Was this page helpful?
Yes No
Tableau Help > Tableau Server for Windows Help > 
Manage Server > Command Line Utilities > tabadmin > tabadmin set Options

tabadmin set options

Use the table below to learn more about Tableau Server options you can configure using the set command. See Tableau Server Ports for a complete list of ports.

After using tabadmin set to change configuration options, you need to run a tabadmin config command to update configuration files on all Tableau Server nodes.

Option Default
Value
Description
api.server.enabled true Allows access to the Tableau Server REST API. By default, this functionality is enabled.
auditing.enabled true Allows access to the PostgreSQL (Tableau Server's own database) historical auditing tables. See Collect Data with the Tableau Server Repository for details.
backgrounder.externalquerycachewarmup.enabled true Controls the caching of workbook query results after scheduled extract refresh tasks. See Configure Workbook Performance after a Scheduled Refresh.
backgrounder.externalquerycachewarmup.view_threshold 2.0 The threshold for caching workbook query results after scheduled extract refresh tasks. The threshold is equal to the number of views that a workbook has received in the past seven days divided by the number of refreshes scheduled in the next seven days. See Configure Workbook Performance after a Scheduled Refresh.
backgrounder.extra_timeout_in_seconds 1800 The number of seconds beyond the setting in backgrounder.querylimit before a background task is canceled. This setting makes sure that tasks do not hold up subsequent jobs if they are stalled. The setting applies to processes listed in backgrounder.timeout_tasks.
backgrounder.failure_threshold_for_run_prevention 5 The number of consecutive failures of a subscription or extract job before that job is suspended. Suspending continuously failing jobs helps preserver backgrounder resources for other jobs. To disable suspension of failing background tasks, set this to -1.

Note: To reenable a suspended job, click Try again from the alert menu, or republish the data source or a workbook using the data source, or change the connection properties of the data source.

backgrounder.querylimit 7200 Longest allowable time, in seconds, for completing a single extract refresh task or subscription task. 7200 seconds = 2 hours.

Note: If a background task reaches this time limit, it may continue to run for an additional several minutes while being canceled.

backgrounder.reset_schedules_on_startup true Controls when to run background tasks that were scheduled to run at a time when the server was stopped. When set to true (the default), tasks are run at their next scheduled time. When set to false, all tasks that were scheduled to run when the server was stopped are run, simultaneously, at server startup, including times when the Tableau Server backup file (.tsbak) is restored.
backgrounder.send_email_on_refresh_failure true Controls whether extract refresh alerts are enabled for all sites on the server. By default alerts are enabled. To disable extract refresh alerts for all sites on a server, set this to false.

Extract alerts can be enabled or disabled on a site basis by site administrators in site settings, or at the user level in user settings.

backgrounder.sort_jobs_by_run_time_history_observable_hours -1 Controls the time window used when determining duration of the last full extract job.

Tableau Server can sort full extract refresh jobs so they are executed based on the duration of their "last run," executing the fastest full extract refresh jobs first.

The "last run" duration of a particular job is determined from a random sample of a single instance of the full extract refresh job in last <n> hours. Full extract jobs are then prioritized to run in order from shortest to longest based on their "last" run duration. By default this is sorting is disabled (-1). If enabling this, the suggested value is 36 (hours).

backgrounder.sort_jobs_by_type_schedule_boundary_heuristics_milliSeconds 60000 Controls the time window that identifies backgrounder jobs which are determined to have the same scheduled start time.

The backgrounder process orders work that is scheduled at the same time to be executed by job type, running the fastest category of jobs first: Subscriptions, then Incremental Extracts, then Full Extracts.

Jobs are batched to determine which jobs are scheduled at the “same time”. A value 60,000 milliseconds (the default) indicates jobs for schedules starting within a 1 minute window should be classified in the same batch and so are ordered by type within that batch.

backgrounder.subscription_image_caching true Controls whether backgrounder will cache images that are generated for subscriptions. Cached images do not have to be regenerated each time so caching improves subscription performance. By default image caching is enabled. To disable image caching for all sites on a server, set this to false.
backgrounder.timeout_tasks refresh_extracts,
increment_extracts,
subscription_notify,
single_subscription_notify
The list of tasks that can be canceled if they run longer than the combined values in backgrounder.querylimit and backgrounder.extra_timeout_in_seconds. The list of tasks is delimited with commas. The default list represents all the possible values for this setting.
clustercontroller.pgsql.failover true In a high availability environment, controls whether failover of the PostGRES repository occurs automatically (the default). When set to false, failover to the passive repository only occurs when you to run the failoverrepository command.
clustercontroller.zk_session_timeout_ms 300000 The length of time, in milliseconds, that Cluster Controller will wait for the Coordination Service (ZooKeeper), before determining that failover is required.
dataAlerts.checkIntervalInMinutes 60 The frequency, in minutes, at which Tableau Server checks to determine if data-alert conditions are true.

(The server also checks whenever extracts related to data alerts are refreshed.)

dataengine.port 27042 Port that the data engine runs on.
dataserver.port 9700 Port that the data server runs on.
DataServerRefreshMetadataPerSession false Determines whether Tableau Server will make additional queries to get updated schema data for a published data source when there have been changes in the underlying schema structure. This is disabled by default for performance reasons, and there is a delay in the display of schema changes. If you want changes in the schema of a live published data source to be reflected quickly, or if you see errors ( for example, "An error occurred while communicating with the data source: Invalid column name. Statement could not be prepared.") set this to true. When set to true, Tableau Server makes additional queries to update the schema.
features.AlertOnThresholdCondition true Controls whether data-driven alerts are enabled for users on the server.
features.DesktopReporting false Controls whether Desktop License Reporting is enabled on the server. When set to false (the default), no Administrative Views related to desktop licenses are available. Set this to true to enable license reporting and make license usage and expiration Administrative Views visible on the Server Status page.
gateway.http.hsts false The HTTP Strict Transport Security (HSTS) header forces browsers to use HTTPS on the domain where it is enabled.
gateway.http.hsts_options "max-age=31536000" By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS.
gateway.http.request_size_limit 16380 The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.

A low value for gateway.http.request_size_limit may result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.

We recommend setting tomcat.http.maxrequestsize option to the same value that you set for this option.

gateway.http.x_content_type_nosniff true The X-Content-Type-Options response HTTP header specifies that the MIME type in the Content-Type header should not be changed by the browser. In some cases, where MIME type is not specified, a browser may attempt to determine the MIME type by evaluating the characteristics of the payload. The browser will then display the content accordingly. This process is referred to as "sniffing." Misinterpreting the MIME type can lead to security vulnerabilities. The X-Content-Type-Options HTTP header is set to 'nosniff' by default with this option.
gateway.http.x_xss_protection true The HTTP X-XSS-Protection response header is sent to the browser to enable cross-site scripting (XSS) protection. The X-XSS-Protection response header overrides configurations in cases where users have disabled XXS protection in the browser. The X-XSS-Protection response header is enabled by default with this option.
gateway.public.host Name of the machine The name (URL) of the server, used for external access to Tableau Server. If Tableau Server is configured to work with a proxy server or external load balancer, it is the name entered in a browser address bar to reach Tableau Server. For example, if Tableau Server is reached by entering tableau.example.com, the name for gateway.public.host is tableau.example.com.
gateway.public.port 80 (443 if SSL) Applies to proxy server environments only. The external port the proxy server listens on.
gateway.slow_post_protection.enabled false Enabling this can provide some help in protecting against slow POST (Denial-of-Service) attacks by timing out POST requests that transfer data at extremely slow rates. Note: This will not eliminate the threat of such attacks, and could have the unintended impact of terminating slow connections.
gateway.timeout 1800 Longest amount of time, in seconds, that the gateway will wait for certain events before failing a request (1800 seconds = 30 minutes).
gateway.trusted IP address of proxy server machine Applies to proxy server environments only. The IP address(es) or host name(s) of the proxy server.
gateway.trusted_hosts Alternate names of proxy server Applies to proxy server environments only. Any alternate host name(s) for the proxy server.
install.firewall.allowedprograms.manage true Controls whether Tableau Server can add firewall rules. When set to true (the default), Tableau Server will add new firewall rules to allow its processes to make connections through Windows Firewall. Change this to false if you want to manage all firewall rules yourself and do not want Tableau Server to add new rules.
java.heap.size 128m Size of heap for Tomcat (repository and solr). This generally does not need to change except on advice from Tableau.
monitoring.dataengine.connection_timeout 30000 The length of time, in milliseconds, that Cluster Controller will wait for the data engine, before determining that a connection timeout occurred. The default is 30,000 milliseconds (30 seconds).
native_api.connection.limit.<connection class>   Set parallel query limit for the specified data source (connection class). This overrides the global limit for the data source.
native_api.connection.globallimit 16 Global limit for parallel queries. When not specified, the default is 16 (except for Amazon Redshift, which has a default of 8). When specified, the limit applies to all data source types.
native_api.ProtocolTransitionLegacyFormat false Use the legacy name format for constrained delegation.

The name format was changed in version 10.1 to allow cross-domain protocol transition (S4U). If this causes problems with existing configurations and you don't need cross-domain protocol transition, configure Tableau Server to use the old behavior by setting this to true.

native_api.recycling_interval_minutes 1440 Sets the number of minutes after which a process can be restarted, or "recycled", if thread recycling is enabled.
native_api.recycling_thread_enabled false Enables thread recycling.

Thread recycling restarts processes on a fixed schedule regardless of their resource usage, and separate from any restarts caused by exceeding CPU or memory limits. Thread recycling schedules are set using native_api.recycling_time_start and native_api.recycling_time_end.

native_api.recycling_time_start 1380 Sets the scheduled start time for thread recycling, if enabled.

Specify the time using a number of minutes since the start of the day, with no quotes required. The default value of 1380 is the equivalent of 11 PM (23:00).

native_api.recycling_time_end 240 Sets the scheduled end time for thread recycling, if enabled.

Specify the time using a number of minutes since the start of the day, without quotes. The default value of 240 is the equivalent of 4 AM (04:00).

features.PasswordReset false Applies only to servers that use local authentication. Set to true to let users reset their passwords with a "Forgot password" option on the sign-in page.
pgsql.port 8060 Port that PostgreSQL listens on.
pgsql.verify_restore.port 8061 Port used to verify the integrity of the PostgreSQL database. See Verify the Tableau Postgres Database for more information.
recommendations.enabled true Suggests server content, such as data sources and tables, to Tableau Desktop users. Content suggestions are based on popularity of the content or on content frequently used by other users who are similar to the current user.
refresh_token.max_count_per_user 24 Specifies the maximum number of refresh tokens that can be issued for each user. If user sessions are expiring more quickly than you expect, either increase this value or set it to -1 to entirely remove token limits.
rsync.timeout 600 Longest allowable time, in seconds, for completing file synchronization (600 seconds = 10 minutes). File synchronization occurs as part of configuring high availability, or moving the data engine and repository processes.
schedules.display_schedule_description_as_name false Controls whether a schedule name displays when creating a subscription or extract refresh (the default), or the "schedule frequency description" name describing the time and frequency of the schedule displays. To configure Tableau Server to display timezone-sensitive names for schedules, set this value to true.

When true, the "schedule frequency description" is also displayed after the schedule name on the schedule list page.

schedules.display_schedules_in_client_timezone true

Shows the "schedule frequency description" in the timezone of the user when true (uses the client browser timezone to calculate the "schedule frequency description").

searchserver.index.bulk_query_user_groups true

When used with vizportal.csv_user_mgmt.bulk_index_users set to true, this determines whether the indexer queries groups in bulk or one at a time.

The default value of true means the groups will be queried in bulk.

service.init.state start

Determines whether or not Tableau Server will automatically start when operating system of the computer Tableau Server is running on is restarted.

Valid options are start and pause.

Set this to pause if Tableau Server should not start on a restart of the computer.

service.jmx_enabled false Setting to true enables JMX ports for optional monitoring and troubleshooting. See Enable the JMX Ports for details.
service.max_procs # of processes Maximum number of server processes.
service.port_remapping.enabled true Determines whether or not Tableau Server will attempt to dynamically remap ports when the default or configured ports are unavailable. Setting to false disables dynamic port remapping. See Tableau Server Ports for more information.
session.ipsticky false Makes client sessions valid only for the IP address that was used to sign in. If a request is made from an IP address different from that associated with the session token, the session token is considered invalid.

In certain circumstances—for example, when Tableau Server is being accessed by computers with known and static IP addresses—this setting can yield improved security.

Note:  Consider carefully whether this setting will help your server security. This setting requires that the client have a unique IP address and an IP address that stays the same for the duration of the session. For example, different users who are behind a proxy might look like they have the same IP address (namely, the IP address of the proxy); in that case, one user might have access to another user's session. In other circumstances, users might have a dynamic IP address, and their address might change during the course of the session. If so, the user has to sign in again.

sheet_image.enabled true Controls whether you can you can get images for views with the REST API. For more information, see the REST API Reference in the REST API help.
     
     
solr.rebuild_index_timeout 3600 When Tableau Server is upgraded or when a .tsbak file is restored, the background task rebuilds the search index. This setting controls the timeout setting for that task (3600 seconds = 60 minutes).
ssl.ciphersuite HIGH:MEDIUM:!aNULL:!MD5:!RC4

The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the Tableau Server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.

Triple-DES is enabled by default on the version of OpenSSL that is running on Tableau Server. However, other deprecated cipher suites (MD5 and RC4) are disabled. To add Triple-DES to the list of disabled ciphers, set ssl.ciphersuite to:

HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES

ssl.client_certificate_login.mapping_strategy UPN | LDAP | CN Specifies the method to be used for retrieving the user name from the certificate.

The default depends on how Tableau Server is configured for user authentication:

  • When Tableau Server authentication is configured for Local Authentication, the default is UPN (User Principal Name).
  • When Tableau Server authentication is configured for Active Directory (AD), the default is LDAP (Lightweight Directory Access Protocol).

CN (Common Name) is an option the administrator can set for either authentication type.

ssl.protocols all -SSLv2 -SSLv3

Tableau Server does not allow external clients to use SSL v2 or SSL v3 protocols to connect. We recommend that you only allow external clients to connect to Tableau Server with TLS v1.2.

Specially, we recommend that you disable TLS v1 and TLS v1.1 on Tableau Server. However, before you disable a specific version of TLS, verify that the browsers that your users connect to Tableau Server with support TLS v1.2. In some cases, you may need to preserve support for TLSv1.1.

If you do not need to support TLS v1.2, then we recommend setting ssl.protocols to all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1.

This command enables TLS v1.2 (using the "all" parameter) and disables SSL v2, SSL v3, TLS v1, and TLS v1.1 (by prepending the minus [-] character to a given protocol).

ssl.revocation.file   Specifies the file path for an SSL CA Certificate Revocation List (CRL) file.

Example: tabadmin set ssl.revocation.file "c:\Program Files\Tableau\Tableau Server\SSL\ca-bundle-client.crl

subscriptions.enabled false Controls whether subscriptions are configurable system-wide. See Set Up a Server for Subscriptions.
subscriptions.timeout 1800 Longest allowable time, in seconds, for a single view in a workbook subscription task to be rendered before the task times out. This value applies separately to each view in the workbook, so the total length of time to render all the views in a workbook (the full subscription task) may exceed this timeout value. 1800 seconds = 30 minutes.
tomcat.http.maxrequestsize 16380 The maximum size (bytes) of header content that is allowed to pass through the Apache gateway on HTTP requests. Headers that exceed the value set on this option will result in browser errors, such as HTTP Error 413 (Request Entity Too Large) or authentication failures.

A low value for tomcat.http.maxrequestsizemay result in authentication errors. Single sign-on solutions that integrate with Active Directory (SAML and Kerberos) often require large authentication tokens in HTTP headers. Be sure to test HTTP authentication scenarios before deploying into production.

We recommend setting gateway.http.request_size_limit option to the same value that you set for this option.

tomcat.https.port

8443

SSL port for Tomcat (unused).

tomcat.server.port

8085

Port that tomcat listens on for shutdown messages.

vizportal.adsync.update_system_user

false

Specifies whether email addresses and display names of users are changed (even when changed in Active Directory) when an Active Directory group is synchronized in Tableau Server. To ensure that user email addresses and display names are updated during synchronization, set vizportal.adsync.update_system_user to true, and then restart the server.

vizportal.csv_user_mgmt.index_site_users

true

When you import or delete users through a CSV file and appropriate tabcmd command, this specifies how user indexing is accomplished. The default setting of true means indexing is done as each user is added or deleted. To improve performance, you can do either of the following:

  • Leave this set to true, and set the vizportal.csv_user_mgmt.bulk_index_users option to true. This is recommended because it does not need to index the whole site, and it can be used along with searchserver.index.bulk_query_user_groups.

  • Set this option to false. This indexes the whole site after the entire CSV file has been processed (including existing users that were not changed during the CSV process).

vizportal.csv_user_mgmt.bulk_index_users

false

Determines whether users imported or removed through a CSV file and appropriate tabcmd command will be indexed individually or as a group. The default setting of false means that users are indexed one-by-one as they are added to the database.

To improve performance when you are working with large sets of users, set this to true, to index users after the CSV file is processed. This option enables you also to use searchserver.index.bulk_query_user_groups set to true for best performance results.

vizportal.log.level info

The logging level for vizportal Java components. Logs are written to ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizportal\*.log.

Set to debug for more information. Using the debug setting can significantly impact performance, so you should only use this setting when directed to do so by Tableau Support. See Change Logging Levels for more information.

vizportal.openid.client_authentication  

Specifies custom client authentication method for OpenID Connect.

To configure Tableau Server to use the Salesforce IdP, set this value to client_secret_post.

vizportal.openid.enabled false In Tableau Server 10.3, set to true to enable OpenID Connect SSO authentication.
vizportal.openid.id_claim sub Change this value if your IdP does not use the subclaim to uniquely identify users in the ID token. The IdP claim that you specify should contain a single, unique string. For more information, see Requirements for Using OpenID Connect.
vizportal.openid.ignore_jwk false Set this to true if your IdP does not support JWK validation. In this case, we recommend authenticating communication with your IdP using mutual TLS or another network layer secure protocol.
vizportal.openid.ignore_domain false

Set this to true if the following are true:

  • You are using email addresses as usernames in Tableau Server
  • You have provisioned users in the IdP with multiple domain names
  • You want to ignore the domain name portion of the email claim from the IdP

Before you proceed, review the user names that will be used as a result of setting vizportal.openid.ignore_domain to true. User name conflicts may occur. In the case of a user name conflict, the risk of information disclosure is high. See Requirements for Using OpenID Connect.

vizportal.openid.static_file file path Specifies the local path to the static OIDC discovery JSON document. See Configure Tableau Server for OpenID Connect.
vizportal.openid.username_claim email Change this value to the IdP claim that your organization will use to match usernames as stored in Tableau Server. For more information, see Requirements for Using OpenID Connect.
vizportal.rest_api.cors.allow_origin Specifies the origins (sites) that are allowed access to the REST API endpoints on Tableau Server when vizportal.rest_api.cors.enabled is set to true.You can specify more than one origin by separating each entry with a comma (,).

tabadmin set vizportal.rest_api.cors.allow_origin https://mysite, https://yoursite

If vizportal.rest_api.cors.enabled is false, the origins listed by this option are ignored. For more information, see Enabling CORS on Tableau Server.

Note: You could also use an asterisk (*) as a wild card to match all sites. This is not recommended as it allows access from any origin that has access to the server and could present a security risk. Do not use an asterisk (*) unless you fully understand the implications and risks for your site.

vizportal.rest_api.cors.enabled false Controls whether Tableau Server allows Cross Origin Resource Sharing (CORS). When set to true, the server allows web browsers to access the Tableau REST API endpoints. You can use this option and the REST API to create custom portals. By default, this functionality is not enabled. To specify which origins (sites) have access, use the vizportal.rest_api.cors.allow_origin option. Only the origins specified with this option are allowed to make requests to the Tableau Server REST API. For more information, see Enabling CORS on Tableau Server.
vizportal.rest_api.view_image.max_age 720 The amount of time, in minutes, to cache images that are generated by the Query View Image method of the REST API. For more information, see the REST API Reference in the REST API help.
vizqlserver.allow_insecure_scripts false Allows a workbook to be published to the server from Tableau Desktop, and to be opened from the server, even if the workbook contains SQL or R expressions that are potentially unsafe (for example, a SQL expression that could potentially allow SQL injection). When this setting is false (the default), publishing a workbook or opening it from the server results in an error message, and the workbook is blocked. You should set this value to true only if you want to use workbooks that contain SQL or R expressions that have been detected as potentially unsafe, and only if the workbooks come from a safe source and you have verified that they do not contain an unsafe expression.
vizqlserver.browser.render true Views under the threshold set by vizqlserver.browser.render_threshold or vizqlserver.browser.render_threshold_mobile are rendered by the client web browser instead of by the server. See About Client-Side Rendering for details.
vizqlserver.browser.render_threshold 100 The default value (100) represents a high level of complexity for a view displayed on a PC. Complexity factors include number of marks, headers, reference lines, and annotations. Views that exceed this level of complexity are rendered by the server instead of in the PC's web browser.
vizqlserver.browser.render_threshold_mobile 60 The default value (60) represents a high level of complexity for a view displayed on a tablet. Complexity factors include number of marks, headers, reference lines, and annotations. Views that exceed this level of complexity are rendered by the server instead of in the tablet's web browser.
vizqlserver.clear_session_on_unload false Determines whether or not VizQL sessions are kept in memory when a user navigates away from a view or closes their browser. The default value (false) keeps sessions in memory. To close VizQL sessions on leaving a view or closing a browser, set this to true. See General Performance Guidelines for more information.
vizqlserver.extsvc.connect_timeout_ms 1000 Extends the timeout value, in milliseconds, for connections to Microsoft’s RServer. Raise the value of this setting if Tableau is timing out before the server can respond.
vizqlserver.extsvc.host   Specifies an external service host.

Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.host. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.

This setting, and the other vizqlserver.extsvc settings, support external service functionality in workbooks—in particular, R servers and Python servers.

R is an open source software programming language and a software environment for statistical computing and graphics. In Tableau Desktop, you can use a set of four functions to pass R expressions to an Rserve server and obtain a result. If you upload a workbook that uses any of these functions, you should configure Tableau Server for an Rserve connection, by configuring this option and the three following. Otherwise, any worksheets that use R functionality will be unavailable.

See Pass Expressions to External Services in the Tableau Help for further details.

vizqlserver.extsvc.port 6311 Specifies an external service port. This setting supports R and Python functionality in workbooks.

Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.port. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.

vizqlserver.extsvc.username   Specifies an external service username. This setting supports R and Python functionality in workbooks. Not all Rserve hosts require a username and password.

Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.username. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.

vizqlserver.extsvc.password   Specifies an external service password. This setting supports R and Python functionality in workbooks. Not all Rserve hosts require a username and password.

Note: In versions of Tableau before version 10.1, this setting was named vizqlserver.rserve.password. Be sure to use this earlier setting name if your Tableau version is older than version 10.1.

vizqlserver.geosearch_cache_size 5 Sets the maximum number of different geographic search locale/language data sets that can be loaded into server memory at the same time. When the server receives a geographic search request for locale/language data set that is not in memory, it will load the set into memory. If loading the data set will exceed the specified limit, the least recently used locale/language data set is cleared from memory so the requested one can be loaded. The minimum value is 1. Each cache takes approximately 60 MB in memory (so if you set this to 10, the memory usage would be 600 MB (60 * 10).
vizqlserver.log.level info The logging level for vizqlserver Java components. Logs are written to ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\*.log.

Set to debug for more information. Using the debug setting can significantly impact performance, so you should only use it when directed to do so by Tableau Support. See Change Logging Levels for more information.

vizqlserver.port 9100 Base port for the VizQL servers.
vizqlserver.protect_sessions true When set to true (the default), prevents VizQL sessions from being reused after the original user signs out.
vizqlserver.querylimit 1800 Longest allowable time for updating a view, in seconds.
vizqlserver.session.expiry.minimum 5 Number of minutes of idle time after which a VizQL session is eligible to be discarded if the VizQL process starts to run out of memory.
vizqlserver.session.expiry.timeout 30 Number of minutes of idle time after which a VizQL session is discarded.
vizqlserver.showdownload true Controls the display of the Tableau Workbook option of the Download menu in views. When set to false, the Tableau Workbook option is unavailable.
vizqlserver.showshare true Controls the display of Share options in views. To hide these options, set to false.

Note: Users can override the server default by setting the "showShareOptions" JavaScript or URL parameter.

 
vizqlserver.trustedticket.log_level info The logging level for trusted authentication. The logs are written to ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\vizql-*.log.

Set to debug for more information. Using the debug level can significantly impact performance, so you should only use it when directed to do so by Tableau Support. See Change Logging Levels for more information.

vizqlserver.trustedticket.token_length 24 Determines the number of characters in each trusted ticket. The default setting of 24 characters provides 144 bits of randomness. The value can be set to any integer between 9 and 255, inclusive. As of Tableau Server 10.4, this option is ignored unless wgserver.trustedticket.use_deprecated_v2_tickets is set to true, which is not a recommended best practice.
vizqlserver.trustedticket.use_deprecated_9digit_token false

When set to true, tickets are 9 digits long (as in version 8.0 and earlier) and the setting vizqlserver.trustedticket.token_length is ignored.

Warning: Setting this option to true severely and negatively impacts the security strength of trusted ticket authentication. For strongest security, upgrade to Tableau Server 10.4 and run trusted tickets in the default configuration.

vizqlserver.url_scheme_whitelist   Specifies one or more URL schemes to whitelist when using URL actions on views and dashboards. The schemes http, https, gopher, news, ftp, and mailto are whitelisted by default. This command can contain multiple comma and space-separated values, as in this example:

tabadmin set vizqlserver.url_scheme_whitelist scheme1, scheme2

The values you specify overwrite previous settings. Therefore, you must include the full list of schemes in the set command. (You cannot amend the list of schemes by running the set command repeatedly.)

webdataconnector.enabled true When this setting is true, you can use tabadmin commands to manage web data connectors on the server, and web data connectors are included when you back up and restore the server. If the setting is false, web data connectors that are on the server are not included during backup and restore. For more information, see Web Data Connectors in Tableau Server.
webdataconnector.refresh.enabled true When this setting is true, the server supports doing refreshes for web data connector-based data sources. For more information, see Web Data Connectors in Tableau Server.
webdataconnector.whitelist.mode mixed Determines how Tableau Server can run web data connectors. Supported modes are:
  • local. Users can run connectors that have been imported to Tableau Server.
  • fixed. Users can run connectors that are on a safe list (whitelist) of URLs.
  • mixed. Users can run imported connectors or connectors on the safe list.
  • insecure. Users can run any connector.

Important: Use the insecure option only for development and testing. Because connectors run custom code, running connectors that have not been vetted can pose a security threat.

For more information about how to add connectors to a safe list and import connectors, see Web Data Connectors in Tableau Server.

wgserver.audit_history_expiration_days 183 Specifies the number of days after which historical events records are removed from the PostgreSQL database (the Tableau Server database). See Collect Data with the Tableau Server Repository for details.
wgserver.authentication.desktop_nosaml false Controls whether or not Tableau Desktop uses SAML for authentication. Use this option when your IdP does not use forms-based authentication. Valid options are true and false. By default this is not set, so the behavior is equivalent to setting it to false. Set this to true to disable SAML authentication for Tableau Desktop.
wgserver.authentication.app_nosaml false Serves as the above setting for the Tableau Mobile app.
wgserver.authentication.login   In Tableau Server 10.2 and earlier, set to saml to enable SAML SSO authentication or set to openid to enable OpenID SSO Connect authentication.
wgserver.authentication.restricted false Controls whether users can sign in to Tableau Server using a Tableau Server username and password. This setting is useful in scenarios where users normally sign in to the server using single sign-on (OpenID Connect or Kerberos, for example). In these cases, if wgserver.authentication.restricted is set to true (the default is false), only system administrators can use tabcmd because this utility doesn't support SSO so requires a username and password.
wgserver.change_owner.enabled true Controls whether the ownership of a workbook, data source or project can be changed. Other options include false and adminonly. See Manage Ownership for details.
wgserver.clickjack_defense.enabled true When set to true, helps prevents a malicious person from "clickjacking" a Tableau Server user. In a clickjack attack, the target page is displayed transparently over a second page, and the attacker gets the user to click or enter information in the target page while the user thinks he or she is interacting with the second page.

For more information, see Clickjack Protection.

wgserver.domain.fqdn value of %USERDOMAIN% The fully qualified domain name of the Active Directory server to use.
wgserver.extended_trusted_ip_checking false Enforces IP client matching for trusted ticket requests.
wgserver.openid.iframed_idp.enabled false When enabled, if you are using embedded views and OpenID Connect, this suppresses the Tableau Server Sign In button and redirects the user to the IdP for authentication.

This only works if the IdP does not implement clickjack protection. If the IdP sign in page implements clickjack protection, the page will not display and the user cannot sign in. Most OpenID IdPs implement clickjack protection and do not allow their sign in page to display in an <iframe> element.

The default is false.

Important: Using this option disables Tableau Server clickjack protection for OpenID, which can present a security risk.

wgserver.restrict_options_method true Controls whether Tableau Server accepts HTTP OPTIONS requests. If this option is set to true, the server returns HTTP 405 (Method Not Allowed) for HTTP OPTIONS requests.

wgserver.saml.enabled

false

In Tableau Server 10.3, set to true to enable SAML SSO authentication.

wgserver.saml.idpattribute.username

username

Specifies the name of the attribute in which your SAML IdP stores user names. By default, this is set to username. If the attribute name that your IdP uses contains spaces, enclose it in quotation marks. For more information, see Configure Server-Wide SAML or Configure Site-Specific SAML.

wgserver.saml.iframed_idp.enabled

false

When enabled, if you are using embedded views and SAML, this suppresses the Tableau Server Sign In button and redirects the user to the IdP for authentication.

This only works if the IdP does not implement clickjack protection. If the IdP sign in page implements clickjack protection, the page will not display and the user cannot sign in. Most SAML IdPs implement clickjack protection and do not allow their sign in page to display in an <iframe> element.

The default is false.

Important: Using this option disables Tableau Server clickjack protection for SAML, which can present a security risk..

wgserver.saml.logout.enabled

true

Specifies whether SAML logout is enabled for Tableau Server. The default is true. This setting only applies if SAML authentication is enabled for Tableau Server.

wgserver.saml.logout.redirect_url

 

Specifies the post-logout landing page for SAML authentication. The default is the standard server sign-in page. You can specify an absolute or a relative URL. For more information, see SAML Requirements.

wgserver.saml.maxassertiontime

3000

Specifies the maximum number of seconds, from creation, that an assertion is usable.

wgserver.saml.maxauthenticationage

7200

Specifies the maximum number of seconds allowed between user's authentication and processing of the AuthNResponse message.

wgserver.saml.responseskew

180

Sets the maximum number of seconds difference between Tableau Server time and the time of the assertion creation (based on the IdP server time) that still allows the message to be processed.

wgserver.session.apply_lifetime_limit false Controls whether there is a session lifetime for server sessions. Set this to true to configure a server session lifetime.
wgserver.session.lifetime_limit 1440 The number of minutes a server session lasts if a session lifetime is set. The default is 1440 minutes (24 hours). If wgserver.session.apply_lifetime_limit is false (the default) this is ignored.
wgserver.session.idle_limit 240 The number of minutes of idle time before a sign-in to the web application times out.
wgserver.site_saml.enabled false Set to true to enable site-specific SAML so that each site on Tableau Server uses a different SAML identity provider (IdP).
wgserver.trusted_hosts   IP address or host names of web servers that request trusted tickets from Tableau Server. This command can contain multiple comma and space-separated values enclosed by double quotes, as in this example:

tabadmin set wgserver.trusted_hosts host1, host2

The values you specify overwrite previous settings. Therefore, you must include the full list of hosts in the set command. (You cannot amend the list of hosts by running the set command repeatedly.) The web servers you specify must use static IP addresses, even if you use host names (learn more).

wgserver.trustedticket.use_deprecated_v2_tickets false Specifies whether Tableau Server should return a legacy URL format for trusted ticket requests. The legacy URL format includes a 24 character, Base64-encoded string. Beginning with Tableau Server 10.4, the URL that is returned has been updated and includes a Base64-encoded UUID and a 24 character secure random string. Only set option this to true if you have deployed trusted tickets with custom code that requires the legacy URL format. We recommend instead, updating your custom code to accept the new URL format.
wgserver.unrestricted_ticket false Specifies whether to extend access to server resources for users authenticated by trusted tickets. Default behavior allows users to access views only. Setting this to true allows users with valid trusted tickets to access server resources (projects, workbooks, and so on) as if they had signed in using their credentials.
workerX.gateway.port 80 (443 if SSL) External port that Apache listens on for workerX. worker0.gateway.port is Tableau Server’s external port. In a distributed environment, worker0 is the primary Tableau Server.
workerX.vizqlserver.procs # of processes Number of VizQL servers.
workerX.vizqlserver.port 9100 Base port for the vizQL server on workerX.
zookeeper.config.dataLogDir   Specifies the directory and file path for ZooKeeper transaction logs. By default ZooKeeper transaction logs are written to the Tableau data directory (for example c:\Tableau\Tableau Server\data\tabsvc\zookeeper\0\data). Use this option to specify a different location.

The drive and path apply to all nodes in a cluster. The location will be created if it does not exist. The drive must exist and be writable on all nodes. This should not be a UNC path to a share.

ZooKeeper recommends that transaction logs be written to a dedicated drive to optimize performance.

Example: tabadmin set zookeeper.config.dataLogDir "d:\Tableau\Tableau Server\zookeeper"