Prerequisites

Alation Cloud Service: Applies to Alation Cloud Service instances of Alation.

Customer Managed: Applies to customer-managed instances of Alation.

Core Connector: Core connectors are included with all Alation platform tiers (subject to each tier’s connector limits) and are fully supported by Alation.

Before you install the Tableau OCF connector, ensure that you:

Enable Metadata API for Tableau Server

Refer to Enable metadata-services. Enabling Metadata API may take up to 48 hours depending on the volume of metadata.

Note

The Metadata API is enabled by default for Tableau Cloud.

Enable Sensitive Lineage Data Setting

In Tableau:

  1. Go to Site Settings > General > Sensitive Lineage Data.

  2. Make sure that Show complete lineage (default) is selected.

Note

If this option is not selected, some Tableau objects will not be extracted.

This setting is applicable for both Tableau Server and Tableau Cloud.

Required Information

Site ID

A site ID is the text after the #/site/ part of the URL of a Tableau page, up to the next slash. In the example below, Sales is the site ID:

https://prod-useast-a.online.tableau.com/#/site/Sales/explore

You can specify multiple site IDs separated with commas.

Note

Site ID is optional for Tableau Server.

Tableau Server

The Tableau Server site ID information is used for authentication. You can provide a single valid site ID and the connector will discover all the other sites that the service account has access to. If the field is left empty, the connector will use the default site.

Tableau Cloud

For Tableau Cloud, Alation will only extract metadata from the sites with the IDs you have specified. If the field is left empty, the test connection will fail and no metadata will be extracted.

SSL Certificate

If you are connecting over SSL with a custom SSL certificate, obtain the certificate. You will need to upload it in the Tableau BI source settings in Alation. If you are connecting over SSL using a CA-authorised certificate, certificate upload is not required.

Configure Authentication

The Tableau OCF connector requires a service account with site administrator privileges. Authentication can be configured on the BI source Settings page. Make sure that the service account is assigned one of the following roles:

  • Server Administrator (applicable to Tableau Server only)

  • Site Administrator Creator

  • Site Administrator Explorer

The following authentication types are supported by Alation:

  • Basic authentication with a username and password

    Note

    Basic authentication is supported only on Tableau Server.

  • Personal access token (PAT)

    • PAT inherits all API permissions from the service account’s site role. No additional scope configuration is required. All connector features (metadata extraction, previews, sampling, and permission mirroring) are available based on the user’s role.

    • Each token can only be used for a single metadata extraction. If the token is used for multiple extractions in parallel, only the first extraction will work; for others an authentication error message will be displayed.

  • Unified Access Token (UAT)

    Note

    UAT is available from connector version 1.14.0 and applies only to Tableau Cloud.

    • UAT is a JSON Web Token (JWT)-based authentication mechanism and requires Tableau REST API version 3.27 or later (December 2025 release).

    • UAT requires explicit scope configuration. The JWT and the UAT configuration in Tableau Cloud Manager must include all required scopes for the connector features you plan to use. See Unified Access Token for the full list of required scopes.

The Tableau OCF connector does not support SSO authentication to Tableau.

Note

For Tableau Cloud, if multi-factor authentication (MFA) is enabled, you must use either personal access token or UAT authentication.

Unified Access Token

Unified Access Tokens (UAT) provide JWT-based authentication for Tableau Cloud, managed through the Tableau Cloud Manager (TCM). See Tableau’s UAT documentation for setup instructions.

To use UAT authentication for the connector, ensure you complete the following prerequisites:

Grant Access

The user setting up UAT must have the Cloud Administrator role in Tableau Cloud. This role is required to:

  • Access the Tableau Cloud Manager (TCM) at https://<tenant-name>.cloudmanager.tableau.com/

  • Create and manage UAT configurations

  • Upload public keys for JWT signature verification

Important

TCM access is per-individual, not per-group. If you do not have Cloud Administrator access, contact your Tableau Cloud administrator.

Set up Tableau Cloud Manager

Before configuring UAT in Alation, complete the following steps in Tableau Cloud Manager. Refer to the Tableau UAT documentation linked above for detailed instructions.

  1. Generate an RSA key pair: Create a 2048-bit RSA key pair. The private key is used to sign JWTs; the public key is uploaded to TCM.

  2. Create a UAT configuration in TCM: Register the public key, set the issuer, and configure scopes and resource IDs.

  3. Generate a signed JWT: Sign a JWT with the private key using the RS256 algorithm. The JWT must include the required claims (see below).

Configure JWT Scopes

The following scopes must be configured in both the UAT configuration in TCM and the scp claim of the JWT:

| Scope | Purpose |
| --- | --- |
| tableau:content:read | Required for accessing projects, workbooks, data sources, views, and the GraphQL Metadata API. |
| tableau:content:download | Required for general content downloads. |
| tableau:sites:read | Required for site discovery and validation. |
| tableau:users:read | Required for user extraction and permission mirroring. |
| tableau:groups:read | Required for group extraction and permission mirroring. |
| tableau:views:download | Required for preview images, high-resolution images, and report field value sampling. |
| tableau:workbooks:download | Required for workbook preview images. |
| tableau:datasources:download | Required for datasource downloads. |
| tableau:tasks:read | Required for task-related API calls. |

Important

Individual scopes such as tableau:workbooks:read or tableau:projects:read do not work with UAT. You must use tableau:content:read as the scope for all content read endpoints, and the :download scopes for preview images, high-resolution images, and report field value sampling.

The table below shows which scopes are required for each connector feature:

| Connector Feature | Required Scopes |
| --- | --- |
| Metadata Extraction (projects, workbooks, data sources, views, columns, auto-generated embedded data sources, hidden worksheets) | tableau:content:read, tableau:sites:read |
| Permission Mirroring | tableau:users:read, tableau:groups:read |
| Preview Images (low-resolution) | tableau:views:download, tableau:workbooks:download |
| High-Resolution Preview Images | tableau:views:download |
| Report Field Value Sampling | tableau:views:download |
| Data Source Downloads | tableau:datasources:download, tableau:content:download |
| Task and Schedule Metadata | tableau:tasks:read |

Note

It is recommended to configure all 9 scopes listed above to ensure all connector features work correctly. If any scope is missing, the features that depend on it will fail with a 401 Unauthorized error.

Required JWT Claims

The JWT must include the following claims:

| Claim | Description | Example |
| --- | --- | --- |
| iss | Must match the UAT configuration issuer exactly. | https://your-company.com |
| sub | User email address. | user@company.com |
| exp | Expiration time in Unix epoch seconds. Set a reasonable expiry window (for example, 24 hours for scheduled extractions). | 1775476508 |
| iat | Issued at time in Unix epoch seconds. | 1775469308 |
| jti | Unique token identifier. Use a UUID. | 32c46fa2-c8b7-4a18-ac12-02144bef7a48 |
| email | User email. Must match usernameClaim in the UAT configuration. | user@company.com |
| https://tableau.com/tenantId | Tableau tenant ID from the UAT configuration. | 625e7ea1-a2b9-4348-a679-2217a6ba6ead |
| scp | Scopes as an array of strings. See Configure JWT Scopes for the full list. | ["tableau:content:read", "tableau:content:download", "tableau:sites:read", "tableau:users:read", "tableau:groups:read", "tableau:views:download", "tableau:workbooks:download", "tableau:datasources:download", "tableau:tasks:read"] |
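
A pre-flight check for the claim and scope rules above, as an added example (not Alation's or Tableau's code): it decodes a UAT JWT's header and claims and reports which required claims are absent and which connector features would fail for lack of scopes. The function names, feature keys, and the constructed sample token are assumptions made for this illustration.

```python
import base64
import json
import time

# Feature -> required scopes, copied from the feature table on this page.
FEATURE_SCOPES = {
    "metadata_extraction": {"tableau:content:read", "tableau:sites:read"},
    "permission_mirroring": {"tableau:users:read", "tableau:groups:read"},
    "preview_images": {"tableau:views:download", "tableau:workbooks:download"},
    "high_res_preview_images": {"tableau:views:download"},
    "field_value_sampling": {"tableau:views:download"},
    "data_source_downloads": {"tableau:datasources:download", "tableau:content:download"},
    "task_schedule_metadata": {"tableau:tasks:read"},
}
ALL_SCOPES = set().union(*FEATURE_SCOPES.values())  # the 9 scopes listed on this page
REQUIRED_CLAIMS = ("iss", "sub", "exp", "iat", "jti", "email",
                   "https://tableau.com/tenantId", "scp")

def _seg(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unseg(seg: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def sample_token(claims: dict) -> str:
    """Constructed test token; the signature segment is a placeholder."""
    return ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg(claims), "c2ln"])

def preflight(token: str, features, issuer: str, now=None) -> list:
    """Return problems in header/claims (signature is NOT verified); [] means none."""
    now = time.time() if now is None else now
    header_seg, payload_seg, _sig = token.split(".")
    header, claims = _unseg(header_seg), _unseg(payload_seg)
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected RS256")
    problems += [f"missing claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if "iss" in claims and claims["iss"] != issuer:
        problems.append("iss does not match the UAT configuration issuer")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token has expired")
    scp = set(claims["scp"]) if isinstance(claims.get("scp"), list) else set()
    problems += [f"scope not in this page's UAT list: {s}" for s in sorted(scp - ALL_SCOPES)]
    for feature in features:
        missing = sorted(FEATURE_SCOPES[feature] - scp)
        if missing:
            problems.append(f"{feature} will fail: missing {', '.join(missing)}")
    return problems
```

Run it against the token before pasting it into the BI source settings; an empty list says only that the claims and scopes line up with the tables, not that TCM will accept the signature.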

UAT Configuration Resource IDs

The resourceIds field in the UAT configuration must include both the Tenant ID and the Site ID. Including only the Tenant ID is not sufficient and will result in a sign-in error (error code 101007).

For resourceIds, use the Tableau REST API site.id value (not the site name or the URL segment after #/site/). To retrieve this value, sign in to the Tableau REST API with a personal access token and note the site.id value from the sign-in response.

Note

TCM Personal Access Tokens and Tableau Cloud Personal Access Tokens are completely separate and not interchangeable. A TCM PAT works only against the TCM API, and a Tableau Cloud PAT works only against the Tableau REST API.

Authentication with Active Directory

Authentication with Active Directory is supported through basic authentication (username and password). Use the following format for the username when configuring the Tableau BI source settings in Alation:

  • For Username, use domain_name\ADusername, where ADusername stands for the Active Directory username.

  • For Password, use the Active Directory password of the Active Directory username.

Extracting User Permissions Information from Multiple Domains

When permissions mirroring is enabled for a Tableau BI data source, Alation can extract user permissions information from multiple domains. To make extraction from multiple domains possible, perform the following configuration in Tableau and Active Directory:

  • In Active Directory, make sure that the domains you will extract from have bi-directional trust with the AD server that has Tableau installed. Users must be able to log in to the Tableau instance using the credentials from another AD server.

  • Ensure that the Active Directory groups are imported and set up in Tableau.