2 Replies Latest reply on Apr 27, 2018 2:24 PM by Brandyn Moody

    User permission changed by any administrators

    John MaliackalVarkey

      Hi,

       

      In our environment there are 3 administrators working in different time zones. There is a chance that an administrator has changed the access of a user from Publisher to Interactor and forgot to inform the other 2 administrators. Would it be possible to check the Tableau logs to understand which administrator changed the access of a user from Publisher to Interactor?

      This will help to educate the other administrators.

       

      Thanks,

      John MV

        • 1. Re: User permission changed by any administrators
          patrick.byrne.0

          Hello John,

           

          This is not a feature that is currently built into Tableau Server. My suggestion would be to open communication between the admins and create best practices for user permission changes, user additions, and user removals.

           

          An idea could be submitted to have this information readily available to other Tableau Server administrators.

           

          + Ideas

           

          Hope this helps!

           

          Cheers,

          Byrne, Patrick

          • 2. Re: User permission changed by any administrators
            Brandyn Moody

            Patrick is completely correct; this is not a feature built in to Tableau Server currently. And post-hoc investigation of this kind of thing is no replacement for good communication and a well-defined process.

             

            But there is a (hacky) way to do this.  It will not provide perfect resolution, you can't see exactly which changes were made, but it will give you most of what you want.

             

            So you would need to know the general time frame of when the change was made.  Then we open the "VizPortal#.log" file located at C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal\ .  (Change the # to a number, if you have more than one VizPortal process, you may need to search multiple log files.)

             

            Then search for "updateUsersSiteRole".  You should get a hit that looks something like the lines below, which were taken from my Tableau Server.  Anything in <> is a substitution that I put there to obscure my real username or to make it easier to understand.

             

            <Date+Timestamp>  (<SiteName>,<Username>,<SessionID>,<ApacheID>) catalina-exec-5 : INFO  com.tableausoftware.instrumentation.InstrumentationUtil - Instrumenting 'public com.tableausoftware.api.webclient.viewmodels.BatchedUserIdActionResultViewModel com.tableausoftware.api.webclient.impl.WebClientUserAppService.updateUsersSiteRole(com.tableausoftware.domain.user.IAuthenticatedUser, java.util.List, java.lang.String)' as 'com.tableausoftware.instrumentation:00=api,01=webClient,name=updateUsersSiteRole'.

             

            So for instance, the first part of the example above without any changes would look like -

             

            2018-04-27 11:45:43.003 -0700 (TestSite,Brandyn'sUsername,Mkyq9KTOH1zn9E6m1HGumdUzwv27GQya,WuNv1wrUDB4AABbITnUAAAE9) catalina-exec-5 :

             

            So that gives us the username of the person who did the changing.  But who did they change, and to what?  That's on the next lines:

             

            <Date+Timestamp>  (<SiteName>,<Username>,<SessionID>,<ApacheID>) catalina-exec-5 : INFO  com.tableausoftware.domain.user.service.InternalUserActions - Site role was updated to SiteAdministrator for user <OtherUser> in domain <MyDomainName>

            <Date+Timestamp>  (<SiteName>,<Username>,<SessionID>,<ApacheID>)  catalina-exec-5 : INFO  com.tableausoftware.domain.user.service.InternalUserActions - User '<OtherUser>' has been given role 'SITE_ADMIN' on site '<SiteName>'

             

             

            IMPORTANT CAVEAT: Changing a user to or from Server Admin will not show up with this method.  Instead, search for "Request received: /v1/updateUsersAdminStatus".  Below this line, there will be others that have a similar logging structure, so you can see who did it and when.  It will also list whether we are giving or revoking System Admin privileges.

             

            Hope this helps!

            1 of 1 people found this helpful
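
The search described in reply 2, automated as an added example (not part of the original replies and not Tableau's own tooling): it reads VizPortal log lines, takes the acting username from the parenthesised prefix, and reports each "Site role was updated to" line and each "Request received: /v1/updateUsersAdminStatus" line, optionally limited to a time window. The sample lines, usernames and the `placeholder.Logger` name are constructed, and the prefix of the updateUsersAdminStatus line is assumed to match the layout shown in the reply.

```python
import re
import sys
from datetime import datetime

# Prefix layout from the reply:
# <timestamp> (<site>,<username>,<session>,<request id>) <thread> : <level> <logger> - <message>
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"\((?P<site>[^,]*),(?P<actor>[^,]*),(?P<session>[^,]*),(?P<request>[^)]*)\)\s+"
    r"\S+\s*:\s*\w+\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
ROLE = re.compile(r"Site role was updated to (?P<role>\S+) for user (?P<target>.+?) in domain \S+$")
ADMIN_REQ = "Request received: /v1/updateUsersAdminStatus"  # Server Admin changes

def find_role_changes(lines, start=None, end=None):
    """Return who changed a role and when; start/end are timezone-aware datetimes."""
    events = []
    for line in lines:
        m = LINE.match(line.rstrip("\r\n"))
        if not m:
            continue  # stack traces and lines in other formats
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
        if (start and when < start) or (end and when > end):
            continue
        event = {"when": when, "site": m["site"], "actor": m["actor"]}
        role = ROLE.search(m["msg"])
        if role:
            events.append({**event, "kind": "site_role", "target": role["target"], "role": role["role"]})
        elif ADMIN_REQ in m["msg"]:
            # Assumption: this line carries the same prefix; details are on the lines after it.
            events.append({**event, "kind": "server_admin", "target": None, "role": None})
    return events

# Constructed sample lines (names, IDs and the last logger are placeholders, not real log data).
SAMPLE = [
    "2018-04-27 11:45:43.003 -0700 (TestSite,admin_a,SESSION1,REQ1) catalina-exec-5 : INFO  com.tableausoftware.instrumentation.InstrumentationUtil - Instrumenting '...' as '...,name=updateUsersSiteRole'.",
    "2018-04-27 11:45:43.120 -0700 (TestSite,admin_a,SESSION1,REQ1) catalina-exec-5 : INFO  com.tableausoftware.domain.user.service.InternalUserActions - Site role was updated to SiteAdministrator for user other_user in domain local",
    "2018-04-27 11:45:43.121 -0700 (TestSite,admin_a,SESSION1,REQ1)  catalina-exec-5 : INFO  com.tableausoftware.domain.user.service.InternalUserActions - User 'other_user' has been given role 'SITE_ADMIN' on site 'TestSite'",
    "    at placeholder.stack.Frame(Unknown Source)",
    "2018-04-27 23:10:05.500 -0700 (,admin_b,SESSION2,REQ2) catalina-exec-7 : INFO  placeholder.Logger - Request received: /v1/updateUsersAdminStatus",
]

if __name__ == "__main__":
    # Pass one or more vizportal log files; with no arguments the sample is used.
    lines = [l for p in sys.argv[1:] for l in open(p, encoding="utf-8", errors="replace")] or SAMPLE
    for e in find_role_changes(lines):
        print(e["when"].isoformat(), e["actor"], e["kind"], e["site"], e["target"], e["role"])
```

Run it against every VizPortal#.log file in the vizportal log directory, since the change may have been handled by any of the VizPortal processes.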