Windows Accounts and Permissions
This topic describes the accounts used by Tableau Server and the folder permissions set by Tableau Server Setup.
The following accounts are used by Tableau Server:
Local administrator account: The account that you use to install Tableau Server must be a member of the local administrators group. To run TSM commands or to access the TSM Web UI, the account must be a member of the local administrator's group. See Sign in to Tableau Services Manager Web UI.
The Run As service account: Many services run under the account that is configured as the Run As service account. By default, the Network Service account is configured as the Run As service account. However, if Tableau Server must access resources in Active Directory, then you will need to configure the Run As service account to use an Active Directory user account. When you specify a domain user account for the Run As service account, Tableau Server will set appropriate permissions on the local computer for the user account that you have specified. The account should not be a member of the local administrators group. For more information, see Run As Service Account.
Network Service: The following services always run as Network Service:
- Tableau Server Coordination Service
- Tableau Server Client File Service
- Tableau Server Administration Controller
Local Service: The licensing service runs under the Local Service account.
System: The Tableau Server Administration Agent service runs under the System account. The Administration Agent service is responsible for service installation, configuration, and monitoring.
Windows assigns default permissions to the root of each hard drive. Those permissions are set to be inherited by subfolders and files. Tableau Server functionality relies on these permission models for default installations:
- Local administrators group: this group is given full permission to all directories on the computer. The System account implicitly belongs to the local administrators group. As noted in the previous section, the account that you use to install and run TSM must have full access to the computer as granted by membership in the local administrators group.
- The local users group is given read-execute permissions. The account that you specify as the Run As service account must be a member of the local users group. Network Service and Local Service implicitly belong to the local users group.
For more information about how directory structure is implemented in a custom installation, see Before you install....