This is not a feature that is currently built into Tableau Server. My suggestion would be to open communication between the admins and create a best practices for user permissions changes, user additions, and user removals.
An idea could be submitted to have this information readily available to other Tableau Server administrators.
Hope this helps!
1 of 1 people found this helpful
Patrick is completely correct, this is not a feature built in to Tableau Server currently. And post-hoc investigation of this kind of thing is no replacement for good communication and a well defined process.
But there is a (hacky) way to do this. It will not provide perfect resolution, you can't see exactly which changes were made, but it will give you most of what you want.
So you would need to know the general time frame of when the change was made. Then we open the "VizPortal#.log" file located at C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal\ . (Change the # to a number, if you have more than one VizPortal process, you may need to search multiple log files.)
Then search for "updateUsersSiteRole". You should get a hit that looks something like the lines below, which were taken from my Tableau Server. Anything in <> is a substitution that I put there to obscure my real username or to make it easier to understand.
<Date+Timestamp> (<SiteName>,<Username>,<SessionID>,<ApacheID>) catalina-exec-5 : INFO com.tableausoftware.instrumentation.InstrumentationUtil - Instrumenting 'public com.tableausoftware.api.webclient.viewmodels.BatchedUserIdActionResultViewModel com.tableausoftware.api.webclient.impl.WebClientUserAppService.updateUsersSiteRole(com.tableausoftware.domain.user.IAuthenticatedUser, java.util.List, java.lang.String)' as 'com.tableausoftware.instrumentation:00=api,01=webClient,name=updateUsersSiteRole'.
So for instance, the first part of the example above without any changes would look like -
2018-04-27 11:45:43.003 -0700 (TestSite,Brandyn'sUsername,Mkyq9KTOH1zn9E6m1HGumdUzwv27GQya,WuNv1wrUDB4AABbITnUAAAE9) catalina-exec-5 :
So that gives us the username of the person who did the changing. But who did they change, and to what? That's on the next lines:
<Date+Timestamp> (<SiteName>,<Username>,<SessionID>,<ApacheID>) catalina-exec-5 : INFO com.tableausoftware.domain.user.service.InternalUserActions - Site role was updated to SiteAdministrator for user <OtherUser> in domain <MyDomainName>
<Date+Timestamp> (<SiteName>,<Username>,<SessionID>,<ApacheID>) catalina-exec-5 : INFO com.tableausoftware.domain.user.service.InternalUserActions - User '<OtherUser>' has been given role 'SITE_ADMIN' on site '<SiteName>'
IMPORTANT CAVEAT: Changing a user to or from Server Admin will not show up with this method. Instead, search for "Request received: /v1/updateUsersAdminStatus". Below this line, there will be others that have a similar logging structure, so you can see who did it and when. It will also list whether we are giving or revoking System Admin privileges.
Hope this helps!