Run As Service Account
The Run As service account is a Windows account that Tableau Server uses ("runs as") when it accesses resources. For example, Tableau Server reads and writes files on the computer where Tableau Server is installed. From the perspective of Windows, Tableau Server is doing this as the Run As service account. In some cases, Tableau Server may use the Run As service account to access data from external sources, such as databases or files on a shared network directory.
As you plan your Tableau Server deployment, you need to determine if the default Run As service account, configured to run under the context of the local Network Service account (NT Authority\Network Service), will suffice for your needs. If it does not, then you will need to update the Run As service account to run under a domain account that has access to the resources in your Active Directory domain(s).
Note: Starting in Tableau Server version 2023.3.x, if the Run As service account is configured to use a domain account, administrators must also configure a server allowlist for file access using the tsm configuration set command. The allowlist limits file-based data source access to specified local or shared directory paths. For more information and steps to configure a server allowlist, see Security Hardening Checklist.
In either case, it’s important to understand the security implications of the account that Tableau Server uses for the Run As service account. Specifically, if Tableau Server needs to access other servers, file shares, or databases that use Windows authentication, then the account that is configured as the Run As service account will be used to access those resources. The account that is configured as the Run As service account must also have elevated permissions to the local Tableau Server. A general best security practice is to limit the scope of all user accounts to the minimum required permissions. We make the same recommendation to you as you plan the Run As service account. For more information, see Data Access with the Run As Service Account.
The account you use for the Run As service account should not be a member of the Local Administrators or Domain Administrators groups. Instead, we recommend using a domain user account that is not an administrator for the Run As service account. Using a domain account that is not a member of these administrator groups is a good security practice and can help avoid access to certain data sources and folders. For information on best practices when creating a Run As service account, see Creating the Run As service account.
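One way to check a candidate account against this recommendation before assigning it, including membership that arrives through nested domain groups. This is an added example, not Tableau code; the account name EXAMPLE\svc-tableau and the function name are placeholders, and the script assumes it runs on the domain-joined Tableau Server computer. "Domain Administrators" is checked as the Domain Admins group (well-known relative ID 512).

```powershell
# Added example (not part of Tableau Server). Run on the Tableau Server computer.
# 'EXAMPLE\svc-tableau' is a placeholder account name (assumption).
param([string]$Account = 'EXAMPLE\svc-tableau')

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-RunAsAdminFindings {
    param([Parameter(Mandatory)][string]$Account)

    $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
                [System.DirectoryServices.AccountManagement.ContextType]::Domain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Account)
    if (-not $user) { throw "Account '$Account' was not found in the domain." }

    # SIDs the account carries: its own plus every domain security group,
    # nested groups included.
    $sids = @($user.Sid.Value) +
            @($user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value })

    $findings = @()

    # Domain Admins has relative ID 512 in every domain.
    if ($sids -match '^S-1-5-21-\d+-\d+-\d+-512$') {
        $findings += 'Member of Domain Admins'
    }

    # Local Administrators is the well-known SID S-1-5-32-544; using the SID
    # avoids depending on the localized group name.
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        if ($sids -contains $member.SID.Value) {
            $findings += "In local Administrators via $($member.Name)"
        }
    }
    $findings
}

$result = Get-RunAsAdminFindings -Account $Account
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "$Account is not in Local Administrators or Domain Admins."
```

In a distributed deployment, run the check on every node, because local Administrators membership is per computer.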
You can set the Run As service account during Tableau Server installation, or you can update the Run As service account using the TSM Web UI. Tableau Services Manager sets permissions for the Run As service account, but if you are unsure whether the account you want to use for the Run As service account satisfies the requirements, or if you have changed the Run As service account and are getting permission errors, see Required Run As Service Account Settings.
Default Run As service account: Network Service
The Network Service account is a predefined local account with limited permissions that exists on all Windows computers. While it has limited administrative access to the local computer on which it runs, it does have more access to resources than members of the Active Directory default Users group. For example, the Network Service account can write to the registry and the event log, and has special rights to log on for application services.
By default, the Run As service account is set to a local account called Network Service. Use the default Network Service account when:
- You are using local authentication for Tableau Server.
- All users in your organization include extracted data in the workbooks that they are uploading to Tableau Server.
- You are running Tableau Server in a single-server deployment.
- External data sources that your users access through Tableau Server do not require Windows NT integrated security or Kerberos. In most data-access scenarios, Microsoft SQL Server, MSAS, Teradata, and Oracle databases require Windows NT integrated security.
While the Network Service account can be used to access resources on remote computers within the same Active Directory domain, we do not recommend using the default account for such scenarios. Instead, configure a domain account for the Run As service account if Tableau Server must connect to data sources in your environment. See Change the Run As Service Account.
Run As service account: Domain user
For all Active Directory scenarios, we recommend updating the Tableau Server Run As service account with a domain user account. Update the Run As service account to a domain user account when data sources accessed through Tableau Server require Windows NT integrated security or Kerberos.
If you have a distributed deployment of Tableau Server, then you can update the Run As service account with either a domain user or a Windows workgroup user. In either case, you must use the same user account for all server nodes. See Distributed Requirements for more information.
To configure your environment to use a domain account, see Change the Run As Service Account.