Was this page helpful?
Yes No

tsm configuration set Options

You can use the following configuration options with the tsm configuration set command.

Essential syntax is:

tsm configuration set -k <config.key> -v <config_value>

After setting a configuration key value you must apply the pending configuration changes using tsm pending-changes apply. Until you do, the new value will not be used by Tableau or show up in the results of a tsm configuration get command. You can view pending changes using tsm pending-changes list. For more information, see tsm pending-changes.

To reset a configuration key back to its default value, use the -d option:

tsm configuration set -k <config.key> -d

Note: Configuration keys are case-sensitive.

Options

adminviews.disabled

Default value: false

Disables access to the Tableau Administrative views. By default, access to views is enabled (this option is set to "false").

api.server.enabled

Default value: true

Allows access to the Tableau Server REST API. By default, this functionality is enabled.

auditing.enabled

Default value: true

Allows access to the PostgreSQL (Tableau Server's own database) historical auditing tables.

backgrounder.externalquerycachewarmup.enabled

Default value: true

Controls the caching of workbook query results after scheduled extract refresh tasks.

backgrounder.externalquerycachewarmup.view_threshold

Default vaule: 2.0

The threshold for caching workbook query results after scheduled extract refresh tasks. The threshold is equal to the number of views that a workbook has received in the past seven days divided by the number of refreshes scheduled in the next seven days.

The following two backgrounder command options determine how long a flow task can run before the flow background task is canceled. These two commands together determine the total timeout value for flow tasks.

backgrounder.extra_timeout_in_seconds

Default value: 1800 or 30 minutes

The number of seconds beyond the setting in backgrounder.querylimit before a background task is canceled. This setting makes sure that tasks do not hold up subsequent jobs if they are stalled. The setting applies to processes listed in backgrounder.timeout_tasks.

backgrounder.default_timeout.run_flow

Default value: 14400 seconds or 4 hours

The number of seconds for a flow run task is canceled.

backgrounder.failure_threshold_for_run_prevention

Default value: 5

The number of consecutive failures of a subscription, extract, or flow run job before that job is suspended. Suspending continuously failing jobs helps preserver backgrounder resources for other jobs. To disable suspension of failing background tasks, set this to -1.

backgrounder.querylimit

Default value: 7200

Longest allowable time, in seconds, for completing a single extract refresh task or subscription task. 7200 seconds = 2 hours.

Note: If a background task reaches this time limit, it may continue to run for an additional several minutes while being canceled.

backgrounder.reset_schedules_on_startup

Default value: true

Controls when to run background tasks that were scheduled to run at a time when the server was stopped. When set to true (the default), tasks are run at their next scheduled time. When set to false, all tasks that were scheduled to run when the server was stopped are run, simultaneously, at server startup, including times when the Tableau Server backup file (.tsbak) is restored.

backgrounder.notifications_enabled

Default value: true

Controls whether extract refresh and flow run alerts are enabled for all sites on the server. By default alerts are enabled. To disable the alerts for all sites on a server, set this to false.

Extract alerts can be enabled or disabled on a site basis by site administrators in site settings, or at the user level in user settings.

backgrounder.sort_jobs_by_run_time_history_observable_hours

Default value: -1

Controls the time window used when determining duration of the last full extract job.

Tableau Server can sort full extract refresh jobs so they are executed based on the duration of their "last run," executing the fastest full extract refresh jobs first.

The "last run" duration of a particular job is determined from a random sample of a single instance of the full extract refresh job in last <n> hours. Full extract jobs are then prioritized to run in order from shortest to longest based on their "last" run duration. By default this is sorting is disabled (-1). If enabling this, the suggested value is 36 (hours).

backgrounder.sort_jobs_by_type_schedule_boundary_heuristics_milliSeconds

Default value: 60000

Controls the time window that identifies backgrounder jobs which are determined to have the same scheduled start time.

The backgrounder process orders work that is scheduled at the same time to be executed by job type, running the fastest category of jobs first: Subscriptions, then Incremental Extracts, then Full Extracts.

Jobs are batched to determine which jobs are scheduled at the “same time”. A value 60,000 milliseconds (the default) indicates jobs for schedules starting within a 1 minute window should be classified in the same batch and so are ordered by type within that batch.

backgrounder.subscription_failure_threshold_for_run_prevention

Default value: 5

Determines the number of consecutive subscription failures that must occur before alerting for a condition is suspended. When set to the default of 5, alerting is suspended after 5 consecutive subscription failures. This threshold is server-wide, so applies to all subscriptions defined on the server.

backgrounder.subscription_image_caching

Default value: true

Controls whether backgrounder will cache images that are generated for subscriptions. Cached images do not have to be regenerated each time so caching improves subscription performance. By default image caching is enabled. To disable image caching for all sites on a server, set this to false.

backgrounder.timeout_tasks

Default value: refresh_extracts,
increment_extracts,
flow runs,
subscription_notify,
single_subscription_notify

The list of tasks that can be canceled if they run longer than the combined values in backgrounder.querylimit and backgrounder.extra_timeout_in_seconds. The list of tasks is delimited with commas. The default list represents all the possible values for this setting.

clustercontroller.zk_session_timeout_ms

Default value: 300000

The length of time, in milliseconds, that Cluster Controller will wait for the Coordination Service (ZooKeeper), before determining that failover is required.

dataAlerts.checkIntervalInMinutes

Default value: 60

The frequency, in minutes, at which Tableau Server checks to determine if data-alert conditions are true.

(The server also checks whenever extracts related to data alerts are refreshed.)

dataAlerts.retryFailedAlertsAfterCheckInterval

Default value: true

Determines how often Tableau Server rechecks failing data alerts. When set to true, the server rechecks failing alerts at the frequency defined by dataAlerts.checkIntervalInMinutes. When set to false, the server rechecks failing alerts every five minutes, more quickly notifying alert recipients if data conditions have changed, but reducing server performance.

(The server also checks whenever extracts related to data alerts are refreshed.)

DataServerRefreshMetadataPerSession

Default value: false

Determines whether Tableau Server will make additional queries to get updated schema data for a published data source when there have been changes in the underlying schema structure. This is disabled by default for performance reasons, and there is a delay in the display of schema changes. If you want changes in the schema of a live published data source to be reflected quickly, or if you see errors ( for example, "An error occurred while communicating with the data source: Invalid column name. Statement could not be prepared.") set this to true. When set to true, Tableau Server makes additional queries to update the schema.

elasticserver.vmopts

Default value: -Xmx256m -Xms256m

Controls the Elastic Server heap size. Tuning these values may help to improve performance. The heap size should usually be less than half of the full machine memory. As a general rule, set initial heap size (-Xms) equal to the maximum heap size (-Xmx) to minimize garbage collections. The default size for these values is measured in bytes. Append the letter 'k' or 'K' to the value to indicate kilobytes, 'm' or 'M' to indicate megabytes, and 'g' or 'G' to indicate gigabytes.

features.AlertOnThresholdCondition

Default value: true

Controls whether data-drive alerts data-driven alerts are enabled for users on the server.

features.DesktopReporting

Default value: false

Controls whether Desktop License Reporting is enabled on the server. When set to false(the default), no Administrative Views related to desktop licenses are available. Set this to true to enable license reporting and make license usage and expiration Administrative Views visible on the Server Status page.

features.PasswordReset

Default value: false

Applies only to servers that use local authentication. Set to trueto let users reset their passwords with a "Forgot password" option on the sign-in page.

gateway.http.cachecontrol.updated

Default value: false

The Cache-Control HTTP header specifies whether the client browser should cache content sent from Tableau Server. To disable caching of Tableau Server data on the client, set this option to true.

gateway.http.hsts

Default value: false

The HTTP Strict Transport Security (HSTS) header forces browsers to use HTTPS on the domain where it is enabled.

gateway.http.hsts_options

Default value: "max-age=31536000"

By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS.

gateway.http.request_size_limit

Default value: 16380

The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.

A low value for gateway.http.request_size_limit can result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.

We recommend setting tomcat.http.maxrequestsize option to the same value that you set for this option.

gateway.http.x_content_type_nosniff

Default value: true

The X-Content-Type-Options response HTTP header specifies that the MIME type in the Content-Type header should not be changed by the browser. In some cases, where MIME type is not specified, a browser may attempt to determine the MIME type by evaluating the characteristics of the payload. The browser will then display the content accordingly. This process is referred to as "sniffing." Misinterpreting the MIME type can lead to security vulnerabilities. The X-Content-Type-Options HTTP header is set to 'nosniff' by default with this option.

gateway.http.x_xss_protection

Default value: true

The HTTP X-XSS-Protection response header is sent to the browser to enable cross-site scripting (XSS) protection. The X-XSS-Protection response header overrides configurations in cases where users have disabled XXS protection in the browser. The X-XSS-Protection response header is enabled by default with this option.

gateway.public.host

Default value: <hostname>

The name (URL) of the server, used for external access to Tableau Server. If Tableau Server is configured to work with a proxy server or external load balancer, it is the name entered in a browser address bar to reach Tableau Server. For example, if Tableau Server is reached by entering tableau.example.com, the name for gateway.public.host is tableau.example.com.

gateway.public.port

Default value: 80 (443 if SSL)

Applies to proxy server environments only. The external port the proxy server listens on.

gateway.slow_post_protection.enabled

Default value: false

Enabling this can provide some help in protecting against slow POST (Denial-of-Service) attacks by timing out POST requests that transfer data at extremely slow rates. Note: This will not eliminate the threat of such attacks, and could have the unintended impact of terminating slow connections.

gateway.timeout

Default value: 1800

Longest amount of time, in seconds, that the gateway will wait for certain events before failing a request (1800 seconds = 30 minutes).

gateway.trusted

Default value: IP address of proxy server machine

Applies to proxy server environments only. The IP address(es) or host name(s) of the proxy server.

gateway.trusted_hosts

Default value: Alternate names of proxy server

Applies to proxy server environments only. Any alternate host name(s) for the proxy server.

hyper.file_partition_size_limit

Default value: 0

When set to 0, the size is set to unlimited and will use all the disk space that is available.

This option is used to set the disk space limit for a query that spools to disk. If your disk space usage by the spool.<id>.tmp file is higher than where you need it to be for your environment, it means that queries are spooling and taking up disk space. Use this option to limit the amount of disk space that any one query can use. The spool.<id>.tmp file can be found in the temp folder of the user account running Tableau Server. You can specify this value in K(KB), M(MB), G(GB), or T(TB) units. For example, you can specify the size limit as 100G when you want to limit the disk space usage to 100 GB.

For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.

hyper.global_file_partition_size_limit

Default value: 0

When set to 0, the size is set to unlimited and will use all the disk space that is available.

This option is used to set the disk space limit for all queries that spool to disk. If your disk space usage by the spool.<id>.tmp file is higher than where you need it to be for your environment, it means that queries are spooling and taking up disk space. The spool.<id>.tmp file can be found in the temp folder of the user account running Tableau Server. Use this option to limit the amount of disk space in sum total that all queries use when spooling to disk . You can specify this value in K(KB), M(MB), G(GB), or T(TB) units. For example, you can specify the size limit as 100G when you want to limit the disk space usage to 100 GB. Tableau recommends that you start with this configuration when fine tuning your spooling limits.

For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.

hyper.log_queries

Default value: true

When set to true, query information is logged.

By default query information is logged. If however you find that the log files are too large for the amount of disk space available, you can set it to false to disable logging query information. Tableau recommends leaving this configuration set to true.

hyper.log_query_cpu

Default value: false

Use this setting to log how much time each query takes and the CPU usage.

hyper.log_timing

Default value: false

This setting is useful to find out more information about the queries, like compilation and parsing times. By default this setting is disabled. You can turn this by setting the value to true to collect more details about your queries. Note, however that this will increase the size of your data engine log files (\logs\hyper).

hyper.log_troublesome_query_plans

Default value: true

When set to true, logs query plans of query that are identified as problematic. Queries that are either canceled, running slower than 10 seconds, or if the queries are spooling to disk fall into this category. The information in the logs can be useful to troubleshoot problematic queries. You can change the setting to false if you are concerned about the size of the logs.

hyper.hard_concurrent_query_thread_limit

Default value: 100%

Use this option to set the maximum number of threads Data Engine should use for running queries. Since this is a hard limit, use this to when you want to set a hard limit on the CPU usage. This setting will make sure that Data Engine does not use more CPU than this set limit.

It is important to consider that this setting controls the number of concurrent queries that can be executed. So, if you decrease this setting, the chance of queries needing to wait in a queue and wait for currently running queries to complete increases, which may affect workbook load times.

hyper.soft_concurrent_query_thread_limit

Default value: 100%

Use this option to specify the number of threads that a single query can be parallelized across, which is the set limit minus the number of active threads already in use. To illustrate this, here is a simplified example:

Let's say you set this value to 10 threads, this means queries can be parallelized up to 10 threads. If only 2 queries are running, the remaining 8 threads are used to parallelize the 2 queries.

This soft limit makes sure that the Data Engine does not utilize CPU over that limit, unless there are queries waiting to be queued even when at the limit. This is useful when you have queries that are CPU intensive, you can parallelize these across multiple threads so they complete faster.

The hyper. hard_concurrent_query_thread_limit, and hyper.soft_concurrent_query_thread_limit options work together to give you some options to manage your CPU usage while maximizing available CPU resources to complete queries faster. If you don't want the Data Engine to use all the available CPU on the machine, change it to less than 100% to a percentage that is optimal for your environment. The soft limit is a way for you to limit CPU usage but allow it to go beyond the soft limit up to the hard limit if necessary.

Note: The hyper.hard_concurrent_query_thread_limit and hyper.soft_concurrent_query_thread_limit options replace hyper.num_job_worker_threads and hyper.num_task_worker_threads options available in Tableau Server versions 2018.3 and earlier, and are deprecated in the current version. For information on the hyper.num_job_worker_threads and hyper.num_task_worker_threads, see tsm configuration set Options.

hyper.use_spooling_fallback

Default value: true

When set to true, it allows spooling to disk when querying extracts exceeds set RAM usage (80% of installed RAM).

Tableau recommends that you use the default setting. You can turn this off by setting the value to false if you are concerned about disk usage. If you turn this setting off, queries that use more than 80% of installed RAM will be canceled.

For more information about spooling see the Memory and CPU Usage section in Tableau Server Data Engine.

install.firewall.allowedprograms.manage

Default value: true

Controls whether Tableau Server can add firewall rules. When set to true(the default), Tableau Server will add new firewall rules to allow its processes to make connections through Windows Firewall. Change this to falseif you want to manage all firewall rules yourself and do not want Tableau Server to add new rules.

java.heap.size

Default value: 128m

Size of heap for Tomcat (repository and solr). This generally does not need to change except on advice from Tableau.

maestro.input.allowed_paths

Default value: ""

By default, access to any directory will be denied, and only publishing to Tableau Server with content that is included in the tflx file is allowed.

A list of allowed network directories for flow input connections. You must enable Tableau Prep Conductor to run flows on your Tableau Server. For more information, see Tableau Prep Conductor.

The following rules apply and must be considered when configuring this setting:

  • Paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time.

  • Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example \\myhost\myShare\* or \\myhost\myShare* are invalid paths and would result in all the paths as disallowed. The correct way to safelist any folder under myShare would be \\myhost\myShare or \\myhost\\myShare\.

    Note:The \\myhost\myShare configuration will not allow \\myhost\myShare1. In order to safe list both of these folders one would have safe list them as \\myhost\myShare; \\myhost\myShare1.

  • The value can be either * meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by “;”.

    Note: If a path is both on the flows allowed list and internal_disasslowed list, internal_disallowed takes precedence.

Important:
This command overwrites existing information and replaces it with the new information you provided. If you want to add a new location to an existing list, you must provide a list of all the locations, existing and the new one you want to add. Use the following commands to see the current list of input and output locations:

tsm configuration get -k maestro.input.allowed_paths
tsm configuration get -k maestro.output.allowed_paths

For more information and details about configuring allowed directories for flow input and output connections, see Safe list Input and Output Locations.

maestro.output.allowed_paths

Default value: ""

By default, access to any directories will be denied.

A list of allowed network directories for flow output connections. You must enable Tableau Prep Conductor to run flows on your Tableau Server. For more information, see Tableau Prep Conductor.

The following rules apply and must be considered when configuring this setting:

  • Paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time.

  • Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example \\myhost\myShare\* or \\myhost\myShare* are invalid paths and would result in all the paths as disallowed. The correct way to safelist any folder under myShare would be \\myhost\myShare or \\myhost\\myShare\.

    Note:The \\myhost\myShare configuration will not allow \\myhost\myShare1. In order to safe list both of these folders one would have safe list them as \\myhost\myShare; \\myhost\myShare1.

  • The value can be either * meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by “;”.

    Note: If a path is both on the flows allowed list and internal_disasslowed list, internal_disallowed takes precedence.

For more information and details about configuring allowed directories for flow input and output connections, see Safe list Input and Output Locations.

monitoring.dataengine.connection_timeout

Default value: 30000

The length of time, in milliseconds, that Cluster Controller will wait for the data engine, before determining that a connection timeout occurred. The default is 30,000 milliseconds (30 seconds).

native_api.connection.limit.<connection class>

Set parallel query limit for the specified data source (connection class). This overrides the global limit for the data source.

native_api.connection.globallimit

Default value: 16

Global limit for parallel queries. Default is 16 except for Amazon Redshift which has a default of 8.

native_api.ProtocolTransitionLegacyFormat

Default value: false

Use the legacy name format for constrained delegation.

The name format was changed in version 10.1 to allow cross-domain protocol transition (S4U). If this causes problems with existing configurations and you don't need cross-domain protocol transition, configure Tableau Server to use the old behavior by setting this to true.

native_api.unc_mountpoints

Default value: none

Specifies UNC and FQDN path for shared Windows directories that are accessed by Tableau Server on Linux. Each path must also be referenced in a corresponding auto.cifs file. Separate each path by a semicolon, for example:

'//filesrv01/development;/mnt/filesrv01/development;//filesrv01.example.lan/development;/mnt/filesrv01/development'

Subsequent updates to the native_api.unc_mountpoints value will overwrite the existing value. Therefore, each time you add a Windows share, you must include all shares in the updated value.

For more information, see the Community wiki topic, Connecting to a Windows Shared Directory.

pgsql.port

Default value: 8060

Port that PostgreSQL listens on.

pgsql.preferred_host

Specifies the computer name or IP address of the node with the preferred repository installed. This value is used if the --preferred or -r option is specified with the tsm topology failover-repository command.

pgsql.verify_restore.port

Default value: 8061

Port used to verify the integrity of the PostgreSQL database. See tsm maintenance backup for more information.

recommendations.enabled

Default value: true

Suggests server content, such as data sources and tables, to Tableau Desktop users. Content suggestions are based on popularity of the content or on content frequently used by other users who are similar to the current user.

refresh_token.absolute_expiry_in_seconds

Default value: 31536000

Specifies the number of seconds for absolute expiry of OAuth refresh and access tokens. The OAuth tokens are used by clients for authentication to Tableau Server after initial sign-in. To remove limits set to -1. To disable OAuth tokens, see Disable Automatic Client Authentication.

refresh_token.idle_expiry_in_seconds

Default value: 1209600

Specifies the number of seconds when idle OAuth tokens will expire. The OAuth tokens are used by clients for authentication to Tableau Server after initial sign-in. To remove limits set to -1.

refresh_token.max_count_per_user

Default value: 24

Specifies the maximum number of refresh tokens that can be issued for each user. If user sessions are expiring more quickly than you expect, either increase this value or set it to -1 to entirely remove token limits.

rsync.timeout

Default value: 600

Longest allowable time, in seconds, for completing file synchronization (600 seconds = 10 minutes). File synchronization occurs as part of configuring high availability, or moving the data engine and repository processes.

schedules.display_schedule_description_as_name

Default value: false

Controls whether a schedule name displays when creating a subscription or extract refresh (the default), or the "schedule frequency description" name describing the time and frequency of the schedule displays. To configure Tableau Server to display timezone-sensitive names for schedules, set this value to true.

When true, the "schedule frequency description" is also displayed after the schedule name on the schedule list page.

schedules.display_schedules_in_client_timezone

Default value: true

Shows the "schedule frequency description" in the timezone of the user when true (uses the client browser timezone to calculate the "schedule frequency description").

service.jmx_enabled

Default value: false

Setting to true enables JMX ports for optional monitoring and troubleshooting.

service.max_procs

Default value: <number>

Maximum number of server processes.

service.port_remapping.enabled

Default value: true

Determines whether or not Tableau Server will attempt to dynamically remap ports when the default or configured ports are unavailable. Setting to false disables dynamic port remapping.

session.ipsticky

Default value: false

Makes client sessions valid only for the IP address that was used to sign in. If a request is made from an IP address different from that associated with the session token, the session token is considered invalid.

In certain circumstances—for example, when Tableau Server is being accessed by computers with known and static IP addresses—this setting can yield improved security.

Note:  Consider carefully whether this setting will help your server security. This setting requires that the client have a unique IP address and an IP address that stays the same for the duration of the session. For example, different users who are behind a proxy might look like they have the same IP address (namely, the IP address of the proxy); in that case, one user might have access to another user's session. In other circumstances, users might have a dynamic IP address, and their address might change during the course of the session. If so, the user has to sign in again.

sheet_image.enabled

Default value: true

Controls whether you can get images for views with the REST API. For more information, see REST API Reference.

solr.rebuild_index_timeout

Default value: 3600

When Tableau Server is upgraded or when a .tsbak file is restored, the background task rebuilds the search index. This setting controls the timeout setting for that task (3600 seconds = 60 minutes).

subscriptions.enabled

Default value: false

Controls whether subscriptions are configurable system-wide. See Set Up a Server for Subscriptions.

subscriptions.timeout

Default value: 1800

Longest allowable time, in seconds, for a single view in a workbook subscription task to be rendered before the task times out. This value applies separately to each view in the workbook, so the total length of time to render all the views in a workbook (the full subscription task) may exceed this timeout value. 1800 seconds = 30 minutes.

tomcat.http.maxrequestsize

Default value: 16380

The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.

A low value for tomcat.http.maxrequestsizemay result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.

We recommend setting gateway.http.request_size_limit option to the same value that you set for this option.

tomcat.https.port

Default value: 8443

SSL port for Tomcat (unused).

tomcat.server.port

Default value: 8085

Port that tomcat listens on for shutdown messages.

vizportal.adsync.update_system_user

Default value: false

Specifies whether email addresses and display names of users are changed (even when changed in Active Directory) when an Active Directory group is synchronized in Tableau Server. To ensure that user email addresses and display names are updated during synchronization, set vizportal.adsync.update_system_user to true, and then restart the server.

vizportal.commenting.delete_enabled

Default value: true

When set to true, lets users delete comments on views. You can delete a comment if you created it, are the content owner, a project leader with an appropriate site role, or are an administrator. To learn which site roles are required for full project leader access, see Project-level administration.

vizportal.csv_user_mgmt.index_site_users

Default value: true

Specifies whether indexing of site users is done user by user when importing or deleting users with a CSV file. When set to true(the default) indexing is done as each user is added or deleted. To delay the indexing of the site users until after the entire CSV file has been processed, set this to false.

vizportal.log.level

Default value: info

The logging level for vizportal Java components. Logs are written to /var/opt/tableau/tableau_server/data/tabsvc/logs/vizportal/*.log.

Set to debug for more information. Using the debug setting can significantly impact performance, so you should only use this setting when directed to do so by Tableau Support.

vizportal.openid.client_authentication

Specifies custom client authentication method for OpenID Connect.

To configure Tableau Server to use the IdPs that require the client_secret_post, set this value to client_secret_post.

An example would be when connecting to the Salesforce IDP, which requires this.

vizportal.rest_api.cors.allow_origin

Specifies the origins (sites) that are allowed access to the REST API endpoints on Tableau Server when vizportal.rest_api.cors.enabled is set to true.You can specify more than one origin by separating each entry with a comma (,).

tsm configuration set vizportal.rest_api.cors.allow_origin https://mysite, https://yoursite

If vizportal.rest_api.cors.enabled is false, the origins listed by this option are ignored. For more information, see Enabling CORS on Tableau Server.

Note: You can use an asterisk (*) as a wild card to match all sites. This is not recommended as it allows access from any origin that has access to the server and can present a security risk. Do not use an asterisk (*) unless you fully understand the implications and risks for your site.

vizportal.rest_api.cors.enabled

Default value: false

Controls whether Tableau Server allows Cross Origin Resource Sharing (CORS). When set to true, the server allows web browsers to access the Tableau REST API endpoints. You can use this option and the REST API to create custom portals. By default, this functionality is not enabled. To specify which origins (sites) have access, use the vizportal.rest_api.cors.allow_origin option. Only the origins specified with this option are allowed to make requests to the Tableau Server REST API. For more information, see Enabling CORS on Tableau Server.

vizportal.rest_api.view_image.max_age

Default value: 720

The amount of time, in minutes, to cache images that are generated by the Query View Image method of the REST API. For more information, see the REST API Reference in the REST API help.

vizqlserver.allow_insecure_scripts

Default value: false

Allows a workbook to be published to the server from Tableau Desktop, and to be opened from the server, even if the workbook contains SQL or R expressions that are potentially unsafe (for example, a SQL expression that could potentially allow SQL injection). When this setting is false (the default), publishing a workbook or opening it from the server results in an error message, and the workbook is blocked. You should set this value to true only if you want to use workbooks that contain SQL or R expressions that have been detected as potentially unsafe, and only if the workbooks come from a safe source and you have verified that they do not contain an unsafe expression.

vizqlserver.browser.render

Default value: true

Views under the threshold set by vizqlserver.browser.render_threshold or vizqlserver.browser.render_threshold_mobile are rendered by the client web browser instead of by the server. See About Client-Side Rendering for details.

vizqlserver.browser.render_threshold

Default value: 100

The default value represents a high level of complexity for a view displayed on a PC. Complexity factors include number of marks, headers, reference lines, and annotations. Views that exceed this level of complexity are rendered by the server instead of in the PC's web browser.

vizqlserver.browser.render_threshold_mobile

Default value: 60

The default value represents a high level of complexity for a view displayed on a tablet. Complexity factors include number of marks, headers, reference lines, and annotations. Views that exceed this level of complexity are rendered by the server instead of in the tablet's web browser.

vizqlserver.clear_session_on_unload

Default value: false

Determines whether or not VizQL sessions are kept in memory when a user navigates away from a view or closes their browser. The default value (false) keeps sessions in memory. To close VizQL sessions on leaving a view or closing a browser, set this to true.

vizqlserver.geosearch_cache_size

Default value: 5

Sets the maximum number of different geographic search locale/language data sets that can be loaded into server memory at the same time. When the server receives a geographic search request for locale/language data set that is not in memory, it will load the set into memory. If loading the data set will exceed the specified limit, the least recently used locale/language data set is cleared from memory so the requested one can be loaded. The minimum value is 1. Each cache takes approximately 60 MB in memory (so if you set this to 10, the memory usage would be 600 MB (60 * 10).

vizqlserver.initialsql.disabled

Default value: false

Specify whether to ignore initial SQL statements for all data sources. Set this to true to ignore initial SQL:

tsm configuration set -k vizqlserver.initialsql.disabled -v true

vizqlserver.log.level

Default value: info

The logging level for vizportal Java components. Logs are written to /var/opt/tableau/tableau_server/data/tabsvc/logs/vizportal/*.log.

Set to debug for more information. Using the debug setting can significantly impact performance, so you should only use it when directed to do so by Tableau Support.

vizqlserver.NumberOfWorkbookChangesBetweenAutoSaves

Default value: 5

Auto recover configuration for web authoring. Specifies the number of changes that a user must make to trigger auto save. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.

vizqlserver.port

Default value: 9100

Base port for the VizQL servers.

vizqlserver.protect_sessions

Default value: true

When set to true, prevents VizQL sessions from being reused after the original user signs out.

vizqlserver.querylimit

Default value: 1800

Longest allowable time for updating a view, in seconds.

vizqlserver.RecoveryAttemptLimitPerSession

Default value: 3

Auto recover configuration for web authoring. The maximum number of attempts to recover the same session. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.

vizqlserver.script.disabled

Default value: true

Disable external service scripts in worksheets published to server.

The setting is named contrary to its meaning: Setting this to true means worksheets with external service scripts will operate as normal. A setting of false means worksheets with external service scripts will be disabled.

vizqlserver.session.expiry.minimum

Default value: 5

Number of minutes of idle time after which a VizQL session is eligible to be discarded if the VizQL process starts to run out of memory.

vizqlserver.session.expiry.timeout

Default value: 30

Number of minutes of idle time after which a VizQL session is discarded.

vizqlserver.showdownload

Default value: true

Controls the display of the Tableau Workbook option of the Download menu in views. When set to false, the Tableau Workbook option is unavailable.

vizqlserver.showshare

Default value: true

Controls the display of Share options in views. To hide these options, set to false.

Note: Users can override the server default by setting the "showShareOptions" JavaScript or URL parameter.

vizqlserver.url_scheme_whitelist

Specifies one or more URL schemes to whitelist when using URL actions on views and dashboards. The schemes http, https, gopher, mailto, news, sms, tel, tsc, and tsl are whitelisted by default. This command can contain multiple comma and space-separated values, as in this example:

tsm configuration set -k vizqlserver.url_scheme_whitelist -v scheme1, scheme2

The values you specify overwrite previous settings. Therefore, you must include the full list of schemes in the set command. (You cannot amend the list of schemes by running the set command repeatedly.)

vizqlserver.WorkbookTooLargeToCheckpointSizeKiB

Default value: 1024

Auto recover configuration for web authoring. Size limit (KB) for a workbook that will auto save. Workbooks larger than this value will not be auto-saved. Take care when changing this value. Auto recover functionality may impact the performance of web authoring and other viz-related operations on Tableau Server. We recommend tuning this value by making incremental adjustments over time.

webdataconnector.refresh.enabled

Deprecated. Use tsm data-access web-data-connectors allow instead.

Determines whether extract refreshes for web data connectors (WDCs) are enabled in Tableau Server. To disable refresh for all WDCs, set the value for this key to false, as shown below:

tsm configuration set --key webdataconnector.refresh.enabled --value false

To learn more, see Web Data Connectors in Tableau Server.

webdataconnector.whitelist.fixed

Deprecated. Use tsm data-access web-data-connectors add instead.

Specifies one or more web data connectors (WDCs) that can be used by to access data connections that are accessible over HTTP or HTTPS. This command is formatted as JSON data on a single line, with all double-quotes (") escaped using a backslash (\).

For example to add a San Francisco Film Locations WDC to the safe list:

tsm configuration set --key webdataconnector.whitelist.fixed --value "'{\"https://tableau.data.world:443\": {\"properties\": { \"secondary_whitelist\": [\"(https://data.world/)(.*)\"] } } }'"

To learn more, see Web Data Connectors in Tableau Server.

webdataconnector.enabled

Deprecated. Use tsm data-access web-data-connectors allow instead.

Default value: true

When set to true, you can use tsm commands to manage web data connectors on the server.

webdataconnector.whitelist.mode

Default value: mixed

Determines how Tableau Server can run web data connectors. Supported modes are:

  • fixed. Users can run connectors that are on a safe list (whitelist) of URLs.
  • insecure. Users can run any connector.

Important: Use the insecure option only for development and testing. Because connectors run custom code, running connectors that have not been vetted can pose a security threat.

wgserver.audit_history_expiration_days

Default value: 183

Specifies the number of days after which historical events records are removed from the PostgreSQL database (the Tableau Server database).

wgserver.change_owner.enabled

Default value: true

Controls whether the ownership of a workbook, data source or project can be changed. Other options include false and adminonly.

wgserver.clickjack_defense.enabled

Default value: true

When set to true, helps prevents a malicious person from "clickjacking" a Tableau Server user. In a clickjack attack, the target page is displayed transparently over a second page, and the attacker gets the user to click or enter information in the target page while the user thinks he or she is interacting with the second page.

For more information, see Clickjack Protection.

wgserver.extended_trusted_ip_checking

Default value: false

Enforces IP client matching for trusted ticket requests.

wgserver.restrict_options_method

Default value: true

Controls whether Tableau Server accepts HTTP OPTIONS requests. If this option is set to true, the server returns HTTP 405 (Method Not Allowed) for HTTP OPTIONS requests.

wgserver.saml.idpattribute.username

Specifies the name of the attribute in which your SAML IdP stores user names. By default, this is set to username. If the attribute name that your IdP uses contains spaces, enclose it in quotation marks. For more information, see Configure Server-Wide SAML or Configure Site-Specific SAML.

wgserver.saml.iframed_idp.enabled

Default value: false

Default of false means that when users select the sign-in button on an embedded view, the IdP’s sign-in form opens in a pop-up window.

When you set it to true, and a server SAML user who is already signed in navigates to a web page with an embedded view, the user will not need to sign in to see the view.

You can set this to true only if the IdP supports signing in within an iframe. The iframe option is less secure than using a pop-up, so not all IdPs support it. If the IdP sign-in page implements clickjack protection, as most do, the sign-in page cannot display in an iframe, and the user cannot sign in.

If your IdP does support signing in via an iframe, you might need to enable it explicitly. However, even if you can use this option, it disables Tableau Server clickjack protection for SAML, so it still presents a security risk.

wgserver.saml.maxassertiontime

Default value: 3000

Specifies the maximum number of seconds, from creation, that a SAML assertion is usable.

wgserver.saml.responseskew

Default value: 180

Sets the maximum number of seconds difference between Tableau Server time and the time of the assertion creation (based on the IdP server time) that still allows the message to be processed.

wgserver.session.apply_lifetime_limit

Default value: false

Controls whether there is a session lifetime for server sessions. Set this to trueto configure a server session lifetime.

wgserver.session.idle_limit

Default value: 240

The number of minutes of idle time before a sign-in to the web application times out.

wgserver.session.lifetime_limit

Default value: 1440

The number of minutes a server session lasts if a session lifetime is set. The default is 1440 minutes (24 hours). If wgserver.session.apply_lifetime_limitis false(the default) this is ignored.

wgserver.unrestricted_ticket

Default value: false

Specifies whether to extend access to server resources for users authenticated by trusted tickets. Default behavior allows users to access views only. Setting this to true allows users with valid trusted tickets to access server resources (projects, workbooks, and so on) as if they had signed in using their credentials.

workerX.gateway.port

Default value: 80 (443 if SSL)

External port that Apache listens on for workerX (where a “worker” is the term used for subsequent server nodes in the cluster). worker0.gateway.port is Tableau Server’s external port. In a distributed environment, worker0 is the initial Tableau Server node.

workerX.vizqlserver.procs

Default value: <number>

Number of VizQL servers.

zookeeper.config.snapCount

Specifies the number of transactions necessary to cause the Coordination Service to create a snapshot of the logs. By default this value is 100,000 transactions. If your Coordination Service is not writing enough transactions to result in snapshots, the automatic cleanup of snapshots older than five days will not take place, and you may lose disk space to the transaction logs. By default transaction logs and snapshots are created in the Tableau data directory. See zookeeper.config.dataLogDir above for more information about changing the location where transaction logs are written.