4 Replies Latest reply on Jul 21, 2017 10:55 AM by Charles Ayotte-Trépanier

    Management of Tableau Server without Local Admin rights on the OS

    Nathan Miller

      I am working on some questions about division of responsibilities around management of Tableau Server and have run into a question that I'm having trouble finding documentation around.  In short - the "Server" (hardware, OS) and "Tableau Server" (the application installed on the server) may be owned by separate groups.  The first group does not have the skillsets or resourcing to manage the Tableau Server application, and the second group is not allowed to have local admin rights on the server OS.   The only definitive statement that I've found so far about a requirement for OS level Local Admin rights is associated with the installation of the Tableau Server software on the server.  This is a non-issue as it is the ongoing configuration and management of the Tableau Server application that is in flux.   Having the team that owns the OS do the initial install as well as patching / upgrades is not a problem.

       

      Can someone point me to any documentation that clearly defines what a "Tableau Server Administrator" can and can not do on the Tableau Server application without OS level local admin rights?

       

      Thanks in advance...

        • 1. Re: Management of Tableau Server without Local Admin rights on the OS
          Tom W

          You should be able to do pretty much everything as set out in the Tableau help without access to the OS or admin rights to the OS. The services which run on the server would be correctly configured to run using accounts with the proper privileges.

          As you look through that guide it should be pretty obvious - anything "within" Tableau on the web application you will be able to do just fine. Anything outside of that which looks like the configuration is being done in windows, will potentially require assistance of the networking team. Once you've installed and configured once though, you shouldn't need to do much / if anything outside of the web application itself.

          • 2. Re: Management of Tableau Server without Local Admin rights on the OS
            Nathan Miller

            Thanks Tom.   We have "Server Administrator" rights on the server and have used these through the web UI. I should have been more specific.   I'm talking about the use of tabadmin, the Tableau Server Configuration utility, tabcmd, and their respective functionalities.    

             

            We've not yet been able to access this environment and are working to determine what we can and cannot do without local admin rights on the host.

             

            Thanks again...

            • 3. Re: Management of Tableau Server without Local Admin rights on the OS
              Tom W

              tabcmd and the config utility are really the only two things "outside" of the web application I can think of that you would need.

               

              tabcmd doesn't have to run on the server, you could launch it / use it on another server, or another desktop even. Using it locally, you probably just need permission to execute a batch file and execute the tabcmd.exe in "run as adminstrator" mode.

              Same for tabadmin if you chose to use the command line.

               

              I think generally you just want to make sure your admin team give you permission to execute and run everything contained in Start > All Programs > Tableau Server 10.3

              • 4. Re: Management of Tableau Server without Local Admin rights on the OS
                Charles Ayotte-Trépanier

                Hi Nathan,

                 

                Here's the actions I can remember doing in the last year that required me to log into the OS:

                • Upgrades
                • Backups
                • Configure SSL
                • Enabling JMX counters for Tabjolt
                • Whitelisting web connectors
                • Restarting server if a process is down and not coming back
                • Set/modify the ip of a process

                 

                I think your 'Server' team should be handling all of that anyway.

                 

                For the other tasks, as Tom mentionned, your user with 'Tableau Administrator' permissions will be able to use the browser, and also TABCMD and the REST API to script automate/tasks.

                 

                Also,allow your 'Tableau Administrator' to be able to log into the tableau server repository with the 'readonly' user.

                 

                Hope that helps!