Personal Access Tokens
Personal access tokens provide Tableau Server users the ability to create long-lived authentication tokens. The tokens allow users to run automation with Tableau REST APIs without requiring hard-coded credentials or interactive login. More information about using personal access tokens with Tableau REST APIs is at Signing In and Out (Authentication).
Personal access tokens are not used for generic client access to the Tableau Server web interface, TSM, or tabcmd interfaces.
We recommend creating personal access tokens for automated scripts and tasks that are created with Tableau REST API:
- Improving security: Personal access tokens reduce risk in the event credentials are compromised. In the case where Tableau Server uses Active Directory or LDAP as an identity store, you can reduce the scope of credential compromise by using a personal access token for automated tasks. In this case, using an application-specific token doesn't expose the broader system in the event that automation or script files are compromised. If a token gets compromised or is used in automation that is failing or posing a risk, you can just revoke the token. You do not need to rotate or revoke the user's credentials.
- Auditing and tracking: As an administrator, you can review Tableau Server logs to track when a token is used, what sessions are created from that token, and the actions that are performed in those sessions. You can also determine if a session and the related tasks were performed from a session that was generated from a token or from an interactive login.
- Managing automation: A token can be created for each script or task that is run. This allows you to silo and review automation tasks across your organization. Additionally, when tokens are used, password resets or metadata changes (username, email, etc.) on user accounts will not disrupt automation the way they would when credentials are hard-coded into the scripts.
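The sign-in flow described above, written out as an added example (this is not Tableau's code): the token secret is read from an environment variable rather than hard-coded, the REST API sign-in request carries the token name and secret, and every later call uses only the short-lived session token returned by the server. The JSON field names and the /auth/signin and /auth/signout endpoints are those of the REST API sign-in documentation; the API version string, the environment variable names and the transport hook are assumptions made for this example.

```python
# Added example (not Tableau's code): signing in to the Tableau REST API with a
# personal access token read from the environment, using the session token on a
# subsequent request, and signing out. API_VERSION and the environment variable
# names are assumptions; the transport hook exists so the flow can be exercised
# without a live server.
import json
import os
import urllib.request
from typing import Callable, Dict, Optional, Tuple

API_VERSION = "3.19"  # assumed; use a version your server supports

# transport(url, headers, body) -> (status, response_bytes)
Transport = Callable[[str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Default transport: a real HTTPS POST via the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def secret_from_env(var: str = "TABLEAU_PAT_SECRET") -> str:
    """The token secret comes from the environment, never from the script itself."""
    value = os.environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; export the personal access token secret first")
    return value


def signin_payload(token_name: str, token_secret: str, site_content_url: str = "") -> dict:
    """Request body for POST /auth/signin; an empty contentUrl selects the default site."""
    return {"credentials": {"personalAccessTokenName": token_name,
                            "personalAccessTokenSecret": token_secret,
                            "site": {"contentUrl": site_content_url}}}


def sign_in(server: str, token_name: str, token_secret: str, site_content_url: str = "",
            transport: Transport = urllib_transport) -> Tuple[str, str]:
    """Returns (session token, site id). The PAT itself is not sent again after this call."""
    url = f"{server}/api/{API_VERSION}/auth/signin"
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    body = json.dumps(signin_payload(token_name, token_secret, site_content_url)).encode("utf-8")
    status, raw = transport(url, headers, body)
    if status != 200:
        raise PermissionError(f"sign-in failed with HTTP {status}")
    creds = json.loads(raw)["credentials"]
    return creds["token"], creds["site"]["id"]


def auth_headers(session_token: str) -> Dict[str, str]:
    """Every later REST call carries the session token in X-Tableau-Auth, not the PAT."""
    return {"X-Tableau-Auth": session_token, "Accept": "application/json"}


def sign_out(server: str, session_token: str, transport: Transport = urllib_transport) -> bool:
    """Ends the session; the server answers 204 No Content on success."""
    url = f"{server}/api/{API_VERSION}/auth/signout"
    status, _ = transport(url, auth_headers(session_token), None)
    return status == 204


if __name__ == "__main__":
    server = os.environ.get("TABLEAU_SERVER", "https://tableau.example.com")  # placeholder host
    token_name = os.environ.get("TABLEAU_PAT_NAME", "nightly-extract")
    session, site_id = sign_in(server, token_name, secret_from_env())
    print(f"signed in to site {site_id}")
    print("signed out:", sign_out(server, session))
```

Because the transport is injectable, the same functions can be exercised in a unit test with a fake server, and the script can be run for real by exporting TABLEAU_SERVER, TABLEAU_PAT_NAME and TABLEAU_PAT_SECRET.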
Understanding personal access tokens
When a token is created, it is hashed then stored in the repository. After the token is hashed and stored, the original token is deleted. Users are instructed to copy the token to a safe place and to handle it as they would a password. When the token is used at run-time, Tableau Server hashes the token presented by the user and compares it to the hashed value stored in the repository. If a match is made, then an authenticated session is started.
In the context of authorization, Tableau Server handles the authenticated session with the same permissions and rights that the user has as an interactive user.
Users with accounts on Tableau Server can create, manage, and revoke personal access tokens on the My Account Settings page. See Manage Your Account Settings in the Tableau Desktop and Web Authoring Help for more information.
Users must create their own personal access tokens. Administrators cannot create tokens for users.
Personal access tokens will expire if they are not used after 15 consecutive days. If they are used more frequently than every 15 days, an access token will expire after 1 year. After a year, you must create a new token. Expired personal access tokens will not display on the My Account Settings page.
You can change the refresh token expiry time span using the refresh_token.absolute_expiry_in_seconds option with the tsm configuration set command.
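The storage and verification model described above (hash the token at creation, keep only the hash, re-hash the presented token and compare, expire after 15 idle days or one year, hide expired tokens, revoke individually), as an added example. This is a minimal model written for this page, not Tableau's implementation: the hash algorithm (SHA-256 of a random URL-safe secret), the record layout and the (user, token name) key are assumptions for illustration.

```python
# Added example (not Tableau's code): a minimal model of keeping only a hash of a
# personal access token at rest, verifying a presented token by re-hashing it, and
# applying the two expiry rules described above (15 days idle, 1 year absolute).
# SHA-256 and the token format are assumptions for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

IDLE_LIMIT = timedelta(days=15)       # unused for 15 consecutive days -> expired
ABSOLUTE_LIMIT = timedelta(days=365)  # one year after creation -> expired


def hash_token(secret: str) -> str:
    """Digest kept in the repository; the plaintext secret is never stored."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    user: str
    name: str
    token_hash: str
    created_at: datetime
    last_used_at: datetime
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        # keyed by (user, token name): each user names and owns their own tokens
        self._records: Dict[Tuple[str, str], TokenRecord] = {}

    def create(self, user: str, name: str, now: datetime) -> str:
        """Create a token for a user. Returns the secret exactly once; only its hash is kept."""
        plaintext = secrets.token_urlsafe(32)
        self._records[(user, name)] = TokenRecord(user, name, hash_token(plaintext), now, now)
        return plaintext

    @staticmethod
    def is_expired(rec: TokenRecord, now: datetime) -> bool:
        return (now - rec.last_used_at > IDLE_LIMIT) or (now - rec.created_at > ABSOLUTE_LIMIT)

    def authenticate(self, user: str, name: str, presented: str, now: datetime) -> bool:
        """Hash the presented secret and compare it to the stored hash in constant time."""
        rec = self._records.get((user, name))
        if rec is None or rec.revoked or self.is_expired(rec, now):
            return False
        if not hmac.compare_digest(hash_token(presented), rec.token_hash):
            return False
        rec.last_used_at = now  # a successful use restarts the 15-day idle window
        return True

    def revoke(self, user: str, name: str) -> bool:
        """Revoking one token does not touch the user's password or their other tokens."""
        rec = self._records.get((user, name))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def visible_tokens(self, user: str, now: datetime) -> List[str]:
        """Names a user would see on their settings page; expired and revoked tokens are hidden."""
        return sorted(
            rec.name for (owner, _), rec in self._records.items()
            if owner == user and not rec.revoked and not self.is_expired(rec, now)
        )


if __name__ == "__main__":
    store = TokenStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    secret = store.create("jsmith", "nightly-extract", t0)
    print("day 1 auth:", store.authenticate("jsmith", "nightly-extract", secret, t0 + timedelta(days=1)))
    print("visible on day 17:", store.visible_tokens("jsmith", t0 + timedelta(days=17)))
```

Note that the absolute limit is checked against the creation time, so regular use keeps a token alive through the idle rule but not past the one-year mark; after that the user must create a new token, as the text states.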
Revoking users' tokens
Users are able to revoke their own tokens on the My Account Settings page. As an administrator, you can also revoke personal access tokens.
- Sign in to the Tableau Server Admin Area as a site administrator or server administrator.
- Locate the user whose token you want to revoke. For more information about navigating Server Admin pages and locating users, see View, Manage, or Remove Users.
- Click the user's name to open their profile page.
- On the user's profile page, click the Settings tab.
- In the Personal Access Tokens section, identify the token that you want to revoke and then click Revoke.
- On the verification pop-up, click Delete.
Tracking and monitoring usage
All token-related actions are logged in the Tableau Server Application Server (vizportal) service.
To locate token-related activities, filter log entries containing the string,
Tokens are recorded in the logs in this format:
Token Guid: <TokenID(Guid)>, where the TokenID is a base64-encoded string. The token secret is not included in the logs. For example:
Token Guid: 49P+CxmARY6A2GHxyvHHAA== (e3d3fe0b-1980-458e-80d8-61f1caf1c700).
The following is an example snippet of two log entries. The first shows how a user is mapped to a token. The second shows a refresh event for the same token:
RefreshTokenService - Issued refresh token to the following user: jsmith. Token Guid: 49P+CxmARY6A2GHxyvHHAA== (e3d3fe0b-1980-458e-80d8-61f1caf1c700)
RefreshTokenService - Redeemed refresh token. Token Guid: 49P+CxmARY6A2GHxyvHHAA== (e3d3fe0b-1980-458e-80d8-61f1caf1c700)
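The auditing described in this section (which user a token was issued to, how often it is redeemed), as an added example that parses vizportal log lines of the format shown above. This is not Tableau's tooling: the regular expressions, the helper names and the sample log are constructed for this example (the first two sample lines mirror the page, the rest are made up). It also checks that the base64 TokenID decodes to the UUID printed beside it, which the page's own example line satisfies.

```python
# Added example (not Tableau's code): parse vizportal log lines of the form shown
# above, map each token GUID to the user it was issued to, count redemptions per
# token, and verify that the base64 TokenID decodes to the UUID printed beside it.
# SAMPLE_LOG is constructed for this example.
import base64
import re
import uuid
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

TOKEN_RE = re.compile(r"Token Guid: (?P<b64>[A-Za-z0-9+/]+={0,2}) \((?P<uuid>[0-9a-f-]{36})\)")
ISSUED_RE = re.compile(r"Issued refresh token to the following user: (?P<user>\S+)\.")
REDEEMED = "Redeemed refresh token"

SAMPLE_LOG = """\
RefreshTokenService - Issued refresh token to the following user: jsmith. Token Guid: 49P+CxmARY6A2GHxyvHHAA== (e3d3fe0b-1980-458e-80d8-61f1caf1c700)
RefreshTokenService - Redeemed refresh token. Token Guid: 49P+CxmARY6A2GHxyvHHAA== (e3d3fe0b-1980-458e-80d8-61f1caf1c700)
SomeOtherService - unrelated entry with no token
RefreshTokenService - Redeemed refresh token. Token Guid: 49P+CxmARY6A2GHxyvHHAA== (e3d3fe0b-1980-458e-80d8-61f1caf1c700)
"""


def decode_token_guid(b64: str) -> str:
    """The base64 TokenID is the raw 16 bytes of the UUID shown in parentheses."""
    return str(uuid.UUID(bytes=base64.b64decode(b64)))


def audit(lines: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, int], List[str]]:
    """Returns (token GUID -> user, token GUID -> redemption count, lines whose base64 and UUID disagree)."""
    owners: Dict[str, str] = {}
    redemptions: Dict[str, int] = defaultdict(int)
    mismatches: List[str] = []
    for line in lines:
        match = TOKEN_RE.search(line)
        if match is None:
            continue  # not a token-related entry
        guid = match.group("uuid")
        if decode_token_guid(match.group("b64")) != guid:
            mismatches.append(line.strip())
        issued = ISSUED_RE.search(line)
        if issued:
            owners[guid] = issued.group("user")
        elif REDEEMED in line:
            redemptions[guid] += 1
    return owners, dict(redemptions), mismatches


def redemptions_by_user(lines: Iterable[str]) -> Dict[str, int]:
    """Roll redemption counts up to the user each token was issued to."""
    lines = list(lines)
    owners, redemptions, _ = audit(lines)
    per_user: Dict[str, int] = defaultdict(int)
    for guid, count in redemptions.items():
        per_user[owners.get(guid, "<token issued outside this log>")] += count
    return dict(per_user)


if __name__ == "__main__":
    owners, redemptions, mismatches = audit(SAMPLE_LOG.splitlines())
    for guid, user in owners.items():
        print(f"{guid} issued to {user}, redeemed {redemptions.get(guid, 0)} time(s)")
    print("base64/UUID mismatches:", mismatches)
```

Run against a real vizportal log, the "issued outside this log" bucket is expected for tokens created before the log window; a base64/UUID mismatch, on the other hand, should never occur and would indicate a corrupted or tampered entry.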
To locate key operations, filter log entries containing the string,