Verify Folder Permissions

The account the Tableau Server service runs under is referred to as the Run As service account. The Run As service account needs permission to specific folder resources on the Windows computer.

This topic provides:

  • An accounting of the permissions that are required by the Run As service account.
  • Information about installing Tableau Server in non-default locations.
  • How to reapply permissions on an existing Run As service account using TSM.

This topic refers to the drive where Windows is installed as the system drive. The system drive is equivalent to the Windows environmental variable, %WINDIR%. The drive where Tableau Server is installed is referred to as the install drive.

Resource System or install drive File Path Permissions required
folder system SYSTEMROOT:\windows\system32 Read, List folder contents
executable system SYSTEMROOT:\windows\system32\cmd.exe Read & execute, List folder contents
Drive root install root, for example, Local Disk (C:) Read, List folder contents
folder install PROGRAMFILES\Tableau\Tableau Server Modify
folder install (on system drive) \ProgramData\Tableau\Tableau Server\ Modify
folder install (on non-system drive) \Tableau\Tableau Server\data\ Modify

When you update the Run As service account in TSM, a background process will configure the folder permissions on the Tableau computer for the Run As service account that you specify.

In this case, where you are installing on the system drive into the default folder (C:\Program Files\Tableau), the configuration of folder permissions will be handled by TSM. You do not need to verify or change any folder permissions for this scenario. If you install Tableau Server onto a different drive, you will need to manually configure some permissions.

Installing in a non-default location

If you have installed Tableau Server in a non-default location on a different drive, then you will need to configure permissions on the installation folder for Run As service account as well as the predefined local accounts: Network Service Local Service, and System,.

The following table describes the additional permissions that you need to configure if you install Tableau Server in a non-default location. If you have changed the Run As service account to use a domain user account, then set all of the permissions in the table below. All of these permissions are set on the installation folder, and must be inherited by the subfolders and files in the installation folder.

Set permissions for this account: Permissions required
Run As domain user Read & execute
System Full control
Local Service Read & execute
Network Service Read & execute

This procedure shows how to modify permissions where the Windows system drive is the C:\ drive and the Tableau install drive is on D:\. Use this procedure to set the permissions specified in the table above.

  1. On the computer hosting Tableau Server (and on additional nodes, if distributed), use Windows Explorer to right-click the Tableau Server install folder, for example Local Disk (D:)\Tableau, and select Properties.

  2. Select the Security tab.

  3. Click Edit, then Add.

  4. In the Select Users, Computers, Service Accounts, or Groups dialog box, type the <domain>\<username> for the Tableau Server Run As service account.

  5. Click Check Names to resolve the account, then OK to confirm.

  6. With the Tableau Server Run As service account highlighted, select List folder contents and Read.

  7. On the bottom of the Security tab, click Advanced.

  8. In the Advanced Security Settings, click Change Permissions.

  9. In the Advanced Security Settings for Tableau dialog box, highlight the Run As service account and select the Replace all child object permissions with inheritable permissions from this object check box.

  10. Click OK to apply changes to all subfolders and files - this may take a few minutes.

    Note: You may encounter one or more warning messages from Windows when you apply these changes. Verify that the warnings are acceptable given the context and continue with the procedure.

  11. Click OK to confirm changes.

  12. Repeat the steps above to apply all of the permissions specified in the table above.

  13. Click OK to exit.

    Note: In some cases, Windows will display a Recycle Bin error: "The Recycle Bin is corrupted. Do you want to empty the Recycle Bin for this drive?" Click Yes.

Reapplying folder permissions

In some organizations, Group Policy or other system management solutions are used to standardize permissions and accounts on application servers. If your organization runs a such a solution, be sure to configure the system to accommodate the folder permissions required by the Run As service account. If the folder permissions for the Run As service account have been changed, you can use TSM to reapply the permissions. See Changing an existing domain Run As service account to a different account.

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.