TABLEAU SERVER AND CLOUD SECURITY (6/10): Conten Owner left company

What should be done when Tableau server or Cloud users left company?

The right process is to un-license AND then delete the users from Tableau server or Tableau when users left company.

  • Admins can un-license content owners but Admins can’t delete users who own content even the users left company.
  • You will have to change content owner first before deleting the user

Who can change content owner?

  1. Owner. The best practice is for owner to change the content owner to someone else in the team.
  2. Project Admin (aka project leader) who has publisher site role. For whatever reasons, if content owner left company, project admin can also change the owner to someone else (two step process: change to yourself and then change to someone else)
  3. Project Owner (two step process: change to yourself and then change to someone else)
  4. Admins

Content owner change tips

  • Explorer site role user can be given content ownership but can’t grant permissions to others, can’t change the ownership to anyone else anymore.
  • Once content owner is changed, the embedded password will be invalid. The new content owner has to re-embedded the password
  • Project admin (aka Project Leader) or Project owner can’t other’s content to someone else although can change someone else’s content to herself or himself. It will be two step process for project admin to change owner content to someone else:
    1. Change owner to project leader himself or herself
    2. Then as content owner, you can change content ownership to someone else

What happed when content owner left company?

  • If content ownership is not changed before owner left company, workbook can still be accessed, extract can still run (if embedded credentials not tie to personnel database acct)
  • But, Tableau server or Cloud’s email or Slack notifications (failure/suspension, flow failure/suspension) goes to nowhere….
  • No action can be taken by owner anymore 

So content owner should be changed. However ….

The Problem : Often Project Admins may not be aware of all content owned by person who left company 

The scalable solution is to build Invalid Content Owner alert

What is Invalid Content Owner alert?
It is a Python scripts to use REST API to find content owned by user who is not an active employee anymore. The content list alert will be sent to project admin (aka project leader) and project owner. It can also be sent to previous manager if possible (see below alert):

The alert can also have a link to the content to make project admin’s life easier. Action is for project admin (aka project leader) to click the link in the alert and change content to himself, then change to someone else if necessary.

Here is the logic used for the alert

Conclusion: We found that it was extremely useful to send invalid owner alert in the daily basis for large Tableau deployment since project leaders don’t have visibility for this data. You do need Tableau server database workgroup readonly user/password, REST API, Python and whatever scheduling tool to implement it.

Source link

Be the first to comment

Leave a Reply

Your email address will not be published.