Automatically sync Tableau groups with the AD

Version 2

    UPDATE: Jan 2017 - following our server upgrade to v10.1.1 we no longer have a need to run this script, as the functionality to schedule a sync to the AD is now part of the out-of-the-box product offering (configurable on the Settings tab of the server UI if you're a server admin).


    ======================================================================================


    Background

    At our organisation we have a relatively simple setup.  We have an enterprise licence, so we are not restricted by the number of users on our server.  Every employee (circa 2000) should have access to the server, with the ability to view and interact with reports and to create/edit reports through the browser.  We already have automated processes outside of Tableau that create the AD account for new starters in our HR system.  As part of this process we ensured that every new starter also gets added to a new AD group called Tableau Report Viewers.


    On our Tableau Server (single site), the Tableau Report Viewers group has been granted Interactor rights on a number of 'standard' projects that exist on the server, and 'Publisher' rights on an 'adhoc' project (so everybody can view and interact with most published reports, but has limited choice over where they can save what they create via the web authoring function).


    Note - we also use 'local' groups on Tableau to manage more elevated access for specific users, e.g. to allow a user to publish into the 'standard' projects.  This is all administered manually on the server, as it affects roughly 30 users.


    Issue

    Ensuring every new starter was able to access and use Tableau required us to remember to manually run the 'Synchronise with AD' job daily on our Tableau server, and then set the licence level to 'Interactor' and grant publish rights to every new user imported.  This quickly became a task that didn't happen daily, and usually only occurred when someone reported they didn't have access.


    Resolution

    To resolve this we looked around the web and initially came across an Interworks blog post which gave us the bones of a PowerShell script to work from (attached).


    Generate Encrypted Password

    • prompts for the password of the username defined within the script and saves an encrypted version of that password to the location specified within it
    • means the password does not have to be stored in plain text within the other script
    • should be run on the machine (and under the account) where the scheduled task will run, because the encrypted file can only be decrypted there

    AD Sync Script

    • reads in the encrypted password from the location specified and decrypts it
    • sets the location of TabAdmin
    • logs in to the server, passing username and password
    • synchronises the relevant AD group, setting all the imported users to the relevant licence level and granting them publish rights


    The AD Sync script is then set up as a scheduled task on our Tableau server to run daily.
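    The two scripts described above, as an added example that is not the attached script or the Interworks original: step 1 stores the service account's password with DPAPI (so the file is only readable by the same Windows account on the same machine, which is why it must be generated where the task runs), and step 2 decrypts it and calls tabcmd's login and syncgroup commands.  The server URL, account name, tabcmd path and file paths are assumptions.

```powershell
# Assumed values - change to match your environment.
$TabcmdPath   = 'C:\Program Files\Tableau\Tableau Server\10.0\extras\Command Line Utility\tabcmd.exe'
$ServerUrl    = 'https://tableau.example.internal'      # assumption
$SyncUser     = 'svc_tableau_sync'                      # assumption: a Tableau server admin account
$EncryptedPwd = 'C:\TableauSync\svc_tableau_sync.pwd'   # assumption: encrypted password file
$AdGroup      = 'Tableau Report Viewers'

# Step 1 - run once, interactively, as the account the scheduled task will use, on the
# server that will run the task.  ConvertFrom-SecureString without -Key uses DPAPI, so the
# output cannot be decrypted by another user or on another machine.
function Save-EncryptedPassword {
    $secure = Read-Host "Password for $SyncUser" -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $EncryptedPwd
    # Belt and braces: strip inherited ACEs and leave read access to the current account only.
    icacls $EncryptedPwd /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
}

# Step 2 - run daily by the scheduled task under the same account as step 1.
function Sync-TableauGroup {
    $secure = Get-Content -Path $EncryptedPwd | ConvertTo-SecureString
    $cred   = New-Object System.Management.Automation.PSCredential ($SyncUser, $secure)
    # tabcmd login accepts --password-file, which keeps the password off the command line
    # (command lines are visible in process listings and in task history).
    $pwdFile = Join-Path $env:TEMP ("tab_{0}.txt" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($pwdFile, $cred.GetNetworkCredential().Password)
        & $TabcmdPath login -s $ServerUrl -u $SyncUser --password-file $pwdFile
        if ($LASTEXITCODE -ne 0) { throw "tabcmd login failed (exit code $LASTEXITCODE)" }
        # Import the AD group, set every member to Interactor and grant publish rights.
        & $TabcmdPath syncgroup $AdGroup --license Interactor --publisher
        if ($LASTEXITCODE -ne 0) { throw "tabcmd syncgroup failed (exit code $LASTEXITCODE)" }
    }
    finally {
        & $TabcmdPath logout | Out-Null
        if (Test-Path $pwdFile) { Remove-Item $pwdFile -Force }
    }
}

# Uncomment one of these depending on which step you are running:
# Save-EncryptedPassword
# Sync-TableauGroup
```

    If the scheduled task account ever changes, step 1 has to be repeated under the new account, since the DPAPI-protected file will no longer decrypt.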


    Misc

    I personally didn't write any of the script files or fine-tune the process to work for us.  I'm writing this purely as a way of sharing what we've done, as it's not that complex and works well for us.  For a more functional solution, you may find Toby Erkson's Tableau Active Directory Solution works for you.


    Also, I'm pretty convinced there were other blog posts/published content that helped define the password generation/encryption processes, so big thanks if this was you :-)