11 Replies Latest reply on Oct 19, 2016 3:23 PM by Sourav Dasgupta

    Removing Users Added by Group Synch

    Sam Underland

      I currently synchronize with an Active Directory group that constitutes my licensed Tableau Server users. I have a process that periodically runs tabcmd to import new users and license them. All's well so far. The trouble is that when users are removed from this AD group, they remain licensed users in Tableau.

       

      Is there any mechanism to automatically remove or un-license these users when they are removed from the AD group? The only thing I can think of is to periodically do a manual side-by-side comparison of the licensed users in Tableau with the group membership and manually remove the non-entitled users. I'm naturally lazy so I'm trying to avoid all manual labor.

       

      Any ideas? What have other people done? I'm running Tableau Server V8.1

        • 1. Re: Removing Users Added by Group Synch
          Toby Erkson

          I'm now entering into this territory and am looking for what others have done, too.  The current tabcmd "sync" is sooooo not a true sync

           

          Posting the batch file would be very helpful for those who have a solution that works for them

          • 2. Re: Removing Users Added by Group Synch
            Toby Erkson

            Another thread to help explain our situation:

            http://community.tableau.com/thread/124775

            • 3. Re: Removing Users Added by Group Synch
              Sam Underland

              The link to the previous thread was helpful, but it looks like the situation now is somewhat different - dare I say better. When doing a group sync, group members in the internal Tableau server group are successfully added and removed to match what is found in Active Directory. This seems to be in contrast to what is described in the March 2013 time frame.

               

              My problem is that users removed from AD and removed from the Tableau group as a result of the group sync, remain as users in the Tableau system. These users retain all their previous licensed status. I would like to be able to remove these users for good from Tableau, or at least un-license them. What will happen is that user accounts that drop out of AD entirely are retained in Tableau, consuming a user license on the server. Tableau has a lot to learn about enterprise-ready software.

              • 4. Re: Removing Users Added by Group Synch
                Toby Erkson

                Sam Underland wrote:

                 

                The link to the previous thread was helpful, but it looks like the situation now is somewhat different - dare I say better. When doing a group sync, group members in the internal Tableau server group are successfully added and removed to match what is found in Active Directory...

                Sam, you mis-read the content there.  It's still the same, users are added but not deleted.

                • 5. Re: Removing Users Added by Group Synch
                  Ken Patton

                  There's not going to be any automagic way baked into Server, today, to handle your use case precisely. There are at least three avenues of attack.

                   

                  1.)

                  Depending on your AD administration -- and it seems you have some influence over that if there is an AD group defined for just the users you want -- then your AD Admin could do the mirror image for you, and create an AD group of usernames for which Tableau license will now be revoked.  Sync your Tableau Server to that Group, with the users in said group set to unlicensed. It has the side effect that then you have a running list of people that used to have a license and now do not.

                   

                  2.)

                  Use a .csv file and tabcmd to Delete the users in question. Then they no longer exist as valid userid's on the Server, at any license level.

                   

                  3.) You can build a data connection to read the Repository (server internal postGRE) to retrieve the userids that exist on the Server (or Site) but do not belong to the Group in question. You can then Export a Crosstab with those users in it, to feed to tabcmd for unlicensing.

                   

                  --

                   

                  There are probably other ways.  I'm sure your Tableau rep would be happy to sell you a Core Server license, so that you can add as many usernames as you'd like, at which point, unlicensing  becomes less urgent.

                   

                   

                  Good luck,

                  Ken

                  Server8-Cert-PNG-Small.png

                  1 of 1 people found this helpful
                  • 6. Re: Removing Users Added by Group Synch
                    Sam Underland

                    Thanks for the great ideas. We do have a core license so this is not terribly urgent. Still, I hate the idea of accounts removed from AD remaining forever in the Tableau server.

                     

                    I think I'll go with idea #3. There's a bit of manual work, but not too much and I only have to do it once in awhile.

                    • 7. Re: Removing Users Added by Group Synch
                      Toby Erkson

                      Ken,

                      Yes, we already know there isn't a way...catch up with us.

                       

                      We ARE a core-based server.  Licensing IS important for security reasons. Deleting uses is not viable because they may exist in other AD groups.  I'm already working on a solution to remove users from specific groups, just need time to code

                      • 8. Re: Removing Users Added by Group Synch
                        Ken Patton

                        Toby,

                         

                        I'll confess to being slow / dumb here, but my posts were keyed off Sam's question,and I did not go and read the other thread to which you pointed. and he did want to delete users.

                         

                        For Group sync, at least on my deployment, I do see users removed from the Group when they have been expunged from the AD tree, so I am not understanding what need is left unmet. Apparently that is in the other thread.

                         

                        For this thread, I was trying to help Sam, and sorry that that does not meet your expectations.

                        • 9. Re: Removing Users Added by Group Synch
                          Sourav Dasgupta

                          Great options there but this is where it beats me.

                           

                          To completely sync with AD automatically, #2 option, I believe, would be ideal. Okay, so Tableau hasn't provided us with an option to completely sync AD other than through TabCmd. That's fine - I can use tabcmd. I would first remove the users (all except maybe the server admins) and then once removed, I would sync the groups to add the latest set of users per group. To remove users, tableau specifies that you need a csv file with user names - okay that's fine too. What beats me is why would Tableau not allow us to create the CSV file with usernames from its existing set of users! If that step had been allowed (even through tabcmd), it would have made life much easier. I would have used that as step #1; then step 2 would be to remove users based on that CSV and then step 3 would be to sync the AD groups! My job would be done.


                          As a workaround, I was thinking of downloading usernames from the AD database based on group names that have been added in tableau server, through an SQL export wizard option scheduled daily. Then I could use this csv file to perform the above steps. Once done, the next day's SQL Export dump would recreate the CSV with the latest set of users. Do you think that could work?

                           

                          Anyone out there who's doing something like this?

                          • 10. Re: Removing Users Added by Group Synch
                            Toby Erkson

                            Sourav Dasgupta,

                            What version are you on and what licensing model is your Tableau Server?

                            • 11. Re: Removing Users Added by Group Synch
                              Sourav Dasgupta

                              Hi Toby, I am on Tableau 10 and its a user based licencing model.