17 Replies. Latest reply on Feb 3, 2017 8:03 AM by Jonathan Macdonald

    clarification on process for Tableau server Authorizing AD groups

    Mohmed Shaik

      Hi,

       

      I need some clarification on how Tableau Server authorizes groups and users that are imported from an AD group. Let's say users are added from an AD group. Later, when users are logging into the server, although the users' metadata info gets added into the Tableau repository, for the user name and password confirmation the server still interacts with AD (I am assuming I am right till here). This process takes place since Tableau Server doesn't store user credential information.

       

      Later, groups are imported through the actual Active Dir group. Also, existing users will be added into one of the imported (AD) groups existing in the server. From here the (AD imported) groups are added into projects. Now my confusion lies here. When users access the projects, do the (imported AD) groups present in Tableau Server check all groups, or the groups that the users have been assigned to, against the groups existing in the actual Active Dir for the users to get authorized into projects? Or, since group info gets stored in the repository, is there no need for the server to cross-check Tableau Server groups with the actual Active Dir groups each time users access their assigned projects?

       

      Moreover, it would be really nice if anyone can drill down more technically on the interaction between the Application server process, the repository, and the actual Active Dir based on my above question.

        • 1. Re: clarification on process for Tableau server Authorizing AD groups
          Jonathan Macdonald

          Hi Mohmed,

           

          My understanding is that when you import an AD group, Tableau Server simply scans the username metadata in the repository and puts those users into groups on Tableau Server. If a user in the AD group is not yet a user on Tableau Server then they are added as part of this process. This group then remains static until an AD group synchronisation takes place - with recent (9.1+) versions of Tableau Server, you can schedule this sync job in the web interface.

           

          In terms of authentication, again my understanding is AD does all of it. Tableau Server only stores the AD username, then hands off the entered credentials to AD and waits for a successfully authenticated message to come back, at which time Tableau Server will allow the action.

           

          Jonathan

          2 of 2 people found this helpful
          • 2. Re: clarification on process for Tableau server Authorizing AD groups
            Mohmed Shaik

            Ahh man, thanks for the clarification in terms of authentication. So, it means all the Tableau imported AD groups will ultimately interact with the actual Active Dir each time to check for the credentials when an individual user accesses projects in Tableau that one has access to.

             

            Any idea if this process creates any performance issue if there are thousands of users present in hundreds of groups?

            Also, any idea how, in terms of Tableau processes (application server, repository, and AD), this will take place? From your reply I am assuming the repository will be interacting with the actual Active Dir for authentication each time a user accesses workbooks.

             

            Thanks again

            • 3. Re: clarification on process for Tableau server Authorizing AD groups
              Jonathan Macdonald

              Hi, sorry if I wasn't clear - AD would not get involved when checking user permissions on a project. Those permissions are controlled in Tableau Server, once the user is authenticated (logged in) to the Tableau Server, then the Server handles authorisation on projects, data sources and workbooks etc. The distinction here is between authentication (is the user who they say they are?) which is handled by AD, and authorisation (can that user access that workbook?) which is handled by Tableau Server.

               

              So there is no performance issue. In the past I've added an AD group containing 60,000 users with no discernible change in performance on the front end, although it does increase the size of the repository quite a bit.

              • 4. Re: clarification on process for Tableau server Authorizing AD groups
                Toby Erkson

                AD is used for authentication only:  Can the user log on to the Tableau Server or not?

                 

                Once logged in the user has a session and it remains active until the user is logged out or times out.

                Once logged in the user name is then used for permissioning and AD is no longer necessary.

                 

                You can confirm this by the Actions by Recent Users report in the Tableau Server Status report:

                1 of 1 people found this helpful
                • 5. Re: clarification on process for Tableau server Authorizing AD groups
                  Mohmed Shaik

                  Jonathan, your responses are very clear, and helpful for me.

                  Yes, you made it clear that once the authentication takes place the permissions will be taken care of at the Tableau Server level.

                   

                  Let's say I belong to group A in Tableau Server, which has been added to project A. When I access project A, will Tableau group A, which I belong to, interact with AD to get credentials? I am assuming yes here. To continue, I belong to 10 groups for 10 (different) projects. When I access each project, will those 10 different groups interact with AD to authenticate credentials?

                  Overall, will Tableau groups interact with AD groups to check credentials?

                   

                   

                  From Toby I am clear on "Once logged in the user name is then used for permissioning and AD is no longer necessary".

                  • 6. Re: clarification on process for Tableau server Authorizing AD groups
                    Toby Erkson

                    Mohmed Shaik wrote:

                     

                    Let's say I belong to group A in Tableau Server, which has been added to project A. When I access project A, will Tableau group A, which I belong to, interact with AD to get credentials? (1) I am assuming yes here. To continue, I belong to 10 groups for 10 (different) projects. (2) When I access each project, will those 10 different groups interact with AD to authenticate credentials?

                    (3) Overall, will Tableau groups interact with AD groups to check credentials?

                     

                    AD is only used for Tableau Server authentication. Once logged in then all communication with AD is done.  So...

                    (1) No.  Authorization is being used here, not authentication.

                    (2) No.  Authorization is being used here, not authentication.

                    (3) No.  Authorization is being used here, not authentication.

                    • 7. Re: clarification on process for Tableau server Authorizing AD groups
                      Mohmed Shaik

                      Jonathan, I liked your responses and they were helpful as well.

                      • 8. Re: clarification on process for Tableau server Authorizing AD groups
                        Mohmed Shaik

                        Toby, thanks.

                        So, if it's authorization at that stage, more likely Tableau permissions are involved. So question of AD getting involved.

                        • 9. Re: clarification on process for Tableau server Authorizing AD groups
                          Toby Erkson

                          Okay, we need to look at this in a different way.  I hope this illustrates the difference between authentication (are you who you say you are) and authorization (do you have access to stuff inside the Tableau Server).

                           

                          You are arriving at work (Tableau Server web site).  You show the security guard your employee ID badge.  He looks at it and at you; the picture on the badge matches your face so the guard lets you in to the building.  You have been AUTHENTICATED.

                               You are now in the building (Tableau Server) and there is the general cubicle space where you sit and work (the "default" Site).  There are rooms around the building that you can go to for meetings, get supplies, etc. (Projects).

                               While you're working you run out of notebook paper and your pencil breaks so you go to the Supply room to get the necessary supplies.  Because you are an employee you have free access to the Supply room so the door is unlocked.  You do not have to go to the guard and ask their permission to get supplies because you've already proven you're an employee when you first entered the building and the guard let you pass.

                               You go back to your desk and continue working when suddenly your laptop squeals and then dies.  Hard drive froze up!  So you go to the IT Equipment room to get a new laptop.  The door to that room is locked.  You swipe your badge at the card reader, it beeps, the red light turns green, and the door unlocks.  You have permission (AUTHORIZATION) to access that room.  There's no need to go back to the guard and show them your badge to get into the room because you've already proven you're an employee when you first entered the building and the guard let you pass.

                               Jack the Janitor, who is an employee and has a badge so he can enter the building (AUTHENTICATION), saw you get a new laptop and decides he wants one as well.  He goes to the IT Equipment room and swipes his badge at the card reader and the red light doesn't change color!  He is not AUTHORIZED to access that room.  Jack is confused because he does have access to the Supply room.  So he goes to the guard and asks to be let into the room.  The guard says that they can only let people into the building or not (AUTHENTICATION); the guards have no control as to who has access (AUTHORIZATION) to the rooms (Projects) within the building (Tableau Server).  The guard tells Jack that if he wants access to the IT Equipment room then he needs to talk to the company CIO for permission (Server Administrator, Site Administrator, or Project Leader).

                             So the day is over and you leave work (log off Tableau Server).  You realize that you forgot to get a paperclip.  You can't go from the parking lot directly to the Supply room; you have to enter the building and show the guard your badge (log in to the Tableau Server (AUTHENTICATION)) before you can get to the Supply room.  "To heck with it!", you think and decide you'll get that paperclip tomorrow.

                               The End

                          1 of 1 people found this helpful
                          • 10. Re: clarification on process for Tableau server Authorizing AD groups
                            Matt Coles

                            Beautifully explained! Can't wait for the sequel!

                            • 11. Re: clarification on process for Tableau server Authorizing AD groups
                              Mohmed Shaik

                              lollllll some day, one has to compile references/explanations from guys like you, and others helpful in this community, and release a separate booklet beside the Tableau manuals, to get a clear-cut picture inside out of Tableau.

                              That would be the beginning of the sequel !!

                               

                              Thanks all.

                              • 12. Re: clarification on process for Tableau server Authorizing AD groups
                                Mohmed Shaik

                                Toby, I swear this will be my last question for this discussion, hope so.

                                 

                                Question - I belong to 10 different Tableau groups. When I am logging in for the first time, and the authentication process is taking place, how/where does it check? As you said, "You are arriving at work (Tableau Server web site)." - for the first time. Does it get checked against all groups, or the groups I belong to, or are groups not involved?

                                Your explanation made it clear that once I log in, there is no more need of the auth process again, nor does it check against AD.

                                 

                                My dilemma is, let's say I import all users via AD. Then create groups locally at the server. This will make adding and modifying groups at server level much easier, and flexible for site admins. No need to depend on the AD team, and keep on creating groups for Tableau at AD level. And my major concern/assumption is performance will be much better for some reason here than groups imported via AD into Tableau.  And from here the first login will get authenticated against AD, and the rest of the story as you explained, I can access as I need in the server that I am authorized to.

                                 

                                AD imported groups at Tableau VS locally created Tableau groups  --- performance?

                                • 13. Re: clarification on process for Tableau server Authorizing AD groups
                                  Toby Erkson

                                  Mohmed Shaik wrote:

                                   

                                  ...

                                  My dilemma is, let's say I import all users via AD. Then create groups locally at the server. This will make adding and modifying groups at server level much easier, and flexible for site admins. No need to depend on the AD team, and keep on creating groups for Tableau at AD level. And my major concern/assumption is performance will be much better for some reason here than groups imported via AD into Tableau.  And from here the first login will get authenticated against AD, and the rest of the story as you explained, I can access as I need in the server that I am authorized to.

                                   

                                  AD imported groups at Tableau VS locally created Tableau groups  --- performance?

                                  There is no performance hit.  Being in an AD group or a local Group makes no difference because Tableau Groups -- no matter how they are created -- are only used for authorization (can User Xyz see that Site/Project/Workbook/View?) and authorization only comes after authentication.

                                   

                                  We use AD for authentication.  We use locally created Groups as well as imported AD groups.  I much prefer AD groups because my end users don't have to rely upon our Tableau Support team to add individuals to various Groups in Server.  However, AD groups are used here quite a bit for authentication for a variety of things so getting someone in an AD group isn't a big deal.  Maintenance is much easier, too, since users are added/deleted according to their presence in AD (e.g., they leave the company).  With locally created Groups there is more manual maintenance involved.

                                   

                                  Also, you don't pull in every single person into the Server and then start placing them into Groups.  You add people to the Server when they need access.  You either (1) automatically add them via AD and synchronization with Tableau Server (where they automatically become a Tableau Group) or (2) manually add them and then place them into the necessary [locally created] Tableau Group.

                                  2 of 2 people found this helpful
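
The split described in this thread, as an added Python sketch that is not part of any post and is not Tableau Server code: the directory is consulted only at login, project access is decided from the group snapshot held in the repository, and a user removed from the AD group keeps access until the next group sync. All class, user, group and project names are constructed for illustration.

```python
# Simplified model of the flow described in the thread; not Tableau Server code.
# Class, user, group and project names are constructed for illustration.
class Directory:
    """Stand-in for Active Directory: credentials and live group membership."""
    def __init__(self, passwords, groups):
        self.passwords, self.groups = passwords, groups
        self.auth_calls = 0                 # times the directory was asked to authenticate

    def authenticate(self, user, password):
        self.auth_calls += 1
        return self.passwords.get(user) == password

class Server:
    """Stand-in for the server and its repository."""
    def __init__(self, directory):
        self.directory = directory
        self.users = set()                  # usernames only, no passwords
        self.groups = {}                    # group -> member snapshot from last sync
        self.project_groups = {}            # project -> groups granted access
        self.sessions = set()

    def sync_group(self, group):
        members = set(self.directory.groups.get(group, ()))   # copy = snapshot
        self.users |= members
        self.groups[group] = members

    def login(self, user, password):        # authentication: delegated to the directory
        ok = user in self.users and self.directory.authenticate(user, password)
        if ok:
            self.sessions.add(user)
        return ok

    def can_view(self, user, project):      # authorization: repository data only
        allowed = self.project_groups.get(project, ())
        return user in self.sessions and any(user in self.groups.get(g, ()) for g in allowed)

def demo():
    ad = Directory({"alice": "pw-a", "bob": "pw-b"}, {"Finance": {"alice", "bob"}})
    srv = Server(ad)
    srv.sync_group("Finance")
    srv.project_groups["Budget"] = {"Finance"}
    srv.login("bob", "pw-b")
    before = srv.can_view("bob", "Budget")
    ad.groups["Finance"].discard("bob")     # removed in the directory, no sync yet
    stale = srv.can_view("bob", "Budget")   # still allowed from the snapshot
    srv.sync_group("Finance")
    after = srv.can_view("bob", "Budget")
    return before, stale, after, ad.auth_calls
```

In this model the directory is asked to authenticate once, however many projects are opened, and the interval between group syncs is how long a membership removed in AD keeps granting access.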