This topic covers the permissions requirements needed for Tableau Services Manager [TSM] to access and use files. This information is intended for server administrators. This topic does not address permissions used for managing users and content within Tableau Server [permissions for content and users]. For information related to these permissions, see Permissions.
During installation of TSM and Tableau Server, an unprivileged user [tableau] is created and added to a server authorized group [tableau]. This user account enables the work done by TSM and Tableau Server processes. You can change the user and group during installation. For more information, see Identity Store.
Permissions requirements for TSM apply to both files, and to the directories in which the files are placed. When TSM creates and manages files, the files get put into specific default locations with the necessary permissions and you don't need to worry about setting permissions. When you create, copy, or move files yourself, or when you put files into non-default locations, you need to be aware of permission requirements so that TSM can properly access the files. Common cases [For information about using non-default locations, see tsm File Paths.]
General rules for permissions and TSM are:
Files—If the tableau group has access to a file [if it is the group owner and has read access to the file], the users in the group have access to the file. An alternate approach is to give "other" read access.
Directories—If the tableau group has read and execute access to the directory that contains a file, and any parent directories of that directory, the users in the group have access to the file.
Situations that may require you to adjust permissions include server backup files and site import archives that you copy from a different computer or to a non-default location, customization files such as logos or images, and security certificates such as SSL certificates.
For example, if you migrate from Tableau Server on Windows to Tableau Server on Linux, you use a backup created in Windows to restore data to your Linux server. Because this backup file isn't created by TSM, it may not have the correct permissions for the restore process to access it. You need to make sure the backup file and the directory structure you copy it into have the proper permissions. Similarly, if you are copying files like certificates to additional nodes in a cluster, you need to make sure the files and the directories you copy them into have the permissions the tableau user needs in order to access them.
Setting permissions for individual files
If you are using a file you copy to one of the default locations created by TSM, you need to make sure the ownership and permissions on the file allow TSM access by giving the tableau user read access. You can do this in one of two ways:
You can give the tableau user read access by giving the tableau group [in a default installation] read and execute access to a file using the chgrp and chmod commands. For example:
chgrp tableau .tsbak
chmod g+rx .tsbak
Alternately, you can give world read and execute access to the file:
chmod o+rx .tsbak
Setting permissions for directories
In addition to setting the proper permissions on the files themselves, TSM also needs permissions for the directory that contains the file, as well as any parent directories. If you are using a non-default location for files that TSM will access, you will need to make sure permissions for the parent directory or directories that contain the file allow read and execute access.
You can address this issue in a couple of ways:
Change group ownership of the directory to the tableau group, and add group read and execute permission to the directory. Doing this makes files in the directory more available to the tableau user.
chgrp tableau
chmod g+rx
Alternatively, you can add world read and execute permission to the directory. This makes files in the directory more available to all users on the system. This approach may require additional steps to ensure security of other files in the directory. For example, you may want to make sure other files in the directory are not world readable so other users cannot read them.
chmod o+rx
Hint: You can use namei -mo command to list an entire permissions tree. This can make it easier to see what directories need to have permissions adjusted to allow access by the tableau group. You can find more information on the internet.
Next: Stream [or sync] Drive files to users' computers This article is for administrators. To learn how to share or set permissions for your own files, go to
Share files from Google Drive. As an administrator, you can control how users in your organization share Google Drive files and folders. These include items from Google Docs, Sheets, Slides, and My Maps as well as folders and anything else stored in Drive. Note: If Drive is turned off, you can’t change file-sharing permissions. Instead of using Drive settings for sharing outside your organization, you can use trust rules to manage sharing both outside and inside your
organization. Trust rules give you more control over who your users can share with. For details, see Create and managed trust rules for Drive sharing [beta]. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group. Supported editions for this feature: Business Standard and Business Plus;
Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Nonprofits; Essentials. Compare your edition For Sharing outside of your
organization, click On and choose sharing options: Click Save. If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group. It can take up to 24 hours
to see changes. During this time, old and new settings might be intermittently enforced. Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education
Plus; G Suite Business; Essentials. Compare your edition You can restrict file sharing to trusted [allowed] domains. When you use an allowlist to restrict sharing: To set allowlist settings:Get started: Drive setup guide for admins
Before you begin
Try managing Drive sharing with trust rules [beta]
Let users share files outside of your organization
Note: To edit or comment on files, users must sign in to a Google Account [or a visitor account if you have visitor sharing turned on].Restrict sharing to certain domains
- Click Sharing settingsSharing options.
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Nonprofits; Essentials. Compare your edition
- For Sharing outside of your organization, click Allowlisted Domains and choose sharing options:
- For files owned by users in your organization, warn when sharing with users in allowlisted domains—To protect confidentiality, users get a warning when trying to share files with users in a domain on an allowlist.
- Allow users in your organization to receive files from users outside of allowlisted domains—Users can open files from domains that aren’t on an allowlist and edit Google Docs, Sheets, and Slides stored on third-party storage systems.
- Allow users in your organization to send invitations to non-Google accounts outside your organization—Allows PIN-verified visitor sharing to non-Google users in domains on your allowlist.
- Click Save. If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group.
It can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.
Restrict all file sharing outside of your organization
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Essentials. Compare your edition
You can restrict users from sharing or receiving the following items outside of your organization:
- Invitations to items in Docs, Sheets, and Slides, which are active for 14 days
- Links to files stored in Drive
- Email attachments that users can send or receive, uploaded directly from devices and stored in Drive
To restrict file sharing outside of your organization:
- Click Sharing settingsSharing options.
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Nonprofits; Essentials. Compare your edition
- For Sharing outside of your organization, click Off.
- [Optional] To keep users from opening or editing files from outside of your organization or in third-party storage systems, uncheck the Allow users in your
organization to receive files from users outside of your organization box.
Note: If you set a policy that restricts external users from accessing your organization’s information, users can share files with a group that has external users, but those users can’t access the files. - Click Save. If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group.
It can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.
Control the default access to files
You can control the options that users get when they allow general access to files from My Drive. The options do not apply to files and folders in shared drives.
Cloud Identity customers: If your organization has a mix of Cloud Identity and Google Workspace licenses, the General access default for the Google Workspace users also applies to the users with Cloud Identity licenses.
Set target audiences
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Standard and Education Plus; G Suite Business; Nonprofits. Compare your edition
Target audiences appear in the General Access section of the Drive sharing dialog, and they encourage users to share with appropriate groups instead of with the entire organization. The primary target audience you set is their default sharing option. Learn more about target audiences.
The predefined primary target audience is named your organization, and includes all users in your organization. If your organization has created additional target audiences, you can:
- Add target audiences to users' Drive sharing settings.
- Set a different primary target audience for all or just specific users.
- Remove
target audiences from users' Drive sharing settings.
If you remove a target audience: The default sharing option for users becomes Restricted. However, members of the removed audience can still access any files that were shared with the deleted audience. To prevent access, you'll need to either remove members from the audience or delete the audience.
To set target audiences:
- Click Target audiences.
The Audiences list shows any target audiences that are already applied to the service, in the order they appear in users' sharing settings. - To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child
organizational unit or a configuration group.
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Nonprofits; Essentials. Compare your edition
Click General access default.
Choose an option:
- Private to the owner—Only the file owner can access new files.
- Anyone in your organization can access the item if they have the link—Anyone in your organization who has the link can access the file. Files with this setting don’t normally appear in search results unless there are links to them from other files that are searchable.
- Anyone in your organization can search and find the item—Anyone in your organization can search for and view the file. However, a file with this setting appears in a user’s Drive only after they access the file or the file is shared with them.
Important: If you set a target audience for the sharing settings rather than anyone at your organization, the target audience options show instead.
- Click Save.
If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group.
It can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.
Restrict the access users can give to files
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Essentials. Compare your edition
You can decide what level of access users can give to files when they are prompted to share a file. Users get prompted to share when they:
- Send Gmail or Google Chat messages with links to files that haven't been shared with recipients.
- +mention someone in a comment in a file who doesn't have access.
- Attach files to Google Calendar events where guests don't have access to the files.
If users share files they don't own, the sharing options come from the file owner's organizational unit. If users share multiple files and different organizational unit settings apply, the options come from the least permissive organizational unit.
To assign the level of access users can give:
- Click Sharing settings.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child
organizational unit or a configuration group.
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Nonprofits; Essentials. Compare your edition
- Click Sharing options.
- For Access Checker, choose an option:
- Recipients only, your organization, or public—Users can give access to anyone who has the link. The least restrictive setting, it’s available only if sharing is turned on for your organization and you allow users to publish files on the web.
- Recipients only or your organization—Users can give access to required recipients and anyone in your organization who has the link.
- Recipients only—Users can only give access to required recipients. If the file has been shared with other people, they still have access. This is the most restrictive setting.
- Click Save. If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group.
It can take up to 24 hours for changes to appear.
Control who can access files stored on shared drives
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Essentials. Compare your edition
You can control who can move files and folders outside of your organization when moving content from:
- A shared drive in your organization to a shared drive owned by another organization or someone’s My Drive in another organization
- Someone’s My Drive in your organization to a shared drive owned by another organization
For details on controlling who can access files stored on shared drives, go to Control sharing for your organization.
Related topics
- How Drive protects your privacy & keeps you in control
- Allow users to create shared drives
- Set target audiences for a Google service
- Add an organizational unit
- Move users to an organizational unit
Next: Stream [or sync] Drive files to users' computers
Was this helpful?
How can we improve it?