver.localauth.policies.mustcontainuppercase.enabled": false,
    "wgserver.localauth.policies.mustcontainnumbers.enabled": false,
    "wgserver.localauth.policies.mustcontainsymbols.enabled": false,
    "wgserver.localauth.policies.minimumpasswordlength.enabled": false,
    "wgserver.localauth.policies.minimumpasswordlength.value": 8,
    "wgserver.localauth.policies.maximumpasswordlength.enabled": false,
    "wgserver.localauth.policies.maximumpasswordlength.value": 255,
    "wgserver.localauth.passwordexpiration.enabled": false,
    "wgserver.localauth.passwordexpiration.days": 90,
    "wgserver.localauth.ratelimiting.maxbackoff.minutes": 60,
    "wgserver.localauth.ratelimiting.maxattempts.enabled": false,
    "wgserver.localauth.ratelimiting.maxattempts.value": 5,
    "vizportal.password_reset": false
  }
}
Run tsm settings import -f file.json to pass the JSON file with the appropriate values to Tableau Services Manager to configure Tableau Server.
Run the tsm pending-changes apply command to apply the changes. See tsm pending-changes apply.
Configuration file reference
This section lists all of the options that can be used to configure password policies.
wgserver.localauth.policies.mustcontainletters.enabled
Default value: false
Require at least one letter in passwords.
wgserver.localauth.policies.mustcontainuppercase.enabled
Default value: false
Require at least one upper-case letter in passwords.
wgserver.localauth.policies.mustcontainnumbers.enabled
Default value: false
Require at least one number in passwords.
wgserver.localauth.policies.mustcontainsymbols.enabled
Default value: false
Require at least one special character in passwords.
wgserver.localauth.policies.minimumpasswordlength.enabled
Default value: false
Enforce minimum-length passwords.
wgserver.localauth.policies.minimumpasswordlength.value
Default value: 8
The minimum number of characters passwords must have. Enter a value between 4 and 255, inclusive. You must set wgserver.localauth.policies.minimumpasswordlength.enabled to true to enforce this value.
wgserver.localauth.policies.maximumpasswordlength.enabled
Default value: false
Enforce maximum-length passwords.
wgserver.localauth.policies.maximumpasswordlength.value
Default value: 255
The maximum number of characters passwords may have. Enter a value between 8 and 225, inclusive. You must set wgserver.localauth.policies.maximumpasswordlength.enabled to true to enforce this value.
wgserver.localauth.passwordexpiration.enabled
Default value: false
Enforce password expiry.
wgserver.localauth.passwordexpiration.days
Default value: 90
The number of days before a password expires. Enter a value between 1 and 365, inclusive. You must set wgserver.localauth.passwordexpiration.enabled to true to enforce this value.
wgserver.localauth.ratelimiting.maxbackoff.minutes
Default value: 60
Maximum time between sign-in attempts after a user enters multiple incorrect passwords. Enter a value between 5 and 1440, inclusive.
wgserver.localauth.ratelimiting.maxattempts.enabled
Default value: false
Enforce account lock out after 5 incorrect passwords are entered. To change the number of incorrect passwords that will trigger account lock out, set wgserver.localauth.ratelimiting.maxattempts.value.
wgserver.localauth.ratelimiting.maxattempts.value
Default value: 5
The number of incorrect passwords that a user may enter to trigger account lock out. Enter a value between 5 and 100, inclusive. You must set wgserver.localauth.ratelimiting.maxattempts.enabled to true to enforce this value.
vizportal.password_reset
Default value: false
Enable users to reset passwords. Tableau Server must be configured to send email for this feature to operate. See Configure SMTP Setup.
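A pre-import check for the JSON file, added here as an example and not part of Tableau's own tooling: it applies the ranges printed in this reference and reports values that are out of range, wrongly typed, or set while their .enabled key is not true. The names lint_policy, RANGES, BOOL_KEYS and SAMPLE are hypothetical, and SAMPLE is constructed input.

```python
import json

P = "wgserver.localauth."
# (value key, enabling key or None, min, max): ranges as printed in the reference.
RANGES = [
    (P + "policies.minimumpasswordlength.value", P + "policies.minimumpasswordlength.enabled", 4, 255),
    (P + "policies.maximumpasswordlength.value", P + "policies.maximumpasswordlength.enabled", 8, 225),
    (P + "passwordexpiration.days", P + "passwordexpiration.enabled", 1, 365),
    (P + "ratelimiting.maxbackoff.minutes", None, 5, 1440),
    (P + "ratelimiting.maxattempts.value", P + "ratelimiting.maxattempts.enabled", 5, 100),
]
BOOL_KEYS = {gate for _, gate, _, _ in RANGES if gate} | {
    P + "policies.mustcontain%s.enabled" % kind
    for kind in ("letters", "uppercase", "numbers", "symbols")
} | {"vizportal.password_reset"}
# Constructed sample: lockout threshold below range, expiry set but not enabled.
SAMPLE = json.dumps({"configKeys": {
    P + "ratelimiting.maxattempts.enabled": True,
    P + "ratelimiting.maxattempts.value": 3,
    P + "passwordexpiration.days": 60,
}})


def lint_policy(text):
    """Return findings (strings) for a settings-import JSON document."""
    doc = json.loads(text)
    keys = doc.get("configKeys") if isinstance(doc, dict) else None
    if not isinstance(keys, dict):
        return ["top-level object 'configKeys' is missing"]
    known = BOOL_KEYS | {row[0] for row in RANGES}
    findings = ["%s: not a key listed in the reference" % k for k in sorted(set(keys) - known)]
    for key in sorted(BOOL_KEYS & set(keys)):
        if not isinstance(keys[key], bool):
            findings.append("%s: must be JSON true or false" % key)
    enforced = {}
    for value_key, gate, low, high in (row for row in RANGES if row[0] in keys):
        value = keys[value_key]
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append("%s: must be an integer" % value_key)
        elif gate is not None and keys.get(gate) is not True:
            findings.append("%s: set but not enforced, %s is not true" % (value_key, gate))
        elif not low <= value <= high:
            findings.append("%s: %d is outside %d..%d" % (value_key, value, low, high))
        else:
            enforced[value_key] = value
    shortest, longest = enforced.get(RANGES[0][0]), enforced.get(RANGES[1][0])
    if None not in (shortest, longest) and shortest > longest:
        findings.append("minimum password length exceeds maximum password length")
    return findings
```

Run lint_policy over the file's contents before tsm settings import. The template as given on this page, with every .enabled key false, yields four "set but not enforced" findings, which is a reminder that the defaults enforce no length, expiry or lockout policy.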