User Management in Deployments with External Identity Stores

  • Version: 2022.1 and later

This topic describes important technical details you should be familiar with when managing Tableau Server users with an external identity store. Tableau Server supports connecting to an external directory using LDAP. In this scenario, Tableau Server imports users from the external LDAP directory into the Tableau Server repository as system users.

Arbitrary LDAP directory

The system user name in Tableau is whatever attribute you set in the LDAP configuration, for example "cn". This applies both to single-user import and to the group synchronization features. See the External Identity Store Configuration Reference.

User binding behavior at sign-in

You may need to update your LDAP configuration to allow binding with the user name with the DN appended. Specifically, you need to update the LDAP configuration when Tableau Server is configured with an arbitrary LDAP directory (for example, OpenLDAP) that uses a UPN or an email address as the user name.

Tableau Server searches for the given user based on the user name provided during sign-in. Tableau Server then attempts to bind using the user name with the DN appended. If Tableau Server has been configured with GSSAPI, username@REALM (the domain name) is used instead.

Active Directory

The remainder of this topic assumes that you are familiar with Active Directory user management and with basic Active Directory schema and domain concepts.

If you are installing into Active Directory, you must install Tableau Server on a computer that is joined to the Active Directory domain.

Note: In the context of user and group synchronization, Tableau Server configured with an LDAP identity store is equivalent to Active Directory. The Active Directory synchronization features in Tableau Server work seamlessly with a properly configured LDAP directory solution.

Active Directory user authentication and Tableau Server

Tableau Server stores all user names in the Tableau Server identity store, which is managed by the repository. If Tableau Server is configured to use Active Directory for authentication, user identities must first be imported from Active Directory into the identity store. When a user signs in to Tableau Server, the credentials are passed to Active Directory, which is responsible for authenticating the user. Tableau Server does not perform this authentication. (By default, NTLM is used for authentication, but you can enable single sign-on for Kerberos or SAML; in all of these cases, however, authentication is left to Active Directory.) The Tableau user names stored in the identity store, on the other hand, are associated with permissions on Tableau Server. Therefore, once authentication has been verified, Tableau Server manages the user's access to Tableau resources (authorization).

Active Directory user name attributes and Tableau Server

Active Directory uses several attributes to uniquely identify user objects. (For details, see User Naming Attributes (link opens in a new window) on the MSDN website.) Tableau Server relies on two Active Directory user naming attributes:

  • sAMAccountName. This attribute specifies the logon name originally designed for older versions of Windows. In many organizations, this name is combined with the NetBIOS name used for authentication, in a format such as example\jsmith, where example is the NetBIOS name and jsmith is the sAMAccountName value. Because of the original design in Windows, the sAMAccountName value must be shorter than 20 characters.

    In the Windows Active Directory Users and Computers administrative console, this value is in the field labeled "User logon name (pre-Windows 2000)" on the Account tab of the user object.

  • userPrincipalName (UPN). This attribute specifies a user name in the format jsmith@example.com, where jsmith is the UPN prefix and @example.com is the UPN suffix.

    In the Windows Active Directory Users and Computers administrative console, the UPN is the concatenation of two fields on the Account tab of the user object: the User logon name field and the domain drop-down list next to it.

Adding users from Active Directory

You can add users individually from Active Directory, either by typing them in the server environment or by creating a CSV file and importing the users. You can also add Active Directory users by creating a group via Active Directory and importing all of the group's users. The result can be different depending on which approach you're using.

Importing UPN prefix as username

The user name that Tableau Server will import into the identity store will be the sAMAccountName value unless one of the following is true:

  • If the UPN prefix of the specified user is longer than 20 characters, and the search string matches the full UPN and is entered in the Windows login format (domain\UPN).

    Consider a user with the following Active Directory attributes:

    • UPN: jsmith123456789012345@example.lan

    • sAMAccountName: jsmith

    To import this user so that the UPN prefix (jsmith123456789012345) is used as the Tableau Server username, specify this search string when importing the user: example.lan\jsmith123456789012345@example.lan

    (To import this user so that sAMAccountName is used, simply specify jsmith when importing.)

  • If the user name you specify includes an @ symbol in the UPN prefix (jsmith@domain) and the search string you enter is either in the Windows domain login format (example.lan\jsmith@domain) or is the full UPN.

    Consider a user with the following Active Directory attributes:

    • UPN: jsmith@domain@example.lan (in this case, the UPN prefix is jsmith@domain and the UPN suffix is example.lan)

    • sAMAccountName: jsmith

    To import this user so that the UPN prefix (jsmith@domain) is used as the Tableau Server username, specify either one of the following search strings when importing the user:

    • example.lan\jsmith@domain

    • jsmith@domain@example.lan

    (To import this user so that sAMAccountName is used, simply specify jsmith when importing.)

If user names were inadvertently imported using UPN names, you can delete the accounts in Tableau Server and then reimport those accounts using the sAMAccountName value for the user name, as shown in User logon name (pre-Windows 2000) in the Windows Active Directory Users and Computers administrative console.

In all cases, the Tableau Server Users page will present user names with the prefix of the UPN only. The full UPN is not displayed in the Tableau Server Users page.
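The import rule above, worked through in Python as an added example (this is not Tableau's own code); the AdUser type, its attribute values and the helper functions are constructed for illustration from the two cases the page lists.

```python
from dataclasses import dataclass

SAM_MAX_LEN = 20  # sAMAccountName values must be shorter than 20 characters


@dataclass(frozen=True)
class AdUser:
    """Constructed stand-in for an Active Directory user object (not a real AD API)."""
    upn: str               # userPrincipalName, e.g. jsmith@example.lan
    sam_account_name: str  # sAMAccountName, e.g. jsmith
    fqdn: str              # domain FQDN, e.g. example.lan

    @property
    def upn_prefix(self) -> str:
        # The suffix is everything after the LAST "@", so a prefix may itself contain "@"
        return self.upn.rsplit("@", 1)[0]


def resolve_import_username(user: AdUser, search_string: str) -> str:
    """Name Tableau Server stores when an admin imports `user` with `search_string`.

    The default is sAMAccountName; the two exceptions mirror the bullets above.
    """
    prefix = user.upn_prefix
    is_full_upn = search_string == user.upn
    is_domain_upn = search_string == f"{user.fqdn}\\{user.upn}"     # domain\UPN
    is_domain_prefix = search_string == f"{user.fqdn}\\{prefix}"    # domain\prefix

    # Exception 1: prefix longer than 20 characters, entered as domain\full-UPN
    if len(prefix) > SAM_MAX_LEN and is_domain_upn:
        return prefix
    # Exception 2: "@" inside the prefix, entered as domain\prefix or as the full UPN
    if "@" in prefix and (is_domain_prefix or is_full_upn):
        return prefix
    return user.sam_account_name


def imports_as_upn_prefix(user: AdUser, search_string: str) -> bool:
    """Pre-import check: True when this search string would store the UPN prefix
    rather than sAMAccountName (the accidental import the page describes)."""
    return resolve_import_username(user, search_string) != user.sam_account_name
```

Running the check before a bulk CSV import lets you spot the search strings that would produce UPN-based names instead of finding out after the accounts exist.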

Adding user groups

If you import an Active Directory user group, Tableau will import all users from the group using the sAMAccountName.

Sync behavior when removing users from Active Directory

Users cannot be automatically removed from Tableau Server through an Active Directory sync operation. Users that are disabled, deleted, or removed from groups in Active Directory remain on Tableau Server so that you can audit and reassign the user's content before removing the user's account completely.

However, Tableau Server acts upon user objects differently based on how the status of that user object changes in Active Directory. There are two scenarios: deleting or disabling users in Active Directory, or removing users from synchronized groups in Active Directory.

When you delete or disable a user in Active Directory and then synchronize that user's group on Tableau Server, the following occurs:

  • The user is removed from the Tableau Server group you synchronized.

  • The user's role is set to “unlicensed.”

  • The user will still belong to the All Users group.

  • The user is unable to sign in to Tableau Server.

When you remove a user from a group in Active Directory and then synchronize that group on Tableau Server, the following occurs:

  • The user is removed from the Tableau Server group you synchronized.

  • The user's role is retained: it is not set to “unlicensed.”

  • The user will still belong to the All Users group.

  • The user will still have permission to the Tableau Server with access to everything that the All Users group is granted permission to use.

In both instances, to remove a user from Tableau Server, the server administrator must delete the user from the Server Users page in Tableau Server.
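The two sync scenarios above, simulated in Python as an added example (not Tableau's own code) with a helper that lists the accounts sync leaves behind; the TableauUser and AdStatus types and the group name "Finance" are constructed for illustration.

```python
from dataclasses import dataclass, field

ALL_USERS = "All Users"   # every Tableau Server user belongs to this group
UNLICENSED = "Unlicensed"


@dataclass
class TableauUser:
    """Constructed stand-in for a Tableau Server user record (not the real API)."""
    name: str
    site_role: str                                   # e.g. "Explorer", "Viewer", "Unlicensed"
    groups: set = field(default_factory=lambda: {ALL_USERS})


@dataclass(frozen=True)
class AdStatus:
    """What Active Directory reports for the user at sync time."""
    enabled: bool    # False if the AD object was disabled or deleted
    in_group: bool   # still a member of the synchronized AD group


def sync_group(user: TableauUser, synced_group: str, status: AdStatus) -> TableauUser:
    """Apply one synchronization of `synced_group` to `user`, following the two
    scenarios above. A sync never deletes a Tableau Server account."""
    if status.enabled and status.in_group:
        user.groups.add(synced_group)
        return user
    user.groups.discard(synced_group)   # leaves the synced group in both scenarios
    user.groups.add(ALL_USERS)          # ...but always stays in All Users
    if not status.enabled:
        user.site_role = UNLICENSED     # deleted/disabled in AD: licence revoked, no sign-in
    # removed from the AD group only: site role and All Users permissions are retained
    return user


def can_sign_in(user: TableauUser) -> bool:
    return user.site_role != UNLICENSED


def orphaned_accounts(users) -> dict:
    """Accounts no synced group references any more. Neither kind is removed by sync;
    the 'licensed' ones still hold everything All Users is granted until deleted."""
    alone = [u for u in users if u.groups == {ALL_USERS}]
    return {
        "licensed": sorted(u.name for u in alone if can_sign_in(u)),
        "unlicensed": sorted(u.name for u in alone if not can_sign_in(u)),
    }
```

The "licensed" list is the one to review first: those users were only removed from an AD group, so they still sign in with every permission granted to All Users.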

Domain nicknames

In Tableau Server, domain nickname is equivalent to the Windows NetBIOS domain name. In a Windows Active Directory forest, a fully qualified domain name (FQDN) can have an arbitrary NetBIOS name. The NetBIOS name is used as the domain identifier when a user logs in to Active Directory.

For example, the FQDN west.na.corp.lan might be configured with a NetBIOS name (nickname) of SEATTLE. The user jsmith in that domain could log on to Windows using either of the following user names:

  • west.na.corp.example.com\jsmith

  • SEATTLE\jsmith

If you want your users to sign in to Tableau Server with a NetBIOS name instead of the FQDN, then you'll need to verify that the nickname value for each domain where users log in is set. See editdomain for information on how to view and set the nickname value for each domain.

Support for multiple domains

You can add users and groups from a domain that's different from the domain of the Tableau Server computer in these cases:

The first time you add a user or group from the non-server domain, you must specify the fully qualified domain name with the user/group name. Any additional users or groups you add from that domain can be added using the domain's nickname, provided the nickname matches the NetBIOS name. If Tableau Server connects to multiple domains, you must also specify the other domains that Tableau Server connects to by setting the wgserver.domain.whitelist (version 2020.3 and earlier) or wgserver.domain.accept_list (version 2020.4 and later) option with TSM. For more information, see wgserver.domain.whitelist or wgserver.domain.accept_list.

Duplicate display names

If user display names are not unique across domains, managing users with the same display name in Tableau can be confusing, because Tableau Server shows the same name for both users. For example, suppose an organization has two domains, example.lan and example2.lan. If the user John Smith exists in both domains, adding that user to groups and other administrative tasks in Tableau Server will be confusing. In this situation, consider updating the display name of one of the users in Active Directory to distinguish the accounts.

Signing in to Tableau Server with a NetBIOS name

Users can sign in to Tableau Server using the domain nickname (NetBIOS name), for example SEATTLE\jsmith.

Tableau Server cannot query the NetBIOS name of a given FQDN. Therefore, Tableau sets the nickname for a given FQDN based on the first entry in the namespace. For example, given the FQDN west.na.corp.lan, Tableau sets the nickname to west.

Therefore, you may need to update the domain nickname on Tableau Server before users can sign in with that nickname. If you do not update the nickname, users must sign in with the fully qualified domain name. For details, see Users from new domain unable to log in and do not appear in user list (link opens in a new window) in the Tableau Knowledge Base.
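The nickname defaulting and the resulting sign-in failure, as an added Python example (not Tableau's own code); the Domain type, register_domain and resolve_sign_in are constructed for illustration, with register_domain's netbios_name argument standing in for the nickname an administrator sets with editdomain.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Domain:
    """Constructed stand-in for a domain entry on Tableau Server (not the real API)."""
    fqdn: str
    nickname: str


def default_nickname(fqdn: str) -> str:
    """Tableau Server cannot look up the NetBIOS name, so it takes the first label."""
    return fqdn.split(".", 1)[0]


def register_domain(fqdn: str, netbios_name: Optional[str] = None) -> Domain:
    """Without an explicit nickname the first label of the FQDN is used (page behavior);
    netbios_name models the value an admin sets afterwards with editdomain."""
    return Domain(fqdn, netbios_name or default_nickname(fqdn))


def resolve_sign_in(login: str, domains: list) -> Optional[str]:
    """Map a 'DOMAIN\\user' sign-in to a known FQDN, matching either the FQDN or the
    nickname (compared case-insensitively, like NetBIOS names). None means the
    sign-in fails because the domain part is unknown to the server."""
    if "\\" not in login:
        return None
    dom, _user = login.split("\\", 1)
    for d in domains:
        if dom.lower() in (d.fqdn.lower(), d.nickname.lower()):
            return d.fqdn
    return None
```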