2 of 2 people found this helpful
Hey Susan -
You can. There's a tool called tabcmd which allows you to sync an active directory group. Just set this sucker to run on a schedule using the "scheduling software" of your choice.
Note that tabcmd syncgroup only ADDS new users - it doesn't remove users. More details here: http://community.tableau.com/ideas/1993
I have used tabcmd for taking backups, starting/stopping server etc, I can see there is some info on this on the knowledge base so will look into that further, thanks for that :-) I can't seem to access the idea link you have pasted above, I am getting an error on this? I would be interested to read this as ideally would like to synch the group and any changes, not just additions....
3 of 3 people found this helpful
Strange - that link isn't working for me any more, either.
Here's the text.
The "synchronization" group option within Tableau Server that works with Active Directory only imports new users to from the Active Directory group to the Tableau Server group. If persons are removed from an Active Directory group and a synchronization is performed, those users are not removed from the Tableau Server group that is based on the Active Directory.
Per this discussion on the forums (http://community.tableau.com/thread/124775), it would appear that the server admin has to do one of two things:
- Stay abreast of all changes within each Active Directory group that is used to create Tableau Server groups and then manually go in and remove the individual(s) from each group within Tableau Server
- Delete the users from each group, 'synchronize' the group to bring folks back, then reassign all previous permissions (license, admin, publisher) to all users because those attributes were removed when you deleted the users from the group in the first step mentioned (all the while hoping not to reassign folks the wrong permissions)
My company has close to 30,000 employees; of which, close to 10% have access to Tableau Server. This percentage may increase throughout the year as more folks continue to see the benefits of Tableau. As most companies with Tableau Server, I have both production and development server environments; but each of my environments contain around 50 groups. I have at least 5 groups with over 100 people, and another 20-30 groups with close to 50 persons in them. Through attrition, new hires, and movement within the company, I may need to update these groups on a monthly basis - doing either approach mentioned above would take a considerable amount of time within a large company. I would like the following to happen when a synchronization takes place:
- the ability to synchronize and have Tableau Server mimic the Active Directory group
- new members added
- old members removed
- allow current TS group members to retain their permissions (if they still belong to the AD group).
- the ability to establish a 'default' group permission that new users of that group would come in with (instead of them coming in with unassigned license status and manually changing their permissions).
I think this is a valid idea, if the link comes active again I would certainly vote up also :-)
It's active - but for some reason you can't get "directly" to it. If you go to the Ideas forum and search for "Active Directory" it'll be the 3rd or 4th item that shows up in search results.
Great, done, thanks again.
I think the link was just a little malformed - it has some extra stuff at the beginning. This forum software is annoying - it's trying to be "smart" about an internal link, but just making it invalid in the process. Had to edit the HTML of my post to get it correct.
I upvoted this - I'm surprised it doesn't work this way already (as most AD integrated products do).
Valid link: http://community.tableau.com/ideas/1993
I know this is an old thread, but it looks like when I sync the AD group the users are added as unlicensed. Does this mean my tabcmd script needs to run back through the group and license everyone appropriately or is there a way to set that in the application?
Did you get a response to this at all? As this is something I am now wondering also.
Susan, the syncgroup command now has a --role parameter that allows you to specify which role new users should be added with (see tabcmd Commands). It also seems change existing users in that group to that role, so this wouldn't be suitable if for some reason you wanted a mixture of roles within one group.
This 'role' parameter is applied to whole group.
This is minimal site role for this group
- if current user role is weaker then specified, user will be given this role
- if current user role is stronger then specified, user role will not change.
New user (added on sync) could be given this role if they are new on server. If these users are already members of current site, their current role will be compared with specified by same rules give above.
This prevents user role degradation if user is member of several groups. If these groups are imported, user's role will be as strongest role specified for those groups.
So, mixture is possible. But there are some rules..
Ah, that is pretty handy. Thanks Alexey!