1 Reply Latest reply on Jul 26, 2017 3:26 AM by lenaic.ridinger

    Understanding the Difference with Local Groups vs AD Groups

    Amy Garcia

      Hello All,


      I am trying to understand the differences between local groups and active directory groups. I have recently been tasked with ensure our groups are synchronizing. I have managed to figure out how to synchronize our AD group and even set up a schedule to run weekly. The issue I am facing is with the local groups. I am not able to synchronize this manually and nor do I know how this is maintained.


      Let's walkthrough a scenario.


      Steve Garcia is part of domain 123 her account has been converted to a new domain and her name has been updated

      Steven Garcia is now part of domain 456.


      In order for Steve to still have access to his reports I need to manually import "Steven Garcia" because he is only a member of All Users (local group) which I cannot manually synchronize.


      This issue is creeping up on us and I am not sure how to get this local group in sync. Can you someone provide some insight on this?





      Amy Garcia


        • 1. Re: Understanding the Difference with Local Groups vs AD Groups

          Hi Amy Garcia,


          I have found this message from John Mathis which thoroughly explain this topic


          The first piece to understand is distinguishing user management from user authentication. User Management controls which users are a part of your Tableau Server and how their credentials are maintained. User Authentication is the mechanism by which Tableau Server validates who they say they are.

          When you are installing Tableau Server and have this option you are selecting how you wish to manage your users. It is important to note that this has such widespread implications that once selected it cannot be changed.

          Local Authentication
          User accounts (including usernames and passwords) are created and managed on the Tableau Server itself. There are ways to automate this using administrator commands but the key point is the users on the Tableau Server are local to the server itself and will have a separate login and password.

          Active Directory
          When selecting this option you must configure Tableau to connect to your Microsoft Active Directory. The users of Tableau are now controlled and managed via the directory and do not have a separate set of credentials. There are administration commands to leverage groups and synchronization.

          Both methods of user management also have their own method of authentication. With Active Directory, when users access Tableau, they are authenticating against the active directory. Tableau hands the user off to the AD and receives the response. With Local Authentication, Tableau actually checks the username and password against the local user accounts and either grants or denies access.

          In addition to these two authentication options, there are two additional authentication options that can be used in conjunction with either AD or local user management.

          Trusted tickets let you designate a different server to perform the authentication. Once complete Tableau 'trusts' this other server and grants access to anyone it deems authenticated. Regardless of the user management method used, a user must have an account to be authenticated. This is commonly used to embed visualizations in other tools such as Sharepoint.

          SAML is a new feature in Tableau 8.1 which let's you call an Identity Provider to authenticate the user. Again SAML does not manage users, but can be used as an authentication tool for AD and Local User management. It also has the benefit that it can support multiple identity providers enabling external users to authenticate without added 3rd party people to internal systems.



          Lénaïc RIÉDINGER, Global Community Engineer Tableau

          Tableau Community Forums | Knowledge Base

          If you see a Helpful or Correct response, please mark it thanks to the buttons below the targeted post!