Changing the Identity Store
Tableau Server on Windows now includes Tableau Services Manager (TSM), which replaces the Configuration Utility and the tabadmin command line tool. If you need help for an earlier version of Tableau Server, see the Tableau Help page.
Infrastructure or business changes may require you to change the identity store on Tableau Server. There are two kinds of identity stores: local and external. When you installed Tableau Server you configured either a local identity store or an external identity store.
When you configure Tableau Server with a local identity store, all user and group information is stored and managed in the Tableau Server repository. In the local identity store scenario, there is no external source for users and groups.
When you configure Tableau Server with an external store, all user and group information is stored and managed by an external directory service. Tableau Server must synchronize with the external identity store so that local copies of the users and groups exist in the Tableau Server repository, but the external identity store is the master source for all user and group data. Examples of external identity stores are OpenLDAP and Active Directory.
For more information about the Tableau identity store, see Identity Store.
You can change from local store to an external store, or you can change from an external store to a local store. In either case, to change the identity store type, you complete these steps:
- Uninstall (including manual deletion of directories) and then reinstall of Tableau Server. The procedure for full uninstall and clean install are at the end of this topic.
- Restore content and permissions.
Changing the installation type on Tableau Server can be a complicated and time-consuming process. To avoid data loss or orphaning of content or users, you'll need to plan this process carefully. In all cases, user filters applied to workbooks and data sources will need to be updated manually after the change.
Most importantly, determine how you will transition content and permissions to the new identity store after you reinstall Tableau Server.
Methods for restoring content and permissions
The following list describes two methods for restoring content and permissions after you reinstall Tableau Server. Select the method that best fits with your environmental requirements.
Method 1: Use site export and import—In this method, you start by exporting each site in your existing deployment. Then, you install the new server and configure it for the new identity store type. You then create new users in the default site on the new server. Finally, you import all the original sites. During the import stage, you can map the original identities to the new users that you created in the default site.
Because this method exports all content and permissions at each site, it is the best method for organizations that require a high fidelity replica of the content and permissions after the identity store change is complete. Some organizations require an identity store change as the result of an authentication change. In these cases, a different user name syntax is a often a requirement in the new model. This method, which includes a process of mapping original user names to new names, provides flexibility for such scenarios.
Method 2: Fresh installation; users republish content—In this method, you install a new version of Tableau Server and select the new identity store type during setup. You also create new sites. You then create users and give them access, and they republish their workbooks and data sources. Unlike the other method, in this one, you do not reuse any of your existing Tableau Server infrastructure.
This method is most appropriate for smaller deployments with fairly autonomous and data savvy users. From an administrative perspective, this method is the simplest, since you're not actively porting over content. However, because you rely entirely on users to republish content, this method may not be successful for large organizations or for those where centralized oversight of content is required.
User filters are domain-specific. Therefore, when the domain of Tableau Server changes or authentication type changes, filters no longer function as expected. Although the user filters are generated by Tableau Server, after they are set by the user, the filters are stored in the workbooks and data sources. Neither of these methods for changing the identity store modifies the contents of the workbooks or data sources.
As you plan the identity store change, you must also include a final task to correct user filtering in all workbooks and data sources with Tableau Desktop.
User names and the Tableau Identity store
If you are using Method 1, it's helpful to understand how Tableau Server stores user names in the Tableau identity store. Tableau stores all user identities in the repository, which coordinates content permissions and site membership with various services in Tableau Server. Generally, an identity store configured for Active Directory store user names in the format,
domain\username. Some organizations use a UPN (
On the other hand, organizations that configure Tableau Server with local identity store usually create standard, truncated user names, such as
In all cases, these user names are literal strings that must be unique in the Tableau identity store. If you are changing from one identity store type to another, then your target authentication, SSO, or user provisioning solution may require a specific user name format.
Therefore, to maintain all permissions, content, and user viability, one of the following must be true after you change the identity store type:
- The new user names must match the original user names, or
- The original user names must be updated to match a new format.
If an authentication change is driving the identity store change, then the target authentication scheme will likely impose a user name syntax that is different than your original user names. Method 1 includes a process where you can map original user names to new user names.
It's possible that the original user name format will work with the new authentication type. For example, if you used UPN names in a local identity store deployment, you might be able to use the same user names in an Active Directory deployment. You could also use the
domain\username format for local identity store, as long as users continue to use that format to sign in to Tableau Server.
If you are changing from local identity store to an external Active Directory store, review the topic, User Management in Active Directory Deployments, as part of your planning process.
Method 1: Use site export and import
- Export all sites on your server. See Export or Import a Site.
- Back up, remove, and then reinstall .
- Create new users on Tableau Server. You should have a new user that corresponds to each user on the original server.
- Import the sites that you exported in Step 1. See Export or Import a Site. During import, you will be prompted to map the new users to the original users.
Method 2: Fresh installation—users republish content
Even if you do not plan to port content as part of your identity store change, we recommend that you back up the server.
- Back up, remove, and then reinstall .
- Create users, sites, and groups.
- Inform your users of the new Tableau Server, provide them with credentials, and allow them to republish their content.
Both methods include the following steps:
- Back up Tableau Server
- Remove Tableau Server.
- Reinstall Tableau Server with the new identity store type.
Step 1: Back up Tableau Server
As a best practice, you should back up the server before proceeding.
Follow the procedure, Create a backup using the TSM command line interface (CLI). Run the
backup command with the
–d option. The
–d option adds the datestamp.
When you are finished, copy the backup file (
.tsbak) to a safe location that is not a part of your Tableau Server installation.
Step 2: Remove Tableau Server
You must completely remove Tableau Server from the computer. See Remove Tableau Server from Your Computer.
Step 3: Reinstall Tableau Server with new authentication type
- Go to the Tableau Customer Portal, sign in with your Tableau user name and password, and then download Tableau Server.
- Install Tableau Server. See Install and Configure Tableau Server more information. During installation, you will select the new identity store type. See Configure Initial Node Settings.