Windows Accounts and Permissions
This topic describes the accounts used by Tableau Server and the folder permissions set by Tableau Server Setup.
The following accounts are used by Tableau Server:
Local administrator account: The account that you use to install Tableau Server must be a member of the local administrators group. To run TSM commands or to access the TSM Web UI, the account must be a member of the local administrator's group. See Sign in to Tableau Services Manager Web UI.
The Run As service account: Many services run under the account that is configured as the Run As service account. By default, the Network Service account is configured as the Run As service account. However, if Tableau Server must access resources in Active Directory, then you will need to configure the Run As service account to use an Active Directory user account. When you specify a domain user account for the Run As service account, Tableau Server will set appropriate permissions on the local computer for the user account that you have specified. The account should not be a member of the local administrators group. For more information, see Run As Service Account.
Network Service: The following services always run as Network Service:
- Tableau Server Coordination Service
- Tableau Server Client File Service
- Tableau Server Administration Controller
Local Service: The licensing service runs under the Local Service account.
System: The Tableau Server Administration Agent service runs under the System account. The Administration Agent service is responsible for service installation, configuration, and monitoring.
Windows assigns default permissions to the root of each hard drive. Those permissions are set to be inherited by subfolders and files. Tableau Server functionality relies on these permission models for default installations:
- Local administrators group: this group is given full permission to all directories on the computer. The System account implicitly belongs to the local administrators group. As noted in the previous section, the account that you use to install and run TSM must have full access to the computer as granted by membership in the local administrators group.
- The local users group is given read-execute permissions. The account that you specify as the Run As service account must be a member of the local users group. Network Service and Local Service implicitly belong to the local users group.
If your organization requires a stricter scope of permissions, then we recommend a custom installation. In a custom installation, Tableau Server is installed into a non-default location. Installing into a non-default location allows you to set permissions for the installation folder before you install Tableau Server.
Rather than modifying the default permissions on the system drive, the %ProgramData% folder and %ProgramFiles% folder, install Tableau Server into a directory with the following permissions:
- The user account that is used to install Tableau Server must be given full control.
- The account used to run TSM commands must be given full control.
- The System account must be given full control.
- The Run As service account, Network Service, and Local Service must be given read-execute permissions.
- All permissions need to be inherited by the installation folder, subfolders, and files.
For more information about how directory structure is implemented in a custom installation, see Before you install....