Self-service security in Tableau Server via Outlook Groups
Managing Tableau Server security can be a lot of work, especially when you’re dealing with tons of users from all over the enterprise. Fortunately, Tableau has an easy way to set this up once and let users manage it themselves using Active Directory Groups (aka Outlook Groups).
- Tableau Server with Active Directory integration
- Exchange Server with Outlook Web Access (OWA)
Process when complete
- Users browse to OWA and join groups
- Owners of the outlook groups, usually department heads, approve access to the groups
- Tableau has an automated sync job (attached) that imports the users to Tableau Server
Outlook Group Setup
- Browse to your OWA site, typically mail.yourcompany.com
- Click on ‘options’
- Click ‘All Options’
- Click on ‘New’ under ‘Public Groups I Own’
- This is a good time to start a best practice in your group naming convention. I recommend something starting with ‘Tableau – ‘ and then maybe the department or group name.
- Ideally you have a group for every project which also loosely match your org structure
- It’s important to set the correct membership approval option for the group. If the group will have access to sensitive information then make it either owner approval or closed. Then you can assign the business owner of the group who will manage membership (aka self-service)
- *I also recommend creating a ‘Tableau – Users’ and ‘Tableau – Publishers’ groups which are totally self-service w/o any approval required
Add the Outlook Groups to Tableau Server
- Browse to the import groups page in your Tableau Server environment (http://your-tableau-url/import/groups)
- Search for the groups (it may take ~10min after creating the groups for Tableau Server to find them)
- Select the groups, then click ‘Import’. If you get 0 records found it may be because of an AD setting (more here)
- Go into the projects in your environment and add these new groups to them with the appropriate level of security
- With all of the groups imported and groups setup, it’s time to automate the process
Automate the Outlook Group sync to Tableau Server
- Login to your Tableau Server (usually using Remote Desktop)
- Create a new folder c:tasks
- Save the following script into this directory and rename it, removing the .txt file extension Tableau_SyncADGroups_2.0.bat
- Edit the script, replacing and adding the ‘tabcmd syncgroup’ command for every group you wish to import automatically.
- Now is a good time for a test run. Right click on the .bat file and choose ‘Run’. If all goes well, check the server in the background tasks view (http://your-tableau-url/admin/views/tabbed_admin_views/BackgroundTasks) to make sure it actually performed the sync.
- Lastly, we need to schedule this to run on a regular basis. I recommend nightly as to not conflict with active sessions of users. For detailed steps on creating a windows task go here: http://technet.microsoft.com/en-us/library/cc748993.aspx
- In the step for choosing an Action select ‘Start a Program’ and browse to our script. It should look like this
There will be some maintenance of this script to add the new groups you import to Tableau but it should only be a fraction of what the maintenance is of adding users manually to Tableau Server. As always if you have any questions about this or want to have a chat about the approach feel free to reach out to us.