Files and Permissions in TSM
This topic covers the permissions requirements needed for Tableau Services Manager (TSM) to access and use files. This information is intended for server administrators. This topic does not address permissions used for managing users and content within Tableau Server (permissions for content and users). For information related to these permissions, see Content Permissions and Ownership.
During installation of TSM and Tableau Server, an unprivileged user (tableau) is created and added to a server authorized group (tableau). This user account enables the work done by TSM and Tableau Server processes. You can change the user and group during installation. For more information, see Identity Store.
Permissions requirements for TSM apply to both files, and to the directories in which the files are placed. When TSM creates and manages files, the files get put into specific default locations with the necessary permissions and you don't need to worry about setting permissions. When you create, copy, or move files yourself, or when you put files into non-default locations, you need to be aware of permission requirements so that TSM can properly access the files. Common cases (For information about using non-default locations, see tsm File Paths.)
General rules for permissions and TSM are:
Files—If the tableau group has access to a file (if it is the group owner and has read access to the file), the users in the group have access to the file. An alternate approach is to give "other" read access.
Directories—If the tableau group has read and execute access to the directory that contains a file, and any parent directories of that directory, the users in the group have access to the file.
Situations that may require you to adjust permissions include server backup files and site import archives that you copy from a different computer or to a non-default location, customization files such as logos or images, and security certificates such as SSL certificates.
For example, if you migrate from Tableau Server on Windows to Tableau Server on Linux, you use a backup created in Windows to restore data to your Linux server. Because this backup file isn't created by TSM, it may not have the correct permissions for the restore process to access it. You need to make sure the backup file and the directory structure you copy it into have the proper permissions. Similarly, if you are copying files like certificates to additional nodes in a cluster, you need to make sure the files and the directories you copy them into have the permissions the tableau user needs in order to access them.
Setting permissions for individual files
If you are using a file you copy to one of the default locations created by TSM, you need to make sure the ownership and permissions on the file allow TSM access by giving the tableau user read access. You can do this in one of two ways:
You can give the tableau user read access by giving the tableau group (in a default installation) read and execute access to a file using the
chmodcommands. For example:
chgrp tableau <backup>.tsbak
chmod g+rx <backup>.tsbak
Alternately, you can give world read and execute access to the file:
chmod o+rx <backup>.tsbak
Setting permissions for directories
In addition to setting the proper permissions on the files themselves, TSM also needs permissions for the directory that contains the file, as well as any parent directories. If you are using a non-default location for files that TSM will access, you will need to make sure permissions for the parent directory or directories that contain the file allow read and execute access.
You can address this issue in a couple of ways:
Change group ownership of the directory to the tableau group, and add group read and execute permission to the directory. Doing this makes files in the directory more available to the tableau user.
chgrp tableau <directory-name>
chmod g+rx <directory-name>
Alternatively, you can add world read and execute permission to the directory. This makes files in the directory more available to all users on the system. This approach may require additional steps to ensure security of other files in the directory. For example, you may want to make sure other files in the directory are not world readable so other users cannot read them.
chmod o+rx <directory-name>
Hint: You can use
namei -mo command to list an entire permissions tree. This can make it easier to see what directories need to have permissions adjusted to allow access by the tableau group. You can find more information on the internet.