1 of 1 people found this helpful
1. Can this account be a service account? or, it has to be a user account?
a. It can be any account until unless that user has the certain functionalities like explained below
if Tableau Server needs to access other servers, file shares, or databases that use Windows authentication, then the account that is configured for Run As service account will be used to access those resources. The account that is configured for Run As service account must also have elevated permissions to the local Tableau Server. A general best security practice is to limit the scope of all user accounts to the minimum required permissions.
2. Does this account need to be in same active directory in which the server is? or, can we specify fully qualified user name (domain\user name) while configuring Admin account? Users in one domain can log into other domain machine, when logging with domain + user name info in case of a typical Windows system. But, does Tableau Server understand same convention?
Yeah You can give the username along with the domain which FQDN\USERNAME best use case would use the same domain user as same server where you are installing
These are the best practices
Create a dedicated account in Active Directory for the Tableau Server Run As service account. In other words, don’t use an existing account. By using a dedicated account you can be sure that the data resources that you permission for Tableau Server are only accessible by Tableau Server Run As service account.
- Do not use an account with any kind of domain administrative permissions. Specifically, when you create an account in Active Directory, create an account in the domain User Group. Do not add the account that you create to any Active Directory security groups that needlessly elevate the permissions for the account.
- Permission the data sources in your directory for this one account. The account that you’ll use for Run As service account only needs Read access to the appropriate data sources and network shares.
- If users in your organization authenticate with smart cards, disable the smart card logon option for the Run As service account.
Hope this helps kindly mark this answer as correct or helpful so that it will help Others
My opinion is:
1. Yes, can be.
2. You can use fully qualified user name.
Thanks, Naveen for detailed response.
But, my question is NOT for 'Run As Service' account but for the Admin account - the administrator account that I will be configuring via browser after the server installation and basic configuration is complete. Can this be a service account instead of a user account?
Tableau documentation says, "If you have configured the Tableau Server identity store to use LDAP or Active Directory, then the initial administrative user that you specify must be an account in the directory. "
Now, this account in the directory, can this be a service account? From Windows Active Directory point of view, service account and a user account are different.
What does Tableau Server need? Will a service account acting as an Admin account suffice?
Now, coming back to 'Run As Service' account as you have already mentioned it. Again, can this be a service account? The details that you mention from Tableau documentation does not specify clearly if a service account will work or not.
Your answer is for admin account or Run As Service account?
My question is for admin account so want to clarify and make sure.
I think it´s necessary be a user account in AD.
Because the user need have the administrator rules.