tabadmin set options
tabadmin set to change configuration options, you need to run a
tabadmin config command to update configuration files on all Tableau Server nodes.
||Allows access to the Tableau Server REST API. By default, this functionality is enabled.|
||Allows access to the PostgreSQL (Tableau Server's own database) historical auditing tables. See Collect Data with the Tableau Server Repository for details.|
||Controls the caching of workbook query results after scheduled extract refresh tasks. See Configure Workbook Performance after a Scheduled Refresh.|
|backgrounder.externalquerycachewarmup.view_threshold||2.0||The threshold for caching workbook query results after scheduled extract refresh tasks. The threshold is equal to the number of views that a workbook has received in the past seven days divided by the number of refreshes scheduled in the next seven days. See Configure Workbook Performance after a Scheduled Refresh.|
|backgrounder.extra_timeout_in_seconds||1800||The number of seconds beyond the setting in
|backgrounder.failure_threshold_for_run_prevention||5||The number of consecutive failures of a subscription or extract job before that job is suspended. Suspending continuously failing jobs helps preserver backgrounder resources for other jobs.
To disable suspension of failing background tasks, set this to
Note: To reenable a suspended job, click Try again from the alert menu, or republish the data source or a workbook using the data source, or change the connection properties of the data source.
|backgrounder.querylimit||7200||Longest allowable time, in seconds, for completing a single extract refresh task or subscription task. 7200 seconds = 2 hours.
Note: If a background task reaches this time limit, it may continue to run for an additional several minutes while being canceled.
|| Controls when to run background tasks that were scheduled to run at a time when the server was stopped. When set to
||Controls whether extract refresh alerts are enabled for all sites on the server. By default alerts are enabled. To disable extract refresh alerts for all sites on a server, set this to
Extract alerts can be enabled or disabled on a site basis by site administrators in site settings, or at the user level in user settings.
|backgrounder.sort_jobs_by_run_time_history_observable_hours||-1||Controls the time window used when determining duration of the last full extract job.
Tableau Server can sort full extract refresh jobs so they are executed based on the duration of their "last run," executing the fastest full extract refresh jobs first.
The "last run" duration of a particular job is determined from a random sample of a single instance of the full extract refresh job in last <n> hours. Full extract jobs are then prioritized to run in order from shortest to longest based on their "last" run duration. By default this is sorting is disabled (-1). If enabling this, the suggested value is 36 (hours).
Controls the time window that identifies backgrounder jobs which are determined to have the same scheduled start time.
The backgrounder process orders work that is scheduled at the same time to be executed by job type, running the fastest category of jobs first: Subscriptions, then Incremental Extracts, then Full Extracts.
Jobs are batched to determine which jobs are scheduled at the “same time”. A value 60,000 milliseconds (the default) indicates jobs for schedules starting within a 1 minute window should be classified in the same batch and so are ordered by type within that batch.
Controls whether backgrounder will cache images that are generated for subscriptions. Cached images do not have to be regenerated each time so caching improves subscription performance. By default image caching is enabled. To disable image caching for all sites on a server, set this to
||The list of tasks that can be canceled if they run longer than the combined values in
||In a high availability environment, controls whether failover of the PostGRES repository occurs automatically (the default). When set to
|clustercontroller.zk_session_timeout_ms||300000||The length of time, in milliseconds, that Cluster Controller will wait for the Coordination Service (ZooKeeper), before determining that failover is required.|
The frequency, in minutes, at which Tableau Server checks to determine if data-alert conditions are true.
(The server also checks whenever extracts related to data alerts are refreshed.)
|dataengine.port||27042||Port that the data engine runs on.|
|dataserver.port||9700||Port that the data server runs on.|
Determines whether Tableau Server will make additional queries to get updated schema data for a published data source when there have been changes in the underlying schema structure. This is disabled by default for performance reasons, and there is a delay in the display of schema changes. If you want changes in the schema of a live published data source to be reflected quickly, or if you see errors ( for example, "An error occurred while communicating with the data source: Invalid column name. Statement could not be prepared.") set this to
||Controls whether data-driven alerts are enabled for users on the server.|
||Controls whether Desktop License Reporting is enabled on the server. When set to
||The HTTP Strict Transport Security (HSTS) header forces browsers to use HTTPS on the domain where it is enabled.|
||By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS.|
The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.
A low value for
We recommend setting
||The X-Content-Type-Options response HTTP header specifies that the MIME type in the Content-Type header should not be changed by the browser. In some cases, where MIME type is not specified, a browser may attempt to determine the MIME type by evaluating the characteristics of the payload. The browser will then display the content accordingly. This process is referred to as "sniffing." Misinterpreting the MIME type can lead to security vulnerabilities. The X-Content-Type-Options HTTP header is set to 'nosniff' by default with this option.|
||The HTTP X-XSS-Protection response header is sent to the browser to enable cross-site scripting (XSS) protection. The X-XSS-Protection response header overrides configurations in cases where users have disabled XXS protection in the browser. The X-XSS-Protection response header is enabled by default with this option.|
|gateway.public.host||Name of the machine||The name (URL) of the server, used for
external access to Tableau Server. If Tableau Server is configured
to work with a proxy server or external load balancer, it is the name entered in a browser address bar to reach Tableau Server. For example, if Tableau Server is reached by
|gateway.public.port||80 (443 if SSL)||Applies to proxy server environments only. The external port the proxy server listens on.|
||Enabling this can provide some help in protecting against slow POST (Denial-of-Service) attacks by timing out POST requests that transfer data at extremely slow rates. Note: This will not eliminate the threat of such attacks, and could have the unintended impact of terminating slow connections.|
|gateway.timeout||1800||Longest amount of time, in seconds, that the gateway will wait for certain events before failing a request (1800 seconds = 30 minutes).|
|gateway.trusted||IP address of proxy server machine||Applies to proxy server environments only. The IP address(es) or host name(s) of the proxy server.|
|gateway.trusted_hosts||Alternate names of proxy server||Applies to proxy server environments only. Any alternate host name(s) for the proxy server.|
||Controls whether Tableau Server can add firewall rules. When set to
|java.heap.size||128m||Size of heap for Tomcat (repository and solr). This generally does not need to change except on advice from Tableau.|
|monitoring.dataengine.connection_timeout||30000||The length of time, in milliseconds, that Cluster Controller will wait for the data engine, before determining that a connection timeout occurred. The default is 30,000 milliseconds (30 seconds).|
|native_api.connection.limit.<connection class>||Set parallel query limit for the specified data source (connection class). This overrides the global limit for the data source.|
|native_api.connection.globallimit||16||Global limit for parallel queries. Default is 16 except for Amazon Redshift which has a default of 8.|
Use the legacy name format for constrained delegation.
The name format was changed in version 10.1 to allow cross-domain protocol transition (S4U). If this causes problems with existing configurations and you don't need cross-domain protocol transition, configure Tableau Server to use the old behavior by setting this to
||Applies only to servers that use local authentication. Set to
|pgsql.port||8060||Port that PostgreSQL listens on.|
|pgsql.verify_restore.port||8061||Port used to verify the integrity of the PostgreSQL database. See Verify the Tableau Postgres Database for more information.|
||Shows users server content that’s popular with others at your organization, such as frequently used tables.|
||Specifies the maximum number of refresh tokens that can be issued for each user. If user sessions are expiring more quickly than you expect, either increase this value or set it to
|rsync.timeout||600||Longest allowable time, in seconds, for completing file synchronization (600 seconds = 10 minutes). File synchronization occurs as part of configuring high availability, or moving the data engine and repository processes.|
||Controls whether a schedule name displays when creating a subscription or extract refresh (the default), or the "schedule frequency description" name describing the time and frequency of the schedule displays. To configure Tableau Server to display timezone-sensitive names for schedules, set this value to
When true, the "schedule frequency description" is also displayed after the schedule name on the schedule list page.
||Shows the "schedule frequency description" in the timezone of the user when true (uses the client browser timezone to calculate the "schedule frequency description").|
Determines whether or not Tableau Server will automatically start when operating system of the computer Tableau Server is running on is restarted.
Valid options are
Set this to
|service.max_procs||# of processes||Maximum number of server processes.|
||Determines whether or not Tableau Server will attempt to dynamically remap ports when the default or configured ports are unavailable. Setting to
||Makes client sessions valid only for the IP address that was used to sign in. If a request is made from an IP address different from that associated with the session token, the session token is considered invalid.
In certain circumstances—for example, when Tableau Server is being accessed by computers with known and static IP addresses—this setting can yield improved security.
Note: Consider carefully whether this setting will help your server security. This setting requires that the client have a unique IP address and an IP address that stays the same for the duration of the session. For example, different users who are behind a proxy might look like they have the same IP address (namely, the IP address of the proxy); in that case, one user might have access to another user's session. In other circumstances, users might have a dynamic IP address, and their address might change during the course of the session. If so, the user has to sign in again.
||Controls whether you can you can get images for views with the REST API. For more information, see the REST API Reference in the REST API help.|
|solr.rebuild_index_timeout||3600||When Tableau Server is upgraded or when a .tsbak file is restored, the background task rebuilds the search index. This setting controls the timeout setting for that task (3600 seconds = 60 minutes).|
The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the Tableau Server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.
Triple-DES is enabled by default on the version of OpenSSL that is running on Tableau Server. However, other deprecated cipher suites (MD5 and RC4) are disabled. To add Triple-DES to the list of disabled ciphers, set ssl.ciphersuite to:
Specifies the method to be used for retrieving the user name from the certificate.
The default depends on how Tableau Server is configured for user authentication:
Tableau Server does not allow external clients to use SSL v2 or SSL v3 protocols to connect. We recommend that you only allow external clients to connect to Tableau Server with TLS v1.2.
Specially, we recommend that you disable TLS v1 and TLS v1.1 on Tableau Server. However, before you disable a specific version of TLS, verify that the browsers that your users connect to Tableau Server with support TLS v1.2. In some cases, you may need to preserve support for TLSv1.1.
If you do not need to support TLS v1.2, then we recommend setting ssl.protocols to
This command enables TLS v1.2 (using the "all" parameter) and disables SSL v2, SSL v3, TLS v1, and TLS v1.1 (by prepending the minus [-] character to a given protocol).
|ssl.revocation.file||Specifies the file path for an SSL CA Certificate Revocation List (CRL) file.
||Controls whether subscriptions are configurable system-wide. See Set Up a Server for Subscriptions.|
|subscriptions.timeout||1800||Longest allowable time, in seconds, for a single view in a workbook subscription task to be rendered before the task times out. This value applies separately to each view in the workbook, so the total length of time to render all the views in a workbook (the full subscription task) may exceed this timeout value. 1800 seconds = 30 minutes.|
|tomcat.http.maxrequestsize||16380||The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.
A low value for
We recommend setting
|tomcat.https.port||8443||SSL port for Tomcat (unused).|
|tomcat.server.port||8085||Port that tomcat listens on for shutdown messages.|
||Specifies whether email addresses and display names of users are changed (even when changed in Active Directory) when an Active Directory group is synchronized in Tableau Server. To ensure that user email addresses and display names are updated during synchronization, set
||Specifies whether indexing of site users is done user by user when importing or deleting users with a CSV file. When set to
||The logging level for vizportal Java components. Logs are written to
Specifies custom client authentication method for OpenID Connect.
To configure Tableau Server to use the Salesforce IdP, set this value to
||In Tableau Server 10.3, set to
||Change this value if your IdP does not use the
||Set this to
Set this to
Before you proceed, review the user names that will be used as a result of setting
|vizportal.openid.static_file||file path||Specifies the local path to the static OIDC discovery JSON document. See Configure Tableau Server for OpenID Connect.|
|vizportal.openid.username_claim||Change this value to the IdP claim that your organization will use to match usernames as stored in Tableau Server. For more information, see Requirements for Using OpenID Connect.|
Specifies the origins (sites) that are allowed access to the REST API endpoints on Tableau Server when
Note: You could also use an asterisk (*) as a wild card to match all sites. This is not recommended as it allows access from any origin that has access to the server and could present a security risk. Do not use an asterisk (*) unless you fully understand the implications and risks for your site.
||Controls whether Tableau Server allows Cross Origin Resource Sharing (CORS). When set to
|vizportal.rest_api.view_image.max_age||720||The amount of time, in minutes, to cache images that are generated by the Query View Image method of the REST API. For more information, see the REST API Reference in the REST API help.|
||Allows a workbook to be published to the server from Tableau Desktop, and to be opened from the server, even if the workbook contains SQL or R expressions that are potentially unsafe (for example, a SQL expression that
could potentially allow SQL injection). When this setting is
||Views under the threshold set by
|vizqlserver.browser.render_threshold||100||The default value (100) represents a high level of complexity for a view displayed on a PC. Complexity factors include number of marks, headers, reference lines, and annotations. Views that exceed this level of complexity are rendered by the server instead of in the PC's web browser.|
|vizqlserver.browser.render_threshold_mobile||60||The default value (60) represents a high level of complexity for a view displayed on a tablet. Complexity factors include number of marks, headers, reference lines, and annotations. Views that exceed this level of complexity are rendered by the server instead of in the tablet's web browser.|
||Determines whether or not VizQL sessions are kept in memory when a user navigates away from a view or closes their browser. The default value (false) keeps sessions in memory. To close VizQL sessions on leaving a view or closing a browser, set this to
|vizqlserver.extsvc.connect_timeout_ms||1000||Extends the timeout value, in milliseconds, for connections to Microsoft’s RServer. Raise the value of this setting if Tableau is timing out before the server can respond.|
Specifies an external service host.
Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.host. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.
This setting, and the other vizqlserver.extsvc settings, support external service functionality in workbooks—in particular, R servers and Python servers.
R is an open source software programming language and a software environment for statistical computing and graphics. In Tableau Desktop, you can use a set of four functions to pass R expressions to an Rserve server and obtain a result. If you upload a workbook that uses any of these functions, you should configure Tableau Server for an Rserve connection, by configuring this option and the three following. Otherwise, any worksheets that use R functionality will be unavailable.
See Pass Expressions to External Services in the Tableau Help for further details.
Specifies an external service port. This setting supports R and Python functionality in workbooks.
Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.port. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.
Specifies an external service username. This setting supports R and Python functionality in workbooks. Not all Rserve hosts require a username and password.
Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.username. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.
Specifies an external service password. This setting supports R and Python functionality in workbooks. Not all Rserve hosts require a username and password.
Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.password. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.
|vizqlserver.geosearch_cache_size||5||Sets the maximum number of different geographic search locale/language data sets that can be loaded into server memory at the same time. When the server receives a geographic search request for locale/language data set that is not in memory, it will load the set into memory. If loading the data set will exceed the specified limit, the least recently used locale/language data set is cleared from memory so the requested one can be loaded. The minimum value is 1. Each cache takes approximately 60 MB in memory (so if you set this to 10, the memory usage would be 600 MB (60 * 10).|
||The logging level for vizqlserver Java components. Logs are written to
|vizqlserver.port||9100||Base port for the VizQL servers.|
||When set to
|vizqlserver.querylimit||1800||Longest allowable time for updating a view, in seconds.|
|vizqlserver.session.expiry.minimum||5||Number of minutes of idle time after which a VizQL session is eligible to be discarded if the VizQL process starts to run out of memory.|
|vizqlserver.session.expiry.timeout||30||Number of minutes of idle time after which a VizQL session is discarded.|
||Controls the display of the Tableau Workbook option of the Download menu in views. When set to
||Controls the display of Share options in views. To hide these options, set to false.
The logging level for trusted authentication. The logs are written to
|vizqlserver.trustedticket.token_length||24||Determines the number of characters in each trusted ticket. The default setting of 24 characters provides 144 bits of randomness. The value can be set to any integer between 9 and 255, inclusive. As of Tableau Server 10.3, this option is ignored unless
When set to
Warning: Setting this option to
|vizqlserver.url_scheme_whitelist||Specifies one or more URL schemes to whitelist when using URL actions on views and dashboards. The schemes
The values you specify overwrite previous settings. Therefore, you must include the full list of schemes in the
When this setting is
||When this setting is
||Determines how Tableau Server can run web data connectors. Supported modes are:
Important: Use the
For more information about how to add connectors to a safe list and import connectors, see Web Data Connectors in Tableau Server.
|wgserver.audit_history_expiration_days||183||Specifies the number of days after which historical events records are removed from the PostgreSQL database (the Tableau Server database). See Collect Data with the Tableau Server Repository for details.|
||Controls whether or not Tableau Desktop uses SAML for authentication. Use this option when your IdP does not use forms-based authentication. Valid options are
||Serves as the above setting for the Tableau Mobile app.|
|wgserver.authentication.login||In Tableau Server 10.2 and earlier, set to
||Controls whether users can sign in to Tableau Server using a Tableau Server username and password. This setting is useful in scenarios where users normally sign in to the server using single sign-on (OpenID Connect or Kerberos, for example). In these cases, if
||Controls whether the ownership of a workbook, data source or project can be changed. Other options include
When set to
For more information, see Clickjack Protection.
||The fully qualified domain name of the Active Directory server to use.|
||Enforces IP client matching for trusted ticket requests.|
||Controls whether Tableau Server accepts HTTP OPTIONS requests. If this option is set to
||In Tableau Server 10.3, set to
||Specifies the attribute used by the IdP for SAML authentication. The default is
When enabled, if you are using embedded views and SAML, this suppresses the Tableau Server Sign In button and redirects the user to the IdP for authentication.
This only works if the IdP does not implement clickjack protection. If the IdP sign in page implements clickjack protection, the page will not display and the user cannot sign in. Most SAML IdPs implement clickjack protection and do not allow their sign in page to display in an <iframe> element.
The default is
Important: Using this option disables Tableau Server clickjack protection for SAML, which can present a security risk..
||Specifies whether SAML logout is enabled for Tableau Server. The default is
|wgserver.saml.logout.redirect_url||Specifies the post-logout landing page for SAML authentication. The default is the standard server sign-in page. You can specify an absolute or a relative URL. For more information, see SAML Requirements.|
|wgserver.saml.maxassertiontime||3000||Specifies the maximum number of seconds, from creation, that an assertion is usable.|
|wgserver.saml.maxauthenticationage||7200||Specifies the maximum number of seconds allowed between user's authentication and processing of the AuthNResponse message.|
|wgserver.saml.responseskew||180||Sets the maximum number of seconds difference between Tableau Server time and the time of the assertion creation (based on the IdP server time) that still allows the message to be processed.|
||Controls whether there is a session lifetime for server sessions. Set this to
|wgserver.session.lifetime_limit||1440||The number of minutes a server session lasts if a session lifetime is set. The default is 1440 minutes (24 hours). If
|wgserver.session.idle_limit||240||The number of minutes of idle time before a sign-in to the web application times out.|
|wgserver.trusted_hosts||IP address or host names of web servers that request trusted tickets from Tableau Server. This command can contain multiple comma and space-separated values enclosed by double quotes, as in this
The values you specify overwrite previous settings. Therefore, you must include the full list of hosts in the
||Specifies whether Tableau Server should return a legacy URL format for trusted ticket requests. The legacy URL format includes a 24 character, Base64-encoded string. Beginning with Tableau Server 10.3, the URL that is returned has been updated and includes a Base64-encoded UUID and a 24 character secure random string. Only set option this to
||Specifies whether to extend access to server resources for users authenticated by trusted tickets. Default behavior allows users to access views only. Setting this to
|workerX.gateway.port||80 (443 if SSL)||External port that Apache listens on for workerX. worker0.gateway.port is Tableau Server’s external port. In a distributed environment, worker0 is the primary Tableau Server.|
|workerX.vizqlserver.procs||# of processes||Number of VizQL servers.|
|workerX.vizqlserver.port||9100||Base port for the vizQL server on workerX.|
Specifies the directory and file path for ZooKeeper transaction logs. By default ZooKeeper transaction logs are written to the Tableau data directory (for example
The drive and path apply to all nodes in a cluster. The location will be created if it does not exist. The drive must exist and be writable on all nodes. This should not be a UNC path to a share.
ZooKeeper recommends that transaction logs be written to a dedicated drive to optimize performance.