I'm now entering into this territory and am looking for what others have done, too. The current tabcmd "sync" is sooooo not a true sync.
Posting the batch file would be very helpful for those who have a solution that works for them.
The link to the previous thread was helpful, but it looks like the situation now is somewhat different - dare I say better. When doing a group sync, group members in the internal Tableau server group are successfully added and removed to match what is found in Active Directory. This seems to be in contrast to what is described in the March 2013 time frame.
My problem is that users removed from AD and removed from the Tableau group as a result of the group sync, remain as users in the Tableau system. These users retain all their previous licensed status. I would like to be able to remove these users for good from Tableau, or at least un-license them. What will happen is that user accounts that drop out of AD entirely are retained in Tableau, consuming a user license on the server. Tableau has a lot to learn about enterprise-ready software.
Sam Underland wrote:
The link to the previous thread was helpful, but it looks like the situation now is somewhat different - dare I say better. When doing a group sync, group members in the internal Tableau server group are successfully added and removed to match what is found in Active Directory...
Sam, you misread the content there. It's still the same: users are added but not deleted.
There's not going to be any automagic way baked into Server, today, to handle your use case precisely. There are at least three avenues of attack.
1.) Depending on your AD administration -- and it seems you have some influence over that if there is an AD group defined for just the users you want -- then your AD Admin could do the mirror image for you, and create an AD group of usernames for which Tableau license will now be revoked. Sync your Tableau Server to that Group, with the users in said group set to unlicensed. It has the side effect that then you have a running list of people that used to have a license and now do not.
2.) Use a .csv file and tabcmd to Delete the users in question. Then they no longer exist as valid userids on the Server, at any license level.
3.) You can build a data connection to read the Repository (server internal PostgreSQL) to retrieve the userids that exist on the Server (or Site) but do not belong to the Group in question. You can then Export a Crosstab with those users in it, to feed to tabcmd for unlicensing.
There are probably other ways. I'm sure your Tableau rep would be happy to sell you a Core Server license, so that you can add as many usernames as you'd like, at which point, unlicensing becomes less urgent.
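Added example, not part of the thread or of Tableau's tooling: a minimal reconciliation step for avenue 3, which compares the usernames exported from the Server against the current AD group members and writes the one-username-per-line .csv that is then fed to tabcmd. The function names, the single-AD-domain assumption, the 50% safety threshold and the sample accounts are all assumptions made for illustration.

```python
import csv
import io

def normalize(name):
    """Reduce DOMAIN\\user or user@domain to a bare lowercase account name.
    Assumes a single AD domain, so the domain part can be dropped safely."""
    name = name.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()

def stale_users(server_users, ad_members, keep=(), max_fraction=0.5):
    """Return server usernames (in the server's own spelling) that are no
    longer in the AD member list, excluding protected accounts in `keep`."""
    ad = {normalize(u) for u in ad_members}
    if not ad:
        # An empty or failed AD export must never translate into "remove everyone".
        raise ValueError("AD member list is empty; refusing to build a removal list")
    protected = {normalize(u) for u in keep}
    by_key = {normalize(u): u.strip() for u in server_users if u.strip()}
    stale = sorted(k for k in by_key if k not in ad and k not in protected)
    if len(stale) > max_fraction * len(by_key):
        # A large removal set usually means a truncated export, not real churn.
        raise ValueError(f"{len(stale)} of {len(by_key)} users flagged; check the AD export")
    return [by_key[k] for k in stale]

def to_csv(usernames):
    """Render one username per line, the shape of the .csv handed to tabcmd."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for user in usernames:
        writer.writerow([user])
    return buf.getvalue()

# Constructed sample data: server export vs. current AD group membership.
SERVER_USERS = ["CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\dave", "CORP\\tabadmin"]
AD_MEMBERS = ["alice@corp.example", "Bob", "CORP\\Dave"]

if __name__ == "__main__":
    print(to_csv(stale_users(SERVER_USERS, AD_MEMBERS, keep=["tabadmin"])), end="")
```

Review the generated file before passing it to tabcmd; the two refusal cases exist so that a broken AD export cannot unlicense or delete the whole user base.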
Thanks for the great ideas. We do have a core license so this is not terribly urgent. Still, I hate the idea of accounts removed from AD remaining forever in the Tableau server.
I think I'll go with idea #3. There's a bit of manual work, but not too much and I only have to do it once in a while.
Yes, we already know there isn't a way...catch up with us.
We ARE a core-based server. Licensing IS important for security reasons. Deleting users is not viable because they may exist in other AD groups. I'm already working on a solution to remove users from specific groups, just need time to code.
I'll confess to being slow / dumb here, but my posts were keyed off Sam's question, and I did not go and read the other thread to which you pointed. And he did want to delete users.
For Group sync, at least on my deployment, I do see users removed from the Group when they have been expunged from the AD tree, so I am not understanding what need is left unmet. Apparently that is in the other thread.
For this thread, I was trying to help Sam, and sorry that that does not meet your expectations.
Great options there but this is where it beats me.
To completely sync with AD automatically, #2 option, I believe, would be ideal. Okay, so Tableau hasn't provided us with an option to completely sync AD other than through TabCmd. That's fine - I can use tabcmd. I would first remove the users (all except maybe the server admins) and then once removed, I would sync the groups to add the latest set of users per group. To remove users, Tableau specifies that you need a csv file with user names - okay that's fine too. What beats me is why would Tableau not allow us to create the CSV file with usernames from its existing set of users! If that step had been allowed (even through tabcmd), it would have made life much easier. I would have used that as step #1; then step 2 would be to remove users based on that CSV and then step 3 would be to sync the AD groups! My job would be done.
As a workaround, I was thinking of downloading usernames from the AD database based on group names that have been added in Tableau server, through an SQL export wizard option scheduled daily. Then I could use this csv file to perform the above steps. Once done, the next day's SQL Export dump would recreate the CSV with the latest set of users. Do you think that could work?
Anyone out there who's doing something like this?
Hi Toby, I am on Tableau 10 and it's a user-based licensing model.