
Site administrators form an integral piece of the modern analytics workflow. The role of an administrator helps to facilitate the work of analysts and viewers who work on our Tableau Cloud site.
We need to make content easy to access for viewers, and help analysts to follow best practices to maintain a healthy site.
Understanding how analytics is performed in an interactive way, and how best to facilitate that is key to enabling and elevating the use of Tableau across the business.

The overall process will be consistent, but the detail of how the governance process is implemented will vary based on a number of factors, such as data sensitivity or skill levels of the target audience.
These factors inform which of the three types of governance approach we want to adopt.
Centralized - a core team of BI professionals within IT are responsible for connecting to, preparing and visualizing data. Other teams are consumers of these analyses.
Delegated - members of teams outside of IT (within lines of business) have direct access to data and can prepare reports for themselves. The role of IT shifts from “provider of reports” to “enabler of analytics”. Almost all tasks are handled by the central team.
Self-governed - users across the business are well versed in the governance process and are able to manage connecting, creating and promoting content entirely independently of the central BI/IT team.

Different models serve different purposes. For instance, highly sensitive data such as HR or personally identifiable data will always need to be managed centrally, but in general, for internal, non-sensitive data, a path towards full self-governance is the ideal route.
As data literacy and processes are developed across an organization, the governance model can shift from centralized to delegated to self-governed.
There is no one-size-fits-all approach; it’s always a case of finding the best governance model to fit your needs.
Many best practices apply to all governance models. In this post we'll explore best practices for:
User and content management
Data security
Monitoring and auditing
User and Content Management
Site and Project Structure

A well-structured site hierarchy is key to maintaining governance at scale for any governance model.
For centralized, the structure is consistent and well documented for a central team to navigate and manage.
For delegated, the individual projects can be passed on to each team to take ownership.
For self-governed, the structure is easy to manage for individuals who are responsible for their own sets of projects.
The exact layout may vary depending on your needs. Perhaps you’d rather have production & sandbox at the top level, then departments within those. The key thing is to maintain a consistent, logical structure for all your projects.
Integrate your existing identity provider
Configure SSO on your cloud site with your identity provider (IdP) of choice to improve user experience and minimize admin overhead.
This also allows you to centralise user management with your IdP team.
Popular IdPs include Salesforce, Google, Microsoft Azure Entra ID, Okta, OneLogin and PingOne.

In addition to a single sign-on experience for end users, using an external identity provider also allows you to configure your site for the System for Cross-domain Identity Management (SCIM).
SCIM is supported by most IdPs, and full Tableau documentation is available for integration with Okta, OneLogin and Azure Entra ID.
This allows your IdP to automatically provision users and groups on your site, further centralizing user management.

Managing Licensing
A relatively new addition to Tableau Cloud is the grant role on sign in feature.
This allows you to provision users to your site, but add them as unlicensed until they actually go to sign in.
At the point of sign in, they are provisioned a license.
This helps drive adoption, as users registered on Tableau Cloud don’t consume a license unless they are active.
This should be combined with monitoring of your user activity and license allocations. You can remove licenses from inactive users, freeing up space for more users, or purchase additional licenses as your active user base grows.

Data Security and Governance
Permissions best practices
Assign permissions to groups
Managing access through groups helps streamline permission management. Access can be provided or removed by adding or removing the relevant users from the necessary groups.
Group rules are evaluated after user rules. This means you can set up ad hoc exceptions to either allow or deny access to a specific individual if needed, but this should only be used for testing or providing temporary access.
Conflicts can arise when mixing user and group rules on complex permission sets. These conflicts can become tricky to troubleshoot.
Use deny rules sparingly
Deny rules are evaluated before allow rules. Use them sparingly.
Conflicts can arise when mixing deny and allow on complex permission sets. These conflicts can become tricky to troubleshoot.
A lack of permissions also ends up with a deny result.
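The evaluation order described in the two sections above, worked through as an added example (not Tableau's code or part of the original post). It models only what the text states: user rules before group rules, deny before allow, and deny when nothing matches. Site roles and content ownership are left out, and the rule set, user names and capability labels are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    grantee_type: str  # "user" or "group"
    grantee: str       # user or group name
    capability: str    # constructed labels such as "View"
    mode: str          # "Allow" or "Deny"

def matching(rules, user, groups, capability):
    """Every rule on the content item that applies to this user."""
    return [r for r in rules if r.capability == capability and (
        (r.grantee_type == "user" and r.grantee == user) or
        (r.grantee_type == "group" and r.grantee in groups))]

def effective(rules, user, groups, capability):
    """Return (result, deciding_rule); deciding_rule is None on default deny."""
    hits = matching(rules, user, groups, capability)
    # Order from the text: user rules before group rules, deny before allow.
    for gtype in ("user", "group"):
        for mode in ("Deny", "Allow"):
            for r in hits:
                if r.grantee_type == gtype and r.mode == mode:
                    return mode, r
    return "Deny", None  # a lack of permissions also ends up as deny

def overridden(rules, user, groups, capability):
    """Matching rules that disagree with the outcome: the conflicts to review."""
    result, _ = effective(rules, user, groups, capability)
    return [r for r in matching(rules, user, groups, capability) if r.mode != result]

# Constructed rule set for one project (all names are illustrative).
RULES = [
    Rule("group", "Finance", "View", "Allow"),
    Rule("group", "Contractors", "View", "Deny"),
    Rule("user", "alex", "View", "Allow"),  # ad hoc exception for one person
    Rule("group", "Finance", "Download", "Allow"),
]

if __name__ == "__main__":
    cases = [("alex", {"Finance", "Contractors"}, "View"),
             ("sam", {"Finance", "Contractors"}, "View"),
             ("kim", {"Finance"}, "Download"),
             ("kim", {"Finance"}, "Delete")]
    for user, groups, cap in cases:
        result, rule = effective(RULES, user, groups, cap)
        print(user, cap, result, rule, overridden(RULES, user, groups, cap))
```

The `overridden` list is the part to audit: for alex it shows that a user-level allow is silently bypassing the Contractors deny, which is the kind of leftover exception the text says should only be temporary.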

Remove permissions from the default project
When you first get your site, the All Users group will have full access to the default project.
You should remove this permission, as any new top-level projects inherit permissions from the default project.
Removing All Users reduces the chance of accidentally providing unwanted permissions.

Use Locked project permissions
Project permission locking can be applied at any level in the project hierarchy.
This allows you to set and manage permissions in one place, rather than managing individual content items separately.

Data source management
Avoid unnecessary replication and proliferation of data.
Use published data sources for key, reusable sources rather than duplicating the same content for each workbook.
This also helps reduce load on your source system by only having a single point of query rather than multiple.
Enable access to central data sources across departments to avoid siloing.
Published data sources can be used as sources for Tableau Pulse Metrics.

Implement row level security.
Reuse the same workbooks and data sources for different user segments, filtering out the available data based on their needs and access permissions.
This comes in many shapes and can be applied at various levels:
Workbook level
Data source level
Virtual Connection level (requires Data Management)
Database level
Monitoring and Auditing
It’s important to keep an eye on your cloud deployment to catch any issues before they become big problems.
There are a number of ways to track activity and usage across your site.
Site admin views
Admin insights
Monitoring for stale content
Monitoring for scheduling bottlenecks/errors
Activity log
Using webhooks and REST APIs for active monitoring
Site admin views
These are reports provided with your site which update in near real-time and cover a range of areas. They can be found under the Site Status menu.
Live connections to Tableau Bridge
Extract refresh tasks
Extract refresh tasks via Tableau Bridge
Other background tasks e.g. subscriptions
Prep Flow performance
Data Quality warning history

Admin Insights data sources and starter workbook
Your site also includes a set of data sources which contain metadata on the state and usage of your site.
You can use these to build your own monitoring reports for an even broader range of areas focused around site traffic, adoption and reach.
User activity on the site
User breakdown such as license allocations
Groups
Content on the site
Viz load performance
Background task performance
Permissions
Subscriptions
Access tokens
As an example, the starter workbook has views to analyse:
Stale content based on last access date
User login activity
Content publishing activity
Extract size and utilisation

You could enhance these reports with your own views such as:
Identify scheduling bottlenecks or gaps where new jobs could be scheduled
Monitor for slow loading views which need to be reviewed
Activity log
This feature of the Advanced Management package streams site activity in real time as JSON to an S3 bucket.
Covers a wide range of activity, including effective permission changes, ownership changes, extract jobs and view access events, among many others.
Ideal for auditing given the granular detail and wide scope of activity tracked.
More types of activity are being added to the log over time.
Leveraging the APIs
You can build webhooks to trigger external notifications on an event, such as extract refresh failures or when a user is promoted to an admin.
These webhooks can be integrated with many external services such as Slack or AWS Lambda.
Lets you get notified of issues as they happen so you can take action before end users even submit a report.
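A sketch of the receiving side of such a webhook, as an added example that is not Tableau's code or part of the original post: it validates one delivery, drops anything not from the expected site, and routes admin promotions and refresh failures to different channels. The event names and payload fields are assumed to match Tableau's webhook payload and should be checked against a real delivery; the channel names, LUID and resource names are constructed.

```python
import json

# Assumed event names and payload fields; confirm against a real delivery.
ROUTES = {
    "AdminPromoted": ("high", "#security-alerts"),
    "DatasourceRefreshFailed": ("medium", "#bi-ops"),
    "WorkbookRefreshFailed": ("medium", "#bi-ops"),
}
REQUIRED = ("event_type", "resource", "resource_name", "site_luid", "created_at")

def slack_escape(text):
    """Escape Slack control characters so a resource name cannot inject mentions or links."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def triage(raw_body, expected_site_luid):
    """Return a notification dict for one delivery, or None if it should be dropped."""
    try:
        event = json.loads(raw_body)
    except (TypeError, ValueError):
        return None
    if not isinstance(event, dict):
        return None
    if any(not isinstance(event.get(k), str) for k in REQUIRED):
        return None
    if event["site_luid"] != expected_site_luid:
        return None  # not our site: ignore rather than alert
    route = ROUTES.get(event["event_type"])
    if route is None:
        return None  # an event type nobody asked to be told about
    severity, channel = route
    text = "[{}] {} on {} '{}' at {}".format(
        severity.upper(), event["event_type"], slack_escape(event["resource"]),
        slack_escape(event["resource_name"]), slack_escape(event["created_at"]))
    return {"severity": severity, "channel": channel, "text": text}

# Constructed sample deliveries (LUID and names are placeholders).
SITE = "00000000-0000-0000-0000-000000000001"
ADMIN_EVENT = json.dumps({"event_type": "AdminPromoted", "resource": "USER",
    "resource_name": "jordan", "site_luid": SITE, "created_at": "2024-01-01T09:00:00Z"})
REFRESH_EVENT = json.dumps({"event_type": "DatasourceRefreshFailed", "resource": "DATASOURCE",
    "resource_name": "Sales <!channel>", "site_luid": SITE, "created_at": "2024-01-01T09:05:00Z"})

if __name__ == "__main__":
    for body in (ADMIN_EVENT, REFRESH_EVENT, "not json"):
        print(triage(body, SITE))
```

Resource names are set by whoever publishes the content, so they are escaped before being placed in a chat message.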

Summary
Following best practices helps to maintain a healthy and efficient site. As admins, our job is to make this as easy as possible for other teams involved in the analytics workflow.
Deciding on, and sticking to, a governance strategy and following through on these fundamental administration practices will help to keep your Tableau Cloud site in top shape.