8 Replies Latest reply on Jun 13, 2016 3:32 PM by Russell Christopher

    Any way to change a users site role via tabcmd?

    Christian Lam

      My goal is to automate changing a users site role to unlicensed if they have been inactive for a certain period of time.
      I will be constructing the script using python and querying the backend postgres database to determine how long it has been since a user was last active.


      As far as changing a users site role, I do not see any commands in tabcmd that is used specifically for this purpose. There is createsiteusers but that required building a csv file and I am not certain it's possible to simply alter a users site role through this command.

      Is there something I am missing? It seems like there should be a specific command to do this, but I can't find it. Does this simple command exist? If not then what is the simplest workaround to achieve this?

      This will be for server 9.2



        • 2. Re: Any way to change a users site role via tabcmd?
          Christian Lam

          So I tried using the createsiteusers command but I constantly get a errorCode=100081. All users on the server i'm working with are from active directory, so it may be a error coming from my end.
          Is there a way to simply use usernames as values instead of a csv file?

          • 3. Re: Any way to change a users site role via tabcmd?

            We have only two ways of Providing authentication , Via AD or .Csv file these are the only two ways I have used .

            • 4. Re: Any way to change a users site role via tabcmd?
              Toby Erkson

              Interesting.  No method that I'm familiar with.  If you make this into an Idea post here and I'll definitely vote for it since it's a cmd function that is missing for more complete scripting automation

              • 5. Re: Any way to change a users site role via tabcmd?
                Christian Lam

                Thanks for the idea to submit this as an idea. You can find it here: Ability to change user site role via tabcmd

                • 6. Re: Any way to change a users site role via tabcmd?
                  Toby Erkson

                  Christian, you can vote for your own Idea

                  • 7. Re: Any way to change a users site role via tabcmd?
                    Rick Kunkel

                    A few notes here:


                    • createsiteusers will work to overwrite roles.  I just tried it.  The error you're getting might be something else.
                    • syncgroup will also work to overwrite roles.  I know this one from experience.
                    • However -- gotcha here -- "If a user already exists in a Tableau Server site, the site role assigned during the import or sync process will be applied if it gives the user more access in a site. Importing or synchronizing users and groups will promote a user's site role, but not demote a user's site role."  In other words, what's wanted in your case (demotion) doesn't work by default.  But read on.
                    • The syncgroup command has an "--overwritesiterole" switch which WILL let users be demoted.  That would work for your use case of making users unlicensed.  However, "--overwritesiterole" only works for syncgroup, and not for createsiteusers.


                    There might be something you can think of through some combination of removing and then syncgroup that will accomplish what you want.

                    Otherwise, it seems to me that adding "overwritesiterole" (or something like it) to the createsiteusers command (and maybe the createusers command as well) could accomplish what you want.  I'll add this to your ideas post.


                    On a final note, if this is possible with the REST API (and it sounds like it is), I'd shoot for that method if you can.  It's bound to be more well-supported and flexible in the long term.  I've used curl to interact with it an a very manual fashion, and I'm sure it could be done programmatically with not too much effort.

                    • 8. Re: Any way to change a users site role via tabcmd?
                      Russell Christopher

                      Yeah, the UpdateUser method of the REST API will be better for this sort of work:


                      Update User

                      Modifies information about the specified user.

                      If Tableau Server is configured to use local authentication, you can update the user's name, email address, password, or site role.

                      If Tableau Server is configured to use Active Directory for authentication, you can change the user's display name (full name), email address, and site role. However, if you synchronize the user with Active Directory, the display name and email address will be overwritten with the information that's in Active Directory.

                      Any combination of the elements inside the <user> element is valid. Only those elements present will result in updates to their values for the user. If no elements are present, the update will not take effect.


                      PUT /api/api-version/sites/site-id/users/user-id

                      Parameter Values

                      api-versionThe version of the API to use, such as 2.2. For more information, see REST API Versions.
                      site-idThe ID of the site that contains the user.
                      user-idThe ID of the user to update.

                      Request Body

                      <tsRequest> <user fullName="new-full-name" email="new-email" password="new-password" siteRole="new-site-role" authSetting="new-auth-setting" /> </tsRequest>

                      Attribute Values

                      new-full-name(Optional) The new name for the user. Users can change names without affecting the groups they belong to.
                      new-email(Optional) The new email address for the user.
                      new-password(Optional) The new password for the user.
                      new-site-role(Optional) The new site role. Valid role names are Interactor, Publisher, SiteAdministrator,Unlicensed, UnlicensedWithPublish, Viewer, and ViewerWithPublish.

                      Note: You cannot use the REST API to set a user to be a server administrator (ServerAdministrator site role).

                      new-auth-setting(Optional) The new authentication type for the user. You can assign the following values for this attribute: SAML (the user signs in using SAML) or ServerDefault (the user signs in using the authentication method that's set for the server). These values appear on the User page in Tableau Online—the SAML attribute value corresponds to Single sign-on, and theServerDefault value corresponds to TableauID.

                      Note: This setting is available only if you are using Tableau Online.


                      This method can only be called by server administrators or site administrators.

                      Response Code


                      Response Body

                      <tsResponse> <user name="user-name" fullName="new-full-name" email="new-email" siteRole="new-site-role" authSetting="new-auth-setting" /> </tsResponse>

                      The authSetting attribute is returned only if you are using Tableau Online.


                      Version 1.0 and later. For more information, see REST API Versions.


                      HTTP statuserror CodeConditionDetails
                      400400000Bad requestThe content of the request body is missing or incomplete, or contains malformed XML.
                      400400000Invalid email addressThe email attribute does not contain a valid email address.
                      403403009Licensing update on self forbiddenA user cannot update their own licensing role.
                      403403009Guest update forbiddenThe Guest user is a special user and cannot be updated.
                      403403009Server administrator update forbiddenOnly non-administrator users and site admininistrator users can be updated.
                      400400013Invalid site roleThe value of the siteRole attribute must beInteractor, Publisher, SiteAdministrator,Unlicensed, UnlicensedWithPublish, Viewer, orViewerWithPublish.
                      404404000Site not foundThe site ID in the URI doesn't correspond to an existing site.
                      404404002User not foundThe user ID in the URI doesn't correspond to an existing user.
                      405405000Invalid request methodRequest type was not PUT.
                      409409000User conflictThe user with the specified name is already registered on the site in the same domain.
                      409409014Licensing conflictThe request is attempting to update the user to a licensing role that has insufficient capacity.

                      For more information, see Handling Errors.