Chapter 11
Installing Tableau Server

The more you have in your cup, the more likely people are to want a drink.

Seth Godin1

In the first ten chapters, you learned how to use Tableau to connect to data, analyze data, visualize data, build dashboards, and share stories. This chapter and the next two are about installing, managing, and automating Tableau’s Server. Tableau provides three different tools for sharing information—Tableau Public, Tableau Online, and Tableau Server.

Tableau Public is a free cloud-hosted service aimed at bloggers, students, or data visualization enthusiasts who want to share their work publicly. It is not designed for enterprise environments that require data security. In fact, anything published on Tableau Public is freely available for anyone to download. This tool is generally not used in enterprise environments that need to control access to the information.

Tableau Online is another cloud-based information sharing environment (managed by Tableau Software) that provides data security without the need for installing any software or managing hardware. Your data is stored in a secure environment managed by Tableau Software. To start using Tableau Online, just sign up for the service and assign access to your users based on your security needs.

Tableau Server is for customers who need to control where and how the data is stored and managed. It can be installed on hardware behind your firewall or on cloud services that you contract with directly. You can license it by named user or based on the server hardware that it is installed on.

What’s New in Version 9?

Tableau V9 provides significant performance and usability improvements when compared to earlier editions of Tableau Server. The visual interface for both the server user and server administrator has been redesigned to provide more information at a glance. Server provides improved activity analysis via analysis dashboards that include information on view counts, user activity, actions by user, background task details, statistics for space usage, load times, and more.

Server’s performance has been improved. Tableau Software published a Tableau Server 9.0 Scalability analysis.2 This paper documents significant improvements in concurrent user scalability, query speeds, and reduced time-outs resulting in errors. These improved results do require increased investments in RAM, so you should consider investing in more RAM before you upgrade from V8 to V9.

InterWorks consultant Glen Robinson did comparison tests of Tableau Server 8.3 and 9.0 with Tableau Server deployed in the cloud on Amazon Web Services using two different CPU configurations.3 His testing showed improved response times just under 3X using an 8-core CPU and 3.5X using a 16-core CPU. While results were different from those reported by Tableau Software, the performance improvements are still significant. Your results will be different, but you should expect to see better query response times even with increased user concurrency rates in Tableau Server 9 versus Server 8.3.

Tableau Server 9 also provides the administrator with more control over clustering in multi-node and high-availability environments. You can now set a preferred server for the Active Repository, which may be important if your server hardware is different for each of the servers in your cluster. For example, you can specify that the active repository run on the most powerful server in your cluster. See Glen’s blog post referenced in the end notes to this chapter for more details. Tableau continues to provide more ways to secure your data through Secure Sockets Layer (SSL), SAML, and Kerberos.

Tableau Server 9.1 also gives the administrator the option to schedule synchronization of all Active Directory groups. Synchronization can be customized hourly, daily, monthly, or on demand. This feature can be disabled by the server administrator. At the time of this writing, Tableau Server 9.2 is in beta release. Permissions locking features are being added to provide more control over Project view, interaction, and editing.

This chapter focuses on options you need to consider when installing or upgrading Tableau Server. Chapter 12 focuses on managing Tableau Server, and Chapter 13 discusses automating Tableau Server through the command-line tools and the enhanced SDK and API toolsets provided through Tableau Server Version 9.1.

Reasons to Deploy Tableau Server

Most companies begin using Tableau by purchasing a few licenses of Tableau Desktop. While learning how to use the software, you will share your workbooks with other Tableau Desktop users in your company. You may also save your analysis in packaged workbooks so that you can share your workbooks with other team members using Tableau’s free Reader product. Or you may have a few licenses of Tableau Online for providing access to mobile team members via the cloud.

As Tableau’s value to your organization is proven, the number of people wanting Tableau visualizations and dashboards will grow. You have to scale to a larger number of analysts or information consumers. Some people may want to make their own (slightly different) versions of the reports you publish but don’t require the facility that Tableau Desktop offers. Tableau Server allows you to share your work securely with a much larger number of people who will access your workbooks and dashboards via a web browser or tablet app. Tableau Server provides desirable features including:

  • Data governance (security)
  • Efficiency (sharing workbooks, data connections, and data extracts)
  • Flexibility (consumption and editing options)

Server’s architecture provides the flexibility to scale from a single box to large multi-server deployments. Tableau Server supports several different security protocols including Secure Sockets Layer (SSL), Security Assertion Markup Language (SAML), and network authentication via Kerberos. Windows Active Directory can be utilized for user authentication. Tools are provided for setup and maintenance of access rights, scheduling, and notification. Downloading and installing Tableau Server normally can be done in less than two hours.

Tableau’s growing partner network provides additional add-on tools for merging workbooks, style management, data source auditing, best practice analysis, and performance-tuning. Automation tools are available that allow you to create workflows for managing and monitoring growing enterprise deployments. Software development kits (SDKs) are available that allow you to create your own custom batch automation, determine data lineage, create dynamic parameters by binding data, and more. Given Tableau’s rapid growth over the past several years, it’s likely that this add-on market will continue to grow to address a wide variety of customer needs that are outside of Tableau’s standard capabilities.

Data Governance

Securing proprietary or confidential data is not only a business need, but it can also be a legal requirement. Information managed by healthcare providers, insurance companies, and government entities is controlled by law. Businesses have a legal obligation to ensure private employee and customer data is kept confidential and secure.

Businesses must be concerned about the accuracy and consistency of the data being consumed by staff without being overly controlling. Tableau Server balances these needs well by supporting data governance best practices. It allows information technology staff to maintain control over data sources (providing a single version of the truth) while simultaneously providing information consumers with the ability to adapt reports to their own purposes—without the need for additional technical staff or needing to resort to creating new (unauthorized) data sources.

Efficiency

Sharing reports is easy via Tableau’s free desktop report consumption tool—Tableau Reader. However, this approach doesn’t scale well and provides limited means for securing the underlying data. Updating desktop reports is easy but can be time-consuming if you have dozens of weekly reports to deliver. Tableau Server provides a secure environment for report consumption and can automatically update reports and inform users of new report availability via Server’s subscription service. Administrators can monitor report consumption, server utilization, and performance.

Tableau Online provides similar benefits at a lower price point but requires that you publish Tableau reports outside of your firewall.

When the data source doesn’t include all of the information desired, domain experts on your team can create starter workbooks that address aggregation needs, dimension grouping, and other particulars that are desirable to share with everyone using Tableau. Server facilitates this sharing by allowing users to publish the metadata via data source files through the server—saving everyone time and ensuring report consistency. When those data source files are modified, changes are automatically propagated to everyone using the published data source.

Personnel consuming reports don’t need to install any software to view reports because everything is viewed via a web browser. Internet Explorer, Microsoft Edge, Firefox, Chrome, and Safari are all supported.

Flexibility

If you use data extracts, updates can be scheduled to run automatically at almost any time interval desired. Do not underestimate the level of demand that Tableau generates. Your deployment may quickly go from a few users to hundreds and then thousands. The number of reports will increase as well. Server provides users with an easy-to-navigate environment that allows them to ask questions and quickly get answers. It also provides administrators tools for managing and updating reports without the need for daily manual intervention.

Administrators can assign rights for publishing, consuming, and modifying reports. Interactive reports can be embedded into existing websites, and Tableau can pass through the security layer without requiring the user to re-enter login information. Authorized consumers can securely view and edit reports via the web on their desktop, laptop, and iOS or Android Tablet devices.

Tableau Server is a robust environment that provides technology managers with the tools to secure and maintain the environment while also providing information consumers with fast access to the information they need.

Licensing Options for Tableau Server and Tableau Online

Tableau Server can be licensed in two different ways:

  • Per-named-user basis
  • Server core license

Core licensing provides unlimited access to any number of users. Pricing is based on the number of processor cores contained on the server(s) on which you deploy the software. Named-user licensing starts with a minimum of ten users. Core licensing requires an eight-core minimum. Although many factors can affect performance in a server deployment (hardware, network traffic, dashboard design), an eight-core configuration can support in the low hundreds of concurrent users.

Tableau Online is sold via a named-user license that requires a one-year commitment. You can start with a single license and add more as your needs grow.

Determining Your Hardware and Software Needs

Tableau Server is a scalable system that is capable of meeting the demands of the most intense enterprise environments. Proper planning is an important first step before you settle on the appropriate hardware configuration and licensing options. At a minimum, you should consider the following details when planning your deployment:

  • User count
  • User concurrency rate
  • Workbook complexity
  • User locations
  • Database locations
  • Database size
  • Extract usage—number and size

User count is easy to estimate because it represents the number of licensed users of Tableau Server that are able to make requests to the server. User concurrency rates represent the percentage of the licensed users that will be making requests at any single moment. For example, a deployment anticipating 1,000 licensed users with an expected concurrency rate of 10 percent implies that approximately 100 users will be active in the system at any moment. This is more difficult to estimate but tends to range between 2 and 10 percent of total licensed users. If you have an existing analytics system or web portal that is actively used for report distribution, do not assume that you will see similar usage levels in Tableau Server. In our experience, this is not reliable. Well-designed, interactive Tableau dashboards increase server traffic when compared to legacy systems because Tableau is more popular with users.

Tableau workbook size and complexity can vary widely. For this reason, before you plan your Server environment, it is advisable to identify a core group of report designers, train them, and have them build some initial reports that can serve as a basis for planning. This typically doesn’t require more than a month to accomplish and doesn’t need to involve many staff. Not all requests made to Tableau Server are equivalent. Server will spend more resources to render dashboards with complex designs and large volumes of data than dashboards with simple designs and low record counts. Poorly designed dashboards are the most common cause of poor performance in Tableau Server.

If you have users in many locations or have database services deployed across multiple geographies, you may need to have a correspondingly larger number of Tableau Servers to support local demands if a central service isn’t able to provide the desired responsiveness.

You must also consider the amount of data you have as well as the type of database sources you are using. Massive data or heavy demand, along with a database that wasn’t designed for intense analytical loads, can create the need for shifting some of the analytical burden from the database to Tableau Server. This is accomplished by publishing Tableau Data Extract (.tde) files to Tableau Server.

New Feature: Persistent Query Cache

Beginning with Version 9.0, the query cache has been moved into its own process. This allows for more efficiency by sharing the cache between processes to increase the number of cache hits. This query cache is also now persistent, meaning that results in cache are maintained across restarts.

Determining What Kind of Server License to Purchase

If you don’t require that your data and reporting be on your own network—behind your firewall—Tableau Online provides a convenient option. Tableau Online is a cloud-based version of Server. Tableau Software manages the hardware and is responsible for maintaining network performance. It is a good option if you are comfortable with Software-as-a-Service (SaaS) models and you don’t have any legal restrictions preventing you from storing information this way. Your Tableau Online administrator is responsible for controlling access by setting permissions for publishing and viewing the data.

If your organization is unable to store its data in the cloud outside of your firewall, Tableau Server’s named-user licensing and core-server licensing allow you to directly control every aspect of Tableau Server’s setup and configuration—inside or outside of your company’s firewall. For most large enterprise customers, Tableau Server offers the most flexibility.

Tableau Server’s named-user licensing is exactly what it sounds like—one license purchased per user, meaning that a license must be purchased for each individual user of the system. If there are ten distinct employees who need access to Tableau Server, then all ten of them must have a named-user license.

A question that many people ask is whether Tableau can be deployed on any kind of multiplexing device so that individual users can share the named-user license. The answer is no. Licenses are transferable, but this is not a practical way to split a single named-user license among an active user base. Named-user licenses are also referred to as Interactor licenses.

Core licensing allows customers to license Tableau Server by the server processor core—avoiding the purchase of licenses for specific named users. Core licensing provides greater flexibility, allowing for as many users as a server can support from a resource perspective. These licenses are typically sold in eight core multiples. Pricing for core licensing reflects the fact that a single core can support many users. It also provides the option of enabling a special guest account to enable unrestricted access to reports assigned by the administrator. The guest account must be enabled by the administrator.

The number of users you anticipate accessing the system typically determines which licensing model you choose. Smaller entities with low user counts typically find that named-user licensing provides a better value. Tableau Online will also appeal to this segment if externally hosted security is permitted. Large organizations with user counts in the hundreds typically find core licensing more cost effective.

In some cases, mixed licensing models might be desirable because hardware limitations imposed by the core licensing model can be alleviated through the selective use of named-user licensing and/or Tableau Online.

Tableau Server’s Architecture

Tableau Server comprises many processes operating together. These may run concurrently, but typically all processes won’t be running all of the time. These include:

  • API Server (wgserver.exe)
  • Application Server (wgserver.exe)
  • Cache Server (redis-server.exe)
  • Cluster Controller (clustercontroller.exe)
  • Coordinator Service (zookeeper.exe)
  • File Store (filestore.exe)
  • Search & Browse (searchserver.exe)
  • VizQL Server (vizqlserver.exe)
  • Data Engine (tdeserver.exe, tdeserver64.exe)
  • Backgrounder (backgrounder.exe)
  • Data Server (dataserver.exe)
  • Repository (postgres.exe)

The API Server handles REST API calls. The Application Server handles requests to the web application such as searching, browsing, logging in, generating static images, and managing subscriptions. The Cache Server handles the query cache. The Cluster Controller is responsible for monitoring Tableau Server’s components, identifying failures, and executing failovers. The File Store replicates extracts across data engine nodes. Search & Browse is responsible for fast search, filtering, retrieval, and displaying content metadata.

The VizQL server handles the task of loading and rendering requested views. The Data Engine receives queries made to Tableau data extracts present on the server. These queries come from the VizQL processes. To service these queries, the Data Engine loads the Tableau Data Extracts into memory and returns the requested recordset. The Backgrounder runs maintenance tasks and data extract refreshes. The Data Server handles requests to Tableau Data Sources. These requests can come from the Tableau Server or from Tableau Desktop users. The Repository is the Postgres database Tableau Server uses to store settings, metadata, usage statistics, and workbooks.

Sizing the Server Hardware

Tableau Server runs well within a variety of hardware configurations. It can be deployed for small organizations on a relatively inexpensive single system. It can also be deployed for large organizations with thousands of users on clusters containing many powerful machines. You get what you pay for in terms of performance from hardware expenditures. Our own test results and those reported by Tableau indicate performance gains in Tableau Server 9 are enhanced significantly with 16-core CPUs—more so than with prior versions.

The current minimum recommended hardware configuration for Tableau Server is a single machine with 32GB of memory and 8-CPU cores. Specific recommendations regarding the size and configuration of your deployment are affected by many factors, including the complexity and size of the dashboards, the data sources, the timing and frequency of usage, the network, the hardware configuration running the software, and whether or not you have the need for high availability redundancy. For these reasons, specific benchmarks are not provided. Consult with Tableau Software’s technical staff or a qualified Tableau Software Partner to obtain specific recommendations.

As it is likely that the cost of hardware (particularly in a large-scale deployment) is going to be the least expensive part of your project cost, it would be prudent to oversize your hardware. If you skimp on hardware, you increase the chances for grumpy users, and you risk greater help-desk call volume.

A Scale-Up Scenario

To scale Tableau Server up on a single system, choose a platform that can provide more physical CPU cores and more system memory. At this time, major hardware manufacturers are shipping servers that support up to 32 physical CPU cores and far more memory than Tableau Server will require. The ratio of CPU cores to system memory (1 CPU to 4GB memory) is a good general guideline to follow. Plan for more memory when use of very large Tableau data extracts is expected. The data engine will hold data extracts in memory if possible. This improves query performance.

Disk performance is a secondary consideration when planning for Tableau Server in most cases. The major exception is situations in which there is heavy use of the data engine with extracts that will not fit into memory. In this case, the data engine is forced to go to disk frequently—making faster I/O potentially worthwhile. Otherwise, even with heavy use of the data engine, Tableau Server does not benefit a great deal from more exotic I/O setups such as arrays of Solid State Drives (SSDs).

An example of a scale-up configuration for Tableau Server is a single machine with 24-CPU cores and 96GB of memory. Based on the current Tableau Server scalability tests, it’s expected that this server could handle somewhere between 108 and 378 concurrent requests depending on workbook complexity.

A Scale-Out Scenario

To scale Tableau Server out, multiple servers will need to be provisioned, and the server processes will be split across them. In this case, the servers are not required to be configured identically. It is a common pattern to tailor each machine in a cluster to the processes running on it. Deploying Tableau Server on multiple servers is discussed in greater detail later in this chapter in the section on “Deploying Tableau Server in High Availability Environments.”

An example of a scale-out configuration for Tableau Server is a cluster consisting of three machines each configured with 8-CPU cores and 32GB of memory. This configuration will provide slightly lower performance than the sample scale-up configuration because of the server communication overhead introduced by the cluster.

Regardless of whether you plan to scale up or scale out, if you decide to purchase under the core-license model, you need to determine the number of cores that you’ll be required to purchase. Do this by counting the number of physical cores across all of the machines that will be running Tableau Server processes, excluding servers that are running unlicensed services only.

Environmental Factors That Can Affect Performance

There are many environmental factors that can affect performance of Tableau Server. Typically, the most significant factors relate to network performance, the browser, and resource contention.

Network Performance

Users will be connecting to Tableau Server either through an internal network or via the public Internet. Slow network links between users and Tableau Server can cause erratic dashboard behavior. Spotty Internet connections are a common cause of long dashboard load times. If you do experience slow connection speeds, the best solution is to increase the available bandwidth of the connection.

Browser

The user experience of Tableau Server is dependent on JavaScript. As such, some browsers can cause Tableau Server to feel unresponsive or sluggish because of their sub-par JavaScript performance. Older browsers are major offenders in this case. Chrome, Firefox, Safari, Edge, and modern versions of Internet Explorer all have superior JavaScript performance. If it takes a few clicks to get a quick filter drop-down selection to apply, you might be running into a browser performance issue.

Resource Contention

Tableau Server will not perform well in environments with other resource-hungry applications and services running on the same machine. Resource contention can cause slowness in each component process of Tableau Server. To get the most out of your Tableau Server license expenditure, ensure that Tableau Server is the only application running on the machine(s).

Configuring Tableau Server for the First Time

When installing Tableau Server, there are many configuration options to evaluate. These setup options are system-wide. Some are permanent and not easily changed after initial setup. For example, the user authentication method you choose is permanent, so you should carefully consider the option you select for user authentication before you begin installation of Tableau Server.

Before you attempt to install Tableau Server for the first time, go online and search for “Tableau Server Administration Guide 9.” You can get a PDF of the entire administrator manual (around 600 pages) or access it via the Web. Review this guide first. After installing Tableau Server, you can also access the administrator manual and additional documentation from within Tableau Server.

This section will detail the steps required for a first-time installation of Tableau Server but will also include more advanced features related to Alerts and Subscriptions and different security options you can apply. I will not detail (but will outline) the steps you should take for upgrading Tableau Server.

It’s not uncommon for new Tableau Server users to install Tableau Server on a laptop as a localhost for initial testing. To do this, your computer should have

  • CPU (with at least two cores)
  • 4GB RAM
  • 15GB free disk space

This configuration will support the 32-bit version of Tableau Server. When you are ready to deploy Tableau Server in an actual server environment on premise or in the cloud, use the 64-bit version. This requires

  • CPU (with at least 4 cores)
  • 8GB RAM
  • 15GB free disk space

After downloading and installing the Tableau Server zip file, you’ll be presented with the typical Windows software installation screens that ask for you to verify the install location, region, and language options and then the activation screen where you can activate your license or start a 14-day trial. You can also choose to activate the software offline. See Tableau’s online manual for details on offline activation. Now you are ready to start configuring Server.

General Setup Menu Tab

When you install server for the first time, the configure menu presents four possible different menu tabs—General, Data Connections, Alerts and Subscriptions, and possibly a security setting tab. Figure 11-1 shows the General tab configuration menus.

Figure 11-1: Server configuration—General tab

Server Run As User (area 1) refers to the Windows username that the Tableau Server service (tabsvc) will run under. By default, this is configured as the Network Service account. This can be changed to either a local machine account or a domain account. If you choose a domain account, specify the domain with the username. One reason to use a domain account is to provide access to data sources that require Windows NT authentication without prompting users for credentials. In Figure 11-1, the account specified is TSI\mcedward, which matches the DOMAIN\username used in a Tableau On Demand training video on Tableau’s website.

General: Run as User, User Authentication, and Active Directory

Area 2 of Figure 11-1 displays the options for authenticating users:

  • Local Authentication
  • Active Directory Authentication (AD)

It is important that you carefully choose the authentication method because this cannot be changed once the server is installed. This is permanent. Changing it later isn’t easy. Tableau does provide procedures on its website if you are forced to change your user authentication later. Avoid that heartache by carefully choosing this before you install the software.

Local Authentication means that you will create a username and password setup inside Tableau. This is not the authentication method most administrators select. Using Active Directory authentication requires that users who are added to the Tableau Server must already exist within your Active Directory. Because most organizations already have Active Directory in place to provide security for network access, selecting Active Directory authentication allows you to reuse your existing security structure. Figure 11-1 (area 2) shows the User Authentication menu under the General settings tab. In the figure, Local Authentication is selected. This is fine if you are doing a localhost installation, but if you are installing on a network server, you should select Use Active Directory.

Be sure to enter the domain name and nickname in Figure 11-1 (area 3) when choosing to authenticate with Active Directory. This domain name must be a fully qualified domain name. Using the AD method allows an additional option—Enable Automatic Log-on. This option enables users to automatically log into Tableau Server with the currently logged in Windows account credentials via the Microsoft Security Support Provider Interface (SSPI).

If you are installing Server 9.1 or greater, Tableau Server can be enabled to synchronize Active Directory Groups that have been imported into Tableau Server. You can also schedule synchronizations for daily, weekly, or monthly intervals at specific times. Before V9.1 this was possible only through Tableau Server’s command-line tool tabadmin. Tableau’s command-line tools are covered in Chapter 13.

General: Gateway Port Number

By default, Tableau Server accepts requests on port 80 (Figure 11-1, area 4). If you have a firewall or proxy in front of the Tableau Server host, you may need to modify this port number. If you aren’t the system administrator, contact that person to get the specific port number for your network.

General: Open Port in Windows Firewall

Select the Open port in Windows firewall check box (Figure 11-1, area 5) to open the specified port number shown in area 4 as well as port number 443 if SSL is enabled.
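
A post-install check of the General tab choices described above (the Run As account, the gateway port, and the Windows firewall opening), given here as an added example that is not from the book or from Tableau. It assumes an elevated PowerShell session on the server host with the NetSecurity and NetTCPIP cmdlets available; the parameter and function names are hypothetical, and `tabsvc` is the service name given in the text.

```powershell
# Added example, not from the chapter. Run elevated on the Tableau Server host.
param(
    [int]$GatewayPort = 80,   # value entered in area 4; 80 is the default named in the text
    [switch]$SslEnabled       # pass this when SSL is enabled, so 443 is expected to be open
)

function Get-RunAsAccount {
    # 'tabsvc' is the service name given in the text.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='tabsvc'"
    if (-not $svc) { throw "Service 'tabsvc' not found on this host." }
    $name = $svc.StartName
    # Classify the account into the three options the General tab offers.
    $kind = if ($name -match '^(NT AUTHORITY\\|LocalSystem$)') { 'built-in service account' }
            elseif ($name -match '^\.\\' -or $name -like "$env:COMPUTERNAME\*") { 'local machine account' }
            else { 'domain account' }
    [pscustomobject]@{ Service = $svc.Name; RunAs = $name; Kind = $kind; State = $svc.State }
}

function Get-InboundAllowRule {
    param([int]$Port)
    # Enabled inbound allow rules whose TCP local-port list names $Port exactly.
    # Rules written as a range ("8000-8100") or as "Any" are not matched here.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -eq 'TCP' -and $portFilter.LocalPort -contains "$Port") {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Port          = $Port
                Rule          = $rule.DisplayName
                Profile       = "$($rule.Profile)"
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
    }
}

# The gateway port should be open; 443 should be open only when SSL is enabled.
$checks = @(@{ Port = $GatewayPort; Expected = $true })
if ($GatewayPort -ne 443) { $checks += @{ Port = 443; Expected = [bool]$SslEnabled } }

$report = foreach ($c in $checks) {
    $rules     = @(Get-InboundAllowRule -Port $c.Port)
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $c.Port -ErrorAction SilentlyContinue)
    # Rules that apply on the Public profile (or all profiles) with no remote-address limit.
    $wide      = @($rules | Where-Object { $_.Profile -match 'Any|Public' -and $_.RemoteAddress -eq 'Any' })

    $note = if ($c.Expected -and -not $rules)     { 'expected open, but no allow rule found' }
            elseif (-not $c.Expected -and $rules) { 'allow rule present although SSL is not enabled' }
            elseif ($wide)                        { 'rule covers the Public profile with any remote address; confirm this scope is intended' }
            else                                  { 'ok' }

    [pscustomobject]@{
        Port      = $c.Port
        Expected  = $c.Expected
        Listening = $listening
        Rules     = ($rules.Rule -join '; ')
        Note      = $note
    }
}

Get-RunAsAccount | Format-List | Out-Host
$report | Format-Table -AutoSize -Wrap | Out-Host
```

Run it once with the values you entered during setup and again after any later change to the gateway port or SSL setting, so that the firewall state stays in step with the configuration.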

General: Include Sample Data and Users

If you decide to include sample data and users (Figure 11-1, area 6), Tableau will install a sample project with workbooks. This is a good way to check that your installation is working properly and is recommended. You can delete the files once you’ve confirmed that everything is working properly.

Data Connection Tab

The data connection cache options are defined in the Data Connections tab you see in Figure 11-2.

Figure 11-2: Data Connections tab

The caching options within Tableau Server dictate how often cached data will be reused and how frequently data will be queried from the data source. The options include

  • Refresh Less Often
  • Balanced
  • Refresh More Often

Caching option selections can significantly affect performance. Reading from the cache is much quicker than querying the data source directly. In most cases, leaving this option set to Refresh Less Often will provide the best performance. The main reason to change to Balanced or Refresh More Often is to prevent old data from being reported when you have a rapidly changing data source. You can change this setting later if your environment’s needs change.

The Initial SQL section at the bottom of Figure 11-2 is important if your users will be connecting to a Teradata data source to build views. Tableau provides the option to define a SQL command that will run one time when the workbook is loaded into the browser. Unless you are accessing Teradata, this option should not be selected. For performance and security reasons, Teradata administrators may find it desirable to turn this option off.

Alerts and Subscriptions

This menu tab is where you set up email alerts for system administrators and for end users interested in receiving e-mail notification when workbooks are updated. Figure 11-3 shows the Alerts and Subscriptions menu tab.


Figure 11-3: Alerts and Subscriptions tab

To enable e-mail alerts for systems administrators that provide notifications related to server health issues, click the check box highlighted in the upper left of Figure 11-3. This means that the administrator in the bottom section will receive an e-mail from the defined address [email protected] to the addresses [email protected] and [email protected]. You must also enter a valid SMTP server address. If your SMTP account requires it (this is an optional setting), you may also have to enter a valid username and password for the SMTP server. The default port value is 25. You should change this only if you know you are using another port number.

Subscriptions allow Tableau Server users to receive e-mail notifications when a workbook is updated. To enable e-mail subscriptions, select the option highlighted at the top right of Figure 11-4.

Completing the SMTP Server information, send from e-mail account, and the Tableau Server URL settings that are highlighted in Figure 11-4 will give your server users the ability to create e-mail notifications that will come to their e-mail Inbox when the selected views are updated. Figure 11-5 shows the top of the server site page where your users can create subscriptions.


Figure 11-4: Enable e-mail subscriptions


Figure 11-5: Subscription icon

After enabling subscriptions, a small mail icon will appear in the upper-right side of server web pages. This icon enables users to define subscriptions for the view. To subscribe, the user clicks the icon circled in Figure 11-5 to expose options for defining a title for the e-mail (it will default to the sheet name), the delivery schedule (server includes standard schedule or you can customize schedules), and whether to include the view currently being displayed or all the sheets in the workbook. When the subscription is delivered, it includes an image of the sheet. The user can click the image to open the view in Tableau Server.

Server Processes

When Tableau Server is installed, various server processes are installed and configured automatically. Beginning with Tableau Version 9, new processes have been added that provide additional capability. You are now able to reconfigure these processes in multi-server clusters to assign specific processes to each machine. See the online Tableau Server Administrator manual for details. Tableau V9’s new processes include the following:

  • API server: Handles REST API calls
  • Application server: Supports browsing and searching the web application
  • Backgrounder: Executes tasks, including extract refreshes, tabcmd tasks, and “Run Now” tasks
  • Cache server: Query cache to improve load speeds
  • Cluster controller: Monitors components, detecting failures and executing failover in clustered environments
  • Coordination service: In distributed installations, ensures a quorum exists for automating decisions during failover
  • Data engine: Stores data extracts and answers queries
  • Data server: Manages connections to Tableau Server data sources
  • File store: Automatically replicates extracts across data sources
  • Repository: Stores user metadata
  • Search & Browse: Searches, filters, retrieves, and displays content metadata on the server
  • VizQL: Loads and retrieves views; computes and executes queries

If you are deploying Tableau on a single server, processes related to multi-server clusters will not be present as they relate to coordination of services within distributed environments. Earlier versions of Tableau Server had fewer processes. Added capability has increased the number of Tableau Server’s processes. Tableau Server 9 is a more capable enterprise tool with improved scalability and security. Greater capability comes at the cost of more overhead and greater complexity in the background. For more information on Tableau Server, see Tableau’s online Administrator Guide.

Security Options

A few years ago Tableau Server security was an easy topic to write about because there were limited options. Fully covering this topic today would require hundreds of pages. I will strike a balance in this section between what a curious Tableau Desktop user might be interested in and what an experienced, technical network administrator needs to know about how security protocols operate within Tableau Server. Tableau Server security is based on the following items:

  • User identity: Handled via authentication
  • What users can do: Authorization of access to data
  • Securing communications: Network security protocols
  • Securing data: Vendor access methods and protocols

Tableau Server authentication is accomplished globally through the User Authentication method selected under the General Settings tab shown in Figure 11-1. To prevent unauthorized intrusion to communications required between server users and the physical server(s), Tableau utilizes Secure Sockets Layer (SSL) encryption. This is referred to as External SSL. To encrypt communication between Tableau Server’s Postgres data repository and other server components in your deployment, SSL is also used. This is called Internal SSL. To avoid the inconvenience of multiple sign-ons within a secure connection, Tableau supports a variety of different methods including SAML (Security Assertion Markup Language) and Kerberos (an authentication protocol developed by MIT and used by Microsoft Windows as the default authentication method).

After identifying users and securing communications, Tableau Server utilizes a hierarchy of site roles to define permissions for exactly what users can do. Site roles include

  • Server administrator: With access to do anything
  • Site administrator: With access to do anything on a particular Server site
  • Publisher: Someone permitted to publish content to Server
  • Interactor: Someone permitted to interact with views on Server
  • Viewer: Someone who can merely look at views on Server

The exact details of what each level is allowed to do are defined by permissions. Permissions can be assigned to individuals, workbooks, data sources, projects (a collection of workbooks), groups (a collection of people), or all users. The combination of all of these different systems provides robust security. Tableau V9 greatly enhanced the interface for viewing and setting permissions by making the interface more visual.

External Secure Sockets Layer

This section assumes that you have already obtained an SSL certificate for your network. To enter the details for your network, follow these steps:

  1. Open the Tableau Server Configuration Utility from your Windows Server Start menu by selecting Start ⇒ All Programs ⇒ Tableau Server 9.0 ⇒ Configure Tableau Server.
  2. In the Configuration Tableau Server dialog box, select the SSL tab.
  3. Select Use SSL for Server Communication and provide the location for each of the certificate files you see in Figure 11-6.

    Figure 11-6: External SSL setup menu

  • SSL Certificate File: Must be a valid PEM-encoded x509 certificate with the extension .crt.
  • SSL Certificate Key File: Must be a valid RSA or DSA key that has an embedded passphrase and is not password protected, with the file extension .key.
  • SSL Certificate Chain File (Optional): Some certificate providers issue two certificates for Apache. The second certificate is a chain file that is a concatenation of all the certificates forming the chain for the server certificate. All of these certificates must be x509 PEM encoded, and the file must have a .crt extension (not .pem).

After entering the details, click OK. The changes will be applied when Tableau Server is restarted. Tableau Server currently uses SSL only over port 443. If you have to configure a multi-node cluster and your primary server is the only node that is running the gateway process, you can follow the steps defined earlier. If your setup has multiple gateways, you’ll have to configure your load balancer for SSL and Tableau. If you need to change these settings after installation, select the Configure Tableau folder in All Programs. For more information about this more advanced configuration, refer to Tableau’s online Administrator Guide.
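A structural pre-flight check for the three files listed above, as an added example that is not from the book or from Tableau. It checks the file extension, the PEM framing, and that the key is an RSA or DSA key that is not password protected; it does not verify signatures, expiry, or that the key matches the certificate. The function names and sample file names are assumptions, and the sample blocks are constructed placeholder bytes, not real certificates or keys.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# DER-encoded algorithm OIDs found inside an unencrypted PKCS#8 ("PRIVATE KEY") block.
OID_RSA = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
OID_DSA = bytes.fromhex("06072a8648ce380401")      # id-dsa


def pem_blocks(text):
    """Return (label, header_lines, der_or_None) for every PEM block in text."""
    out = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # e.g. "Proc-Type: 4,ENCRYPTED"
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(payload, validate=True)
        except ValueError:
            der = None
        # Certificates and keys are ASN.1 SEQUENCEs, so valid DER starts with 0x30.
        if der is not None and not der.startswith(b"\x30"):
            der = None
        out.append((label, headers, der))
    return out


def check_cert_file(filename, text):
    """Rules for the SSL certificate file and the optional chain file."""
    problems = []
    if not filename.lower().endswith(".crt"):
        problems.append("extension must be .crt")
    blocks = pem_blocks(text)
    if not any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("no PEM-encoded CERTIFICATE block found")
    for label, _, der in blocks:
        if label != "CERTIFICATE":
            problems.append(f"unexpected '{label}' block in a certificate file")
        elif der is None:
            problems.append("CERTIFICATE block is not valid base64 DER")
    return problems


def check_key_file(filename, text):
    """Rules for the SSL certificate key file."""
    problems = []
    if not filename.lower().endswith(".key"):
        problems.append("extension must be .key")
    keys = [b for b in pem_blocks(text) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, headers, der in keys:
        legacy_encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        if label == "ENCRYPTED PRIVATE KEY" or legacy_encrypted:
            problems.append("key is password protected")
        elif der is None:
            problems.append("key block is not valid base64 DER")
        elif label == "PRIVATE KEY":
            if OID_RSA not in der and OID_DSA not in der:
                problems.append("PKCS#8 key is neither RSA nor DSA")
        elif label not in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):
            problems.append(f"'{label}' is not an RSA or DSA key")
    return problems


def make_pem(label, der, headers=()):
    """Wrap constructed bytes in PEM framing (sample data only)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


# Constructed placeholders: a SEQUENCE tag followed by zero bytes.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(60)
SAMPLES = {
    "server.crt": make_pem("CERTIFICATE", FAKE_DER),
    "server.key": make_pem("RSA PRIVATE KEY", FAKE_DER),
    "locked.key": make_pem("RSA PRIVATE KEY", bytes(64),
                           ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00"]),
    "chain.pem": make_pem("CERTIFICATE", FAKE_DER) * 2,
    "ec.key": make_pem("EC PRIVATE KEY", FAKE_DER),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        check = check_key_file if name.endswith(".key") else check_cert_file
        print(name, check(name, text) or "OK")
```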

You can also apply SSL internally to secure communications between Tableau Server’s Postgres data repository and other server components. This feature is disabled by default. If you want to enable it, go to Tableau’s online manual and search for “SSL for Direct Connections” where you’ll find detailed setup instructions.

SAML—Security Assertion Markup Language

Security Assertion Markup Language (SAML) is an XML-based open standard developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS). Is that enough acronyms for you? SAML separates development of security systems from applications. Open standards in the era of cross-platform mobile communications are desirable. By using a third-party Identity Provider (IDP) to handle the authentication component for Tableau Server, you can enable Single Sign-on (SSO) in Tableau Server. Using SAML, you can securely pass authentication information (such as a username or e-mail address) to Tableau once a login is successfully completed. Offloading the authentication function to an IDP provides a more seamless user experience while maintaining secure and centralized identity management.

Before you begin to configure SAML on Tableau Server, you must place the certificate files in a folder named SAML, such as:

C:\Program Files\Tableau\Tableau Server\SAML

If you decide to configure SAML during your first installation of Tableau Server, you will go to the SAML tab to complete the necessary details. If you wait until after your initial setup, go to the Tableau Server Configuration Utility on your Windows server and access Start ⇒ All Programs ⇒ Tableau Server, and then click the SAML tab and provide the addresses for the items you see in Figure 11-7.


Figure 11-7: SAML setup menu

  • Tableau Server return URL: The URL to which the Identity Provider (IDP) redirects the user after a successful login.
  • SAML entity ID: Allows your IDP to identify the Tableau Server application. Use your Tableau Server URL to avoid confusion.
  • SAML certificate file: A certificate file identifying the Tableau Server application.
  • SAML key file: A private key for Tableau Server to decrypt messages from the IDP.

Once this information is completed, you export the metadata to configure your IDP. Do this by clicking the Export Metadata File button in the menu. Your IDP may output an additional metadata file, which you then add to the SAML IDP metadata file field at the bottom of the SAML menu. This completes the SAML configuration in Tableau Server. Unauthenticated users accessing Tableau Server will be redirected to your IDP’s web page and, upon successful login, will be authenticated and redirected into Tableau Server.

If you have a multi-node cluster, refer to Tableau’s online Administrator Guide and search for “Configure a Server Cluster for SAML.”

Kerberos—A Ticket-Based Security Protocol

Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT) and adopted by Microsoft for Windows authentication in 2000. It works by using tickets to allow clients and servers to communicate securely. Once again, Tableau Server’s online manual provides all of the details to set up Kerberos. This process must be done by your administrator. The steps are as follows:

  1. Open a command prompt and change the directory to the location of Tableau Server’s bin directory. The default location is C:\Program Files\Tableau\Tableau Server\9.2\bin.
  2. Type this command to stop Tableau Server: tabadmin stop.
  3. Open the Tableau Server Configuration Utility from Start ⇒ All Programs ⇒ Tableau Server 9.2 ⇒ Configure Tableau Server.
  4. Click the Kerberos tab.
  5. Click Export Kerberos Configuration Script. The script generated configures your Active Directory domain to use Kerberos with Tableau Server.
  6. Have your Active Directory domain administrator run the configuration script to create Service Principal Names (SPNs) and the .keytab file.

    The domain administrator must review the script to verify that it contains the correct values. Run the script at the command prompt on any computer in the domain by typing the script name. The script will create a file (kerberos.keytab) in a keytabs folder in the location where the script was run.

  7. Save a copy of the .keytab file created by the script to the Tableau Server computer. In step 3, enter the path to the .keytab file, or click the Browse button to navigate to the file. The .keytab file will be copied to all the gateway nodes in your Tableau Server installation when you click OK in the Configuration utility. Do not rename the .keytab file. It must be saved using the kerberos.keytab name.

Click the Test Configuration button in the menu to confirm that your environment is working properly. Then click OK to save your Kerberos configuration and restart Tableau Server. Tableau’s online manual provides a quick-start guide for this procedure and more technical details related to Kerberos. If you run into any problems, search the online manual for “Kerberos.”

Now that you’ve enabled a secure authentication protocol for Tableau Server, in the next section we’ll discuss how you manage what you permit users to do when they access Tableau Server.

Managing Ownership Through Hierarchy

Tableau Server has a robust system for managing access. To fully grasp it, you must understand the hierarchy of objects that contain reports and data within Tableau’s environment. These objects include

  • Workbooks and views
  • Users
  • Projects
  • Groups
  • Sites
  • Permissions

Search the Tableau Online manual for “Manage Ownership” for details regarding who can change or be given ownership for each of these objects.

Workbooks and Views

The Workbook object represents the Tableau workbook file published from Tableau Desktop. It contains dashboards and worksheets, which in terms of Tableau Server are all known as Views. Permissions can be applied to specific Views within a Workbook or at the whole Workbook level. Workbooks and Views can belong to Projects and must be published to a Site.

User

The User object represents a named-user who has access to the Tableau Server. Users must be granted a licensing level of Interactor or Viewer to log in to the server. It’s possible to leave a user account on the server in an effectively disabled state by setting its licensing level to unlicensed. This can be useful for audit purposes. Users can be granted access to Views, Workbooks, Projects, and Sites. They can also be placed into groups. Also note that unlicensed Tableau Server users (who have been given publishing rights) can publish workbooks to Server even though they cannot view the published results on Server.

Project

The Project is an object used to organize and manage access to Workbooks and data sources. Workbooks are placed into Projects within a Site. This can be used as an organizational tool by placing Workbooks with similar content into a single project. They can be used as an access restriction tool by granting access to a Project to a user or group and then publishing Workbooks into that Project.

Group

The Group is an object used to organize users in Sites on the Tableau Server. Users can be placed into Groups, and these Groups can, in turn, be given permissions to objects on the server. Groups can be created locally on the Tableau Server, or, if Active Directory authentication is in use, they can be imported from an Active Directory Group. Groups make managing user permissions within Tableau Server much easier.

Site

The Site is the top level of the security hierarchy. Sites are completely separate Tableau Server instances from the user perspective. Users cannot log in to, or view, any information about Sites to which they do not have access. The base Tableau Server Site is known as the Default Site. Users that belong to more than one Site must choose which Site they want to see when they log in.

Permissions

Sites define separate work environments in Tableau Server. Permissions define what users or groups are permitted to do within a site. Tableau Server comes with several standard permission roles that can be assigned to Users or Groups.

  • Server administrator: Can access, interact with, publish, and manage all objects on the server
  • Site administrator: Can access, interact with, publish, and manage all objects within a site
  • Publisher: Can access, interact with, and publish objects (workbooks)
  • Interactor: Can access and interact with objects (workbooks)
  • Viewer: Can access workbooks and publish objects (workbooks)
  • Unlicensed: Can publish only

In addition to roles, there are permission rules that can be applied at the User or Group level. These permission rules grant users or groups specific capabilities such as the ability to view, interact with, or edit workbooks and data sources. Tableau Server comes with standard rules, but if these don’t work, you can edit them to meet your needs. You can add customized permissions to Groups or Users.

The visual interface in Tableau Server V9 has been improved in numerous ways. Permissions can now be reviewed quickly with the improved visual interface you see in Figure 11-8.

Tableau provides default permissions for All Users that can be edited by server or site administrators. As you see in Figure 11-8, all users have been granted View capabilities along with Interact capabilities (excluding Web Edit). Only Save has been enabled within the Edit section. Specific permissions can be added to groups or users. Go to the online Tableau Server Administrator Guide and search for “Manage Permissions” to explore more details.

Using Groups and Projects to manage access is much easier than assigning user permissions to workbooks or users individually. Depending on the sensitivity of the data contained in a workbook, some organizations choose to make heavier use of individual Sites rather than Projects. It is important to understand that moving content between Projects is easy, but moving content between Sites requires republishing the content.


Figure 11-8: The Permissions window

If you have particularly sensitive data for departments such as human resources or sales, it may make sense to create separate sites for those work groups to ensure that the data is secure. Another common use for Sites is to create an alternate site for development and testing on the server. Tableau’s online manual contains nearly 40 pages of details related to permissions. Read the manual before you develop a permission strategy.

Permissions for Web Edit, Save, and Download

The last few releases of Tableau Server have provided new capabilities for Tableau Server users. In some cases, light users of Tableau Desktop may no longer require a Desktop license. Server users (with the appropriate permissions enabled) can now:

  • Edit workbook views (and create new fields via calculations)
  • Save views
  • Download workbooks

Refer to Figure 11-8 and notice that there are three categories of permissions that can be enabled: View, Interact, and Edit. Web editing is included in the Interact category, while Save and Download are part of the Edit category. Enabling these three permissions gives users the ability to create new views in the browser or on a tablet, save those views for their instance of the file, and download the source workbook to their desktop.

Tableau made significant improvements to web editing in Version 9. Ad hoc calculations were enabled for Tableau Server for the first time. I expect Tableau to continue to add more web editing capabilities in future releases.

Providing Data Security with User Filters

While it has been possible for years to provide row-level security for data published to Tableau Server, from Version 8 forward it is much easier to achieve. Tableau Desktop users can publish workbooks to Tableau Server that filter views based on usernames by creating filters in views, filters embedded in data sources, or via a hybrid method that utilizes the data source to apply filters.

Apply a User Filter in a View

There are two ways to apply a user filter directly in Tableau Desktop that can be used in a workbook or data source published to Server V8 or later. First, let’s look at the steps to create a data filter in a view.

To create your own version of the examples to follow, you need to have a live connection to Tableau Server that has at least four users. Or you can download and install Tableau Server on your personal computer, create an administrative user account, and add at least four users to the system. Then open Tableau Desktop and create a view that looks like Figure 11-9.

The filled map color-encodes the four regions in the data set: east, south, central, and west. Follow these steps to create the user filter:

  1. Go to the main menu and select Server ⇒ Create User Filter.
  2. Sign in to Tableau Server.
  3. Select a dimension to apply the filter.
  4. Drag the user filter from the Sets pane to the Filters shelf.
  5. Test the filter with the User Emulator in the bottom right of the worksheet.

Figure 11-9 shows the Server ⇒ Create User Filter ⇒ Region selection for creating the filter set. If you aren’t already logged in to Tableau Server, you will be prompted to sign in to Server to create the user filter. Figure 11-10 shows the User Filter dialog box.


Figure 11-9: Region map


Figure 11-10: Create the user filter.

Add the following filter selections:

  • Admin: Apply to all regions.
  • Alex Lentz: Central region.
  • Ashley Eadon: South region.
  • Anthony Ball: East region.
  • Behfar Jahanshahi: West region.

The filter name used in the example is 1_UserFilter. You can use your own usernames to apply to each region. The red X you see next to the four names in Figure 11-10 indicates that those names have been applied in the filter.

Next, drag the 1_UserFilter from the Sets pane to the Filters shelf you see in Figure 11-11.


Figure 11-11: Add the user filter.

At the bottom right of Figures 11-11 and 11-12 you see the user emulator. The emulator shows you what the view will look like for that user when it is published to Tableau Server. Admin user was given permission to see all of the regions. Figure 11-12 shows how the map will be filtered for each user.


Figure 11-12: User filter emulator

You can see that each user is filtered for a particular region. As long as the users on Tableau Server do not have edit or download permissions, they cannot alter the user filter. You can also apply this user filter directly to the data source.

Applying a User Filter to a Data Source

Remove the 1_UserFilter set from the Filters shelf. Now you’ll apply that same filter directly to the data source. The procedure is as follows:

  1. Right-click the data source.
  2. Select Edit Data Source Filters ⇒ Add.
  3. Pick the 1_UserFilter set.

Figure 11-13 shows the dialog boxes open with the 1_UserFilter set highlighted.


Figure 11-13: Applying the data source filter

Select OK to apply the user filter to the data source. The resulting filter action should be identical to the results you see in the first example shown in Figure 11-12. The Admin user can still see all of the regions. The last example uses a hybrid approach to applying the user filter.

Creating a Hybrid Filter from the Data Source

If you have data in your data source that you can use to enable user filters, it can be utilized to achieve similar results to the Tableau-only data security methods but with the added benefit of little to no maintenance in Tableau. In the next example, an additional tab in the TYD2 Data Security Example Ch11.xlsx data source will be used to filter the data. This tab in the Excel data source includes the managers by region. Figure 11-14 shows a small section of the Orders table that includes sales information and the Managers table that defines the regional management responsibilities. These two tables will be joined to create the hybrid user filter.


Figure 11-14: Orders and managers tables

A left outer join was used to combine the data from both tables in Tableau, as you see in Figure 11-15.


Figure 11-15: Joining the manager data

The manager names used in the table exactly match their usernames in Tableau Server. If you are building your own example, make sure that the names you add to the manager table exactly match the users you have added in your instance of Tableau Server. To create the hybrid filter, you’ll create a calculation that utilizes a user function. Figure 11-16 shows the calculation.

The FULLNAME() function validates the [Manager Name] field from the data source against the users in Tableau Server. This formula produces a Boolean (True/False) result. The filter is enabled in the view by applying the new field to the Filters shelf or by adding it to the data source. The end result will look exactly like Figure 11-12. The beauty of this approach is obvious if you have thousands of users in a database that you are maintaining. Any update to the database would pass through to the Tableau workbook or to the data source.


Figure 11-16: User function calculation
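The hybrid filter described above can be modelled outside Tableau to audit the Managers table before publishing. This is an added example, not code from the book or from Tableau: it assumes the calculation in Figure 11-16 is the exact comparison FULLNAME() = [Manager Name], and the order rows, the "North" region, the Admin rows, and the trailing-space typo are constructed sample data.

```python
# Constructed sample rows modelled on the chapter's Orders and Managers tables.
ORDERS = [
    {"order_id": 1, "region": "East", "sales": 120.0},
    {"order_id": 2, "region": "West", "sales": 80.0},
    {"order_id": 3, "region": "Central", "sales": 45.5},
    {"order_id": 4, "region": "South", "sales": 300.0},
    {"order_id": 5, "region": "North", "sales": 10.0},  # no manager row for this region
]
REGION_MANAGER = {
    "Central": "Alex Lentz",
    "South": "Ashley Eadon",
    "East": "Anthony Ball",
    "West": "Behfar Jahanshahi ",  # constructed typo: trailing space
}
MANAGERS = [{"region": r, "manager_name": n} for r, n in REGION_MANAGER.items()]
# Assumption: Admin sees every managed region because the table lists Admin for each one.
MANAGERS += [{"region": r, "manager_name": "Admin"} for r in REGION_MANAGER]

# Full names exactly as they exist on the server (from the chapter's user filter example).
SERVER_USERS = ["Admin", "Alex Lentz", "Ashley Eadon", "Anthony Ball", "Behfar Jahanshahi"]


def left_outer_join(orders, managers):
    """Orders LEFT OUTER JOIN Managers on region; unmatched orders get a NULL manager."""
    by_region = {}
    for m in managers:
        by_region.setdefault(m["region"], []).append(m["manager_name"])
    joined = []
    for o in orders:
        for name in by_region.get(o["region"], [None]):
            joined.append({**o, "manager_name": name})
    return joined


def rows_visible_to(full_name, joined):
    """Model of the Boolean filter, assumed to be FULLNAME() = [Manager Name]."""
    return [r for r in joined if r["manager_name"] == full_name]


def audit(orders, managers, server_users):
    """Report mapping problems that silently change who can see which rows."""
    joined = left_outer_join(orders, managers)
    users = set(server_users)
    seen_by_someone = {r["order_id"] for r in joined if r["manager_name"] in users}
    return {
        # Names in the data that match no server user: their rows pass no one's filter.
        "unmatched_manager_names": sorted({m["manager_name"] for m in managers} - users),
        # Orders that no server user can see at all.
        "orders_hidden_from_everyone": sorted(
            o["order_id"] for o in orders if o["order_id"] not in seen_by_someone
        ),
        # Server users whose filter returns zero rows.
        "users_seeing_nothing": sorted(u for u in users if not rows_visible_to(u, joined)),
    }


if __name__ == "__main__":
    joined = left_outer_join(ORDERS, MANAGERS)
    for user in SERVER_USERS:
        print(user, [r["order_id"] for r in rows_visible_to(user, joined)])
    print(audit(ORDERS, MANAGERS, SERVER_USERS))
```

In this model a name mismatch fails closed: the affected manager sees nothing rather than everything, and an order in a region with no manager row is visible to no one.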

If you want to view a video that has similar examples to those presented here, Tableau Software has an excellent training video illustrating these techniques at www.tableau.com/learn/tutorials/on-demand/data-security-user-filters.

What Is the Data Server?

As a Tableau Server administrator, you should learn what the Data Server is and how it can help you manage workloads more efficiently. The Data Server provides a full range of publishing options that provide access, flexibility, and control.

Packaged Data Sources (.tdsx files) are shortcuts that do not contain any actual data but have all of the information needed to connect to a data source and any metadata created in the source Tableau workbook including:

  • Default properties
  • Calculated fields
  • Groups
  • Name aliases
  • Renamed fields
  • Other metadata

Publishing data sources to Tableau Server leverages the knowledge of domain experts within your company for a large number of other less knowledgeable people to use. Publishing workbooks with the data embedded is also possible. These files and connections can be refreshed via scheduled updates or on demand and are then automatically propagated to all authorized users. The type of data source (live connection or embedded) is identified using icons.

Data Server gives end users safe access to clean data while giving the server administrator a single point of control. This governance model provides convenience, flexibility and control.

When and How to Deploy Server on Multiple Physical Boxes

Earlier in this chapter, you read about considerations for sizing hardware for Tableau Server—specifically the concepts of scaling up and scaling out. Scaling up refers to using more powerful single-server hardware. Scaling out refers to bringing in more machines to help carry the workload. Clustering, distributed environments, and scaling out all refer to the same concept: running Tableau Server on more than one machine to spread the workload.

The decision to scale out Tableau Server in a cluster is normally made when a single server cannot support the expected workload and when adding additional machines represents a lower expected cost than scaling up to a substantially more powerful single machine. Tableau’s multiple processes can be assigned to different machines in the cluster to achieve efficient division of the workload.

For instance, an environment that makes use of large data extracts could devote an entire machine in the cluster to running data extract engine processes. This machine could include a larger amount of system memory and fast I/O to support the need to quickly load and query many data extracts. In addition, another machine with very fast CPU cores could be dedicated to VizQL processes if high numbers of concurrent view requests are anticipated. Clustering Tableau Server can also provide high availability capabilities by creating redundant core processes on multiple machines. High availability configurations will be covered in the next section of this chapter.

In Tableau Server clustered environments, the first machine on which you install Tableau Server is known as the Primary Server, or the Gateway. All other machines are known as Workers. The Gateway handles all of the requests to the Tableau Server and communicates with the Workers to satisfy those requests. To set up a distributed cluster environment, follow these steps:

  1. Install Tableau Server on the primary machine. (Note the IP address of this machine.)
  2. Stop the Tableau Server service on the primary machine.
  3. Install the Tableau Server worker software on all of the Worker machines.
  4. Return to the primary (Gateway) server and open the configuration utility.
  5. Select the Servers tab and click the Add button.
  6. Type the IP address of one of the Worker machines in the dialog box.
  7. Specify the number of, and each type of, processes to deploy on the Worker.
  8. Click OK.
  9. Repeat the same steps for each Worker machine.

Once all of the Workers are added to the cluster, save the changes within the configuration utility and restart the Tableau Server service on the primary machine. For more information about clustered Tableau Server deployments, see the “Distributed Environments” section of the Tableau Server Administrator Guide.

Deploying Tableau Server in High Availability Environments

Strategies to guarantee constant availability are broadly referred to as high availability. These strategies necessitate that core components of Tableau Server be redundant to minimize the chance of unplanned downtime. Realizing this goal requires deployment in a distributed environment and running redundant critical processes on separate servers.

Achieving significant redundancy can be realized using a three-server cluster, but to achieve a fully redundant configuration, at least four servers are necessary.

Three-Node Cluster

In this configuration, the Primary Server or Gateway (the server on which you first install Tableau Server) hosts the following processes:

  • Search and browse
  • Licensing
  • Cluster controller
  • Coordination service
  • Gateway processes

The two Worker servers are used to host identical configurations that should include:

  • Cluster controller
  • Coordination service
  • Gateway
  • VizQL Server
  • Application server
  • API server
  • Backgrounder
  • Cache server
  • Data server
  • Data engine
  • File store

Each worker also contains the Active Repository. A load balancer is recommended to direct traffic to active nodes in the event of a failure. The loss of a Worker machine can occur without making the cluster inaccessible. However, because there is only a single Gateway machine, should that server go offline, the cluster will be inaccessible to users. To have complete fault tolerance, a four-node cluster is required.

Four-Node Cluster

In a four-node cluster, a backup Primary Server is added to make that critical node redundant. However, the Primary backup server must be promoted to active status manually. There is currently no automatic fail-over for Primary (Gateway) machines.

The high availability setup process is similar to the basic cluster configuration. The following are the steps to set up a high availability configuration:

  1. Install Tableau Server on the primary machine (note the IP address of this machine).
  2. Stop the Tableau Server service on the primary machine.
  3. Run the Tableau Server Worker installer on the other machines included in the cluster (the primary server IP is needed for this step).
  4. Open the configuration utility.
  5. Select the Servers tab and click the Add button.
  6. In the Add Tableau Server dialog box, type the IP address of the first of the Workers.
  7. Specify the number of each type of process.
  8. Ensure both the extract storage and repository storage are included on this host’s settings. Click OK.
  9. Start the Tableau Server service on the Primary Server machine.
  10. View the server status and observe that the instances of the extract engine and repository on the new Worker appear to be down. This will be resolved once the primary server has transmitted all data for these processes to the new worker machine.
  11. After the worker extract engine and repository processes switch from Service Down to Service Standing By, stop the Tableau Server service on the primary machine again.
  12. Open the configuration utility on the primary server.
  13. In the configuration utility, clear the Extract Storage on This Host and Repository Storage on This Host check boxes for the primary server. Remove all other processes to configure this machine as a Gateway only. Click OK.
  14. Click the Add button on the Servers tab.
  15. In the Add Tableau Server dialog box, type the IP address of the second Worker and specify the number of each type of process. Be sure to check both the Extract Storage and Repository Storage on this host’s settings. Click OK.
  16. As an optional step, you can configure e-mail alerts about the cluster status from the Email Alerts tab in the configuration utility.
  17. Close the configuration utility and restart the Tableau Server service.
  18. Once the service comes back up, check the status of the cluster from the Tableau Server maintenance page. You should see the IP address of the primary server listed with only the Gateway service. You should also see the two Worker server IP addresses listed with the remaining Tableau Server processes. One Worker will have an active data engine and repository, and the other Worker will have standby copies of these processes.

The three-node configuration presented earlier may be augmented with a redundant Gateway server to increase reliability. For more information about making the Gateway redundant and the manual fail-over process, see the “Configuring a Highly Available Gateway” section of the Tableau Server Administrator Guide.

Leveraging Existing Security with Trusted Authentication

Tableau Server is frequently deployed in landscapes containing legacy systems that already have security protocols to prevent unauthorized access. These systems may include internal website portals, content management systems, or existing reporting interfaces. Is it possible to embed an interactive Tableau visualization into a site that already contains a legacy security protocol? The answer is yes. This is commonly referred to as single sign-on. The Tableau Server system for enabling this is called Trusted Authentication.

When using Trusted Authentication, it is assumed that the web server containing the embedded views will handle the user authentication. The person attempting to access the embedded view must be a valid user on both the web page and Tableau Server. The web page server passes the username of the person who has logged in to the Tableau Server. So, the usernames must match or be programmatically transformed to match.

Tableau Server must also be configured to acknowledge the web page server as a trusted server. This is configured using the Tableau Server Administration (tabadmin) tool. See Chapter 13 for more details on Tableau Server’s command-line tools.

The web page server must also be able to perform a POST request and transform the response into a URL. This means that static web pages that are not supported by a scripting language will not be able to support these requirements.

If the web page server uses Security Support Provider Interface (SSPI), configuring Trusted Authentication is unnecessary as long as the users are valid members in Active Directory. In that case, Tableau Server authenticates the user via Active Directory as long as the users are also licensed to access Tableau Server. The flowchart in Figure 11-17 illustrates how security data travels between each component.

Figure 11-17: Trusted Authentication

If all of the requirements are met, Trusted Authentication works in the following way:

  1. A user visits the web page: When a user visits the web page with the embedded Tableau Server view, it sends a GET request to your web server for the HTML for that page.
  2. Web server POSTS to Tableau Server: The web server sends a POST request to Tableau Server. That POST request must have a username parameter. The username value must be the username for a licensed Tableau Server user. If the server is running multiple sites and the view is on a site other than the Default site, the POST request must include a target site parameter.
  3. Tableau Server creates a ticket: Tableau Server checks the IP address of the web server that sends the POST request. If it is set up as a trusted host, then Tableau Server creates a ticket in the format of a unique nine-digit string. Tableau Server responds to the POST request with that ticket. If there is an error and the ticket cannot be created, Tableau Server responds with a value of -1.
  4. Web server passes the URL to the browser: The web server constructs a temporary URL for the view using either the view’s URL or its object tag (if the view is embedded) and inserts it into the HTML for the page. The temporary URL includes the ticket and looks similar to this address: http://tabserver/trusted/<ticket>/views/requestedviewname. The web server passes the HTML for the page back to the client’s web browser.
  5. Browser requests view from Tableau Server: The client web browser sends a request to Tableau Server using a GET request that includes the URL with the ticket.
  6. Tableau Server redeems the ticket: Tableau Server sees that the web browser requested a URL with a ticket in it and redeems the ticket. Tickets must be redeemed within three minutes after they are issued. Once the ticket is redeemed, Tableau Server logs the user in, removes the ticket from the URL, and sends back the final URL for the embedded view.
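
The exchange in steps 2 through 4, written from the web server's side, as an added example (not code from the book or from the samples shipped with Tableau Server). The stub server, the user `asmith` and the view path `Sales/Overview` are constructed; the `/trusted` POST path and the `target_site` field name follow Tableau's documented trusted-ticket request rather than this page.

```python
import http.server
import secrets
import threading
import urllib.parse
import urllib.request

# Constructed stub standing in for Tableau Server (steps 2-3 of the list above).
TRUSTED_HOSTS = {"127.0.0.1"}   # assumed address of the trusted web server
LICENSED_USERS = {"asmith"}     # constructed sample user


class StubTableau(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        ok = self.client_address[0] in TRUSTED_HOSTS and user in LICENSED_USERS
        # Nine-digit ticket on success, -1 on any failure.
        body = f"{secrets.randbelow(10**9):09d}" if ok else "-1"
        self.send_response(200)
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):   # silence per-request logging
        pass


def start_stub():
    """Start the stub on an ephemeral local port; return (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubTableau)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


# Web server side (steps 2 and 4).
class TicketError(Exception):
    pass


# No proxy: Tableau Server checks the source IP, so the POST must arrive
# from the web server's own trusted address.
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def request_ticket(base_url, username, target_site=None, timeout=5):
    """POST the username and return the ticket, or raise TicketError."""
    fields = {"username": username}
    if target_site:                 # only for views outside the Default site
        fields["target_site"] = target_site
    data = urllib.parse.urlencode(fields).encode()
    with DIRECT.open(f"{base_url}/trusted", data=data, timeout=timeout) as resp:
        ticket = resp.read().decode().strip()
    # -1 means refused: never build a URL from it or retry as another user.
    if not ticket or ticket == "-1":
        raise TicketError(f"no ticket issued for {username!r}")
    return ticket


def trusted_view_url(base_url, ticket, view_path):
    """Build the temporary URL that is written into the page HTML."""
    quoted_ticket = urllib.parse.quote(ticket, safe="")
    return f"{base_url}/trusted/{quoted_ticket}/views/{urllib.parse.quote(view_path)}"


def embed_url_for(session_user, base_url, view_path, target_site=None):
    # session_user must be the identity from the portal's own login session,
    # never a value read from the visitor's query string or form fields.
    ticket = request_ticket(base_url, session_user, target_site)
    return trusted_view_url(base_url, ticket, view_path)


if __name__ == "__main__":
    server, base = start_stub()
    print(embed_url_for("asmith", base, "Sales/Overview"))
    try:
        embed_url_for("not_licensed", base, "Sales/Overview")
    except TicketError as exc:
        print("refused:", exc)
    server.shutdown()
```

Because a ticket must be redeemed within three minutes of being issued, request a fresh one for each page render rather than caching the resulting URL.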

The Tableau Server installation manual provides examples of the code required for the web server to handle the POST to Tableau Server, converting the ticket into a URL and embedding the view in many languages. These examples are included as a part of the Tableau Server installation. Navigate to this drive location to view them: C:\Program Files\Tableau\Tableau Server\9.2\extras\embedding.

For additional tips on using Trusted Ticket Authentication, see the section “Using Trusted Ticket Authentication as an Alternative Single Sign-on Method” in Chapter 12.

Deploying Tableau Server in Multi-National Environments

Tableau Desktop and Server support a wide range of locales and languages. This makes it easy to deploy in organizations with diverse nationalities. Language settings refer to the translation of text in the user interface elements within Tableau. Locale refers to the format of numbers and dates.

Default language and locale options can be configured at the server level by users with system administrator permission. Set up these options in Tableau Server at the Server ⇒ Settings ⇒ Language and locale menu (see Figure 11-18).

Users can also configure their individual language and locale settings from the User Account page. However, users must do this from their view of the User Account page. Administrators cannot set language and locale options for a specified user. When a user changes these settings, this overrides the default language and locale settings designated by the administrator.

If the user does not have a language and locale specified on his user account page, those settings can also be taken from the user’s web browser—if the browser is using a language that Tableau supports. If the language is one Tableau does not support, English will be used. Also, keep in mind that the author of a workbook in Tableau Desktop can specify language and locale in the workbook. Settings specified in the workbook take precedence over all other language and locale settings.

Figure 11-18: Language and locale setting

The order of precedence—from highest to lowest priority—is designated as follows:

  1. The Tableau workbook
  2. The user preferences page
  3. The locale specified by a user’s browser
  4. The Tableau Server maintenance page
  5. The computer on which Tableau Server is installed

Keep in mind that language options do not translate any report content—only Tableau user interface elements.

Tableau Server Performance Recorder

At the end of Chapter 8, you learned how to use Tableau’s Performance Recorder to improve workbook performance in Tableau Desktop. There is also a separate Performance Recorder that allows you to record and view information about Tableau Server performance at the workbook level.

Prior to Tableau Version 8, this data had to be collected and analyzed manually from log files or via a third-party application that was created by InterWorks. The Performance Recorder creates a Tableau workbook of your Tableau workbook’s performance. Information about the following events is captured and displayed visually:

  • Query execution
  • Geocoding
  • Connections to data sources
  • Layout computations
  • Extract generation
  • Data blending
  • Server rendering

Performance Recorder is disabled on Tableau Server by default. To activate performance recording on the server, navigate to the Server ⇒ Sites ⇒ Settings page and check the Workbook Performance Metrics option. Figure 11-19 shows the applicable portion of the page.

Figure 11-19: Enabling performance recording

There are several other site setting options on that page. Figure 11-19 shows only the workbook performance metrics check box that is near the bottom.

When you are ready to use the Performance Recorder, you must append the code ?:record_performance=yes& to the end of the page URL just before the session ID, as you see highlighted in the URL script at the top of Figure 11-20.

Figure 11-20: Properly inserted recording script

If everything is working correctly, the Show Performance Recording menu will appear in the view’s status bar—circled in Figure 11-20. Clicking this link will open a view that is generated from the recorded performance data. Note that the performance recording view does not automatically update. To see the most current data, close and open the view again.

Once it is activated, the Performance Recorder will continue capturing data about interactions with the view until the user navigates away or removes the string from the URL. Figure 11-21 displays an example of the information available in the Performance Summary display.

Figure 11-21: A Performance Summary workbook

The Performance Recorder dashboard contains three panes:

  • Timeline: A Gantt chart displaying event start time and duration
  • Events Sorted by Time: A bar chart showing event duration by type
  • Query: Appears when clicking an Executing Query event in the bar chart

Show Events Filter

This filter allows you to cull the details that appear below to show only the items requiring the specified minimum cost in time.

Timeline Gantt Chart

The Timeline Gantt Chart displays by workbook, dashboard, or worksheet when each event occurred. Event start time is indicated by the bar’s horizontal position, and the duration of each event is indicated by the individual bar length. The event type is color encoded.

Events Sorted by Time

This section of the workbook shows the duration of recorded events in descending order. This is useful for observing the execution time of each event that occurred during the performance recording. This will help you identify any lengthy events that may be the cause of performance problems.

Query Text

Optionally, the workbook also displays the query text for any specific green-colored Executing Query event that you want to examine in detail. This is a handy feature that allows you to review any query text that may be of interest without having to leave the Tableau Performance Summary dashboard.

Performance-Tuning Tactics

The Performance Summary report generated by the Performance Recorder informs you about the specific events that may be contributing to slow performance. Once you understand the events most affecting performance, try the following tactics to address the performance problem.

Query Execution

Query Execution represents the time that it takes for the data source to execute a query and retrieve the data requested by the worksheet. If the data source is a database, it is very helpful to see the queries issued by Tableau in order to identify inefficiencies. Common issues include poor indexing strategies, fragmented indexes, database contention, insufficient database resources, and inefficient SQL queries. If the data source is the Tableau data engine, there are fewer troubleshooting options.

Geocoding

Geocoding represents the time Tableau needs to locate geographical dimensions. If this event type is consuming too much time, consider geocoding your records in the source dataset and passing a pre-calculated latitude and longitude to Tableau rather than having Tableau generate the geocodes when rendering the map view.

Connecting to the Data Source

Connecting to the data source conveys the time required for Tableau to connect to the data source. This event is typically not a large percentage of total worksheet time. In rare cases, there can be network or data source issues that extend connection times. To rule out these issues, examine the network topology between the Tableau Server and the data source server.

Layout Computations

The time needed for Tableau Server to compute the visual layout of the worksheet is the Layout Computation event. This can be influenced by server resource contention as well as worksheet complexity. The more marks that are visualized within the workbook, the more time that workbook will require to load and refresh. It may be necessary to restrict the number of marks simultaneously displayed through techniques such as actions, filters, and aggregation. Large text tables can be particularly costly and are not a good visual analytic technique. If all these tactics fail to result in noticeable improvement, it may be necessary to provide additional resources to the server.

Generating Extract

The amount of time that the data engine spends generating an extract is called the Generating Extract event. The size of the data source (the numbers of rows and columns) along with the time Tableau spends compressing and sorting the data are the major factors affecting the time required to generate extract files. Starting with the release of Tableau Server V9, persistent query caching reduces the impact of costly queries after the cache is warmed.

If your extract file is still taking too long to refresh in your environment, it may be possible to speed up the process by removing unnecessary columns from the extract. This will reduce the time required for generating, sorting, and compressing the remaining columns. Should the problem persist, you may want to ensure that all fields have the appropriate data type assigned to them in the underlying database. Improperly defined field types in the source database can affect the performance during the extract creation, as well as any subsequent queries needed to be performed against the extract file.

If extract generation speeds are still not good enough, try running more data engine processes or placing them on their own Worker instance.

Blending Data

The amount of time that Tableau Server spends performing data blends is the Blending Data event. This event can take a long time when working with large amounts of data from the blended data sources. Filtering before the blend at the data source level can be effective. If possible, consider moving data into a single data source so that joins can be used instead of blending.

Server Rendering

The amount of time that Tableau Server spends rendering the computed layouts into a format to send to the client browser is the Server Rendering event. The time it takes to complete this event can be impacted by the load on the VizQL processes as well as the complexity of the layouts. Refer to Tableau Server’s online manual and the Interpret a Performance Recording section for additional information.

Whether specifically mentioned or not, most of these events can be quickened by restricting the amount of data visualized through filtering or aggregation. This can also be achieved by using faster hardware or adding more resources on Tableau Server. As far as workbook performance goes, if it doesn’t perform well in Tableau Desktop, it won’t perform well in Tableau Server either. For this reason you should use the Performance Recorder on the desktop to troubleshoot performance issues there before publishing an under-performing workbook to the server.

Managing Tableau Server in the Cloud

Increasingly, organizations are choosing to move away from hosting on-premise servers by migrating to cloud-based solutions. Flexibility and decreased initial costs are two reasons for pushing software into the cloud.

What Does It Mean to Be in the Cloud?

Before I discuss cloud-based Tableau Server hosting options, it might be helpful to define what I mean by “cloud-based.” The expression “in the cloud” has become a catchall term in recent years for any service that isn’t hosted by an on-premise server. That definition doesn’t quite capture the scaling implications of the cloud, though. Cloud solutions are typically hosted and rapidly scalable systems. As mentioned at the beginning of this chapter, Tableau Software has two server versions that operate only in the cloud.

Tableau’s Cloud-Based Versions of Server

Tableau Public is a Tableau Server implementation hosted by Tableau Software that is free to use but comes with some caveats. Chief among these is that all workbooks and data hosted on Tableau Public are just that, public. This is probably a deal-breaker for most organizations. However, if your organization wants to make data available to the public anyway, this is a great (free) solution. Other caveats with Tableau Public are:

  • Data sources are limited to 10,000,000 rows per data source.
  • Only file-based data sources can be used.
  • Data is limited to 10GB per account.

Tableau Online (fee-based) provides an added measure of control and security beyond Tableau Public. It is a cloud-based version of Tableau Server that is licensed on a per-named-user basis with no minimum requirement on the number of licenses. The software is installed and maintained by Tableau Software in a secure hosting facility. It is easy to use Tableau Online. Once you have signed up, you can start publishing workbooks for other licensed Tableau Online users to view.

There are a few differences between Tableau Online and Tableau Server including the following:

  • Workbooks published to Tableau Online must use Tableau Data Extract, which must be refreshed regularly. Live connections to Amazon Redshift are supported as well.
  • No guest access. Everyone using Tableau Online must be licensed to use the service.
  • Tableau Software creates and maintains your site.
  • No minimum user requirement.

Tableau Software continues to make additional features available via Tableau Online. Custom branding (June 2015) and SAML authentication (May 2015) are now supported, and Tableau Online is now able to auto sync with other cloud services such as Salesforce and Google Analytics. You can also sync with data stored behind your firewall.

At the beginning of this chapter, I introduced Tableau’s three different server products: Tableau Server, Tableau Public, and Tableau Online. Currently, the majority of Tableau Server customers want to host Tableau Server on premise, behind their company firewall. But an increasing number of organizations are choosing to host Tableau Server in the cloud.

Putting Tableau Server in the Cloud

Although Tableau Server is most frequently hosted within company networks, it can also be hosted in the cloud or by utilizing Amazon EC2 instances and most other services that provide cloud-based Windows Server platforms. Amazon EC2 is not currently a platform supported by Tableau Software, but it does work. There are a few items to consider if you want to deploy Tableau Server using a cloud service provider. You are still fully responsible for the installation and maintenance of Tableau Server deployed this way—unless you also want to farm out this work on a contract basis to consultants.

Tableau Server needs to be accessible to your users, so make sure ports are opened in any firewalls and that the server will accept traffic from your users’ network addresses. Active Directory integration can be tricky with these platforms, so consider local authentication if you encounter issues.

When deploying Tableau Server in multi-node configurations, ensure that the IP addresses of the nodes are static so that node communication won’t be impaired through system restarts. Also ensure that firewall rules are in place to allow nodes to communicate with one another. The most common issues with running Tableau Server in a cloud environment are networking related. Once the Tableau Server is installed and accessible, administering it is similar to administering a locally installed host.

Monitoring Activity on Tableau Server

As your server deployment grows, you can monitor usage activity to ensure the best experience for your users. Tableau Server includes a Server Status page that you see in Figure 11-22.

The Server Status page is divided into four different sections: Process Status, Analysis, Log Files, and a button for rebuilding the Search & Browse process index.

Figure 11-22: Server Status page

Status Section

The Process Status section displays the current status for every process available on each machine deployed. The example in Figure 11-22 is for a single server. If you have a multi-cluster setup, you will see each machine’s IP address in separate columns along with the processes assigned to the Primary and Worker Servers.

Analysis Section

The Analysis section provides links to embedded Tableau workbooks that provide visual analysis of important metrics related to your server activity. This was improved dramatically with the release of V9. There are nine different canned reports available including:

  • Traffic to views
  • Traffic to data sources
  • Actions by all users
  • Actions by a specific user
  • Actions by recent users
  • Background tasks for extracts
  • Background tasks for non-extracts
  • Stats for load times
  • Stats for space usage

Figure 11-23 shows the Traffic to Views page.

Opening any one of the views provides access to the other views within the workbook via tabbed access across the top of the workbook web page as well.

Log Files Section

Beginning with Tableau Server 8.2, access to generate and review log files became much easier. To generate a snapshot of logs, navigate to Server ⇒ Status and select the Generate Snapshot button. Once the generation of the snapshot is completed, it is available to review using the Download Snapshot button shown in the Log Files section in Figure 11-22.

Figure 11-23: Traffic to Views page

Rebuild Search Index Section

A problem could occur in your server setup that causes the server’s search index to become corrupted. If this happens, users may not get the correct results when searching for workbooks or data sources. Run the Rebuild Search Index if searches are not retrieving the expected results.

Editing Server Settings and Monitoring Licensing

Separate pages are provided that give access to additional server settings and for monitoring Tableau Server licenses.

Server Settings General Page

General server settings are accessed through the Server ⇒ Settings ⇒ General page (see Figure 11-24).

Figure 11-24: General server settings

From the General page, you can control whether publishers can embed or save credentials and whether or not to allow guest access to Tableau Server. You can also define a default start page or set the default language and locale (covered previously).

Server Setting License Page

Your server license key, seats, and maintenance expiration date are displayed here as well as the current seat licenses in use, licenses available for use, and the number of unlicensed users. Tableau Software has made significant strides improving the tools available for the security, reporting, and administration of the site.

Partner Add-on Toolkits

Tableau’s growing partner ecosystem now provides add-on tools for Tableau Desktop and Tableau Server that may include additional capabilities that will help you manage Tableau Server. See Appendix A for summary information on Tableau Software’s product line and add-on products provided by Tableau Partners.

Notes
