Everything Tableau Cloud site administrators need to manage their environment effectively — site configuration, user and group management, project permissions, content governance, extract and refresh management, and the REST API and admin views that provide operational visibility.
Tableau Cloud (formerly Tableau Online) gives site administrators a comprehensive set of tools to manage users, content, permissions, and site configuration. The challenge is that these tools are spread across the UI, the Admin Views, and the REST API — and the default site configuration is not optimised for most production environments. This guide covers every administrative responsibility of a Tableau Cloud site admin, with the specific settings and workflows that matter.
Site Configuration
### Site Settings Fundamentals
The Site Settings page (accessible to Site Admins) controls the foundational site configuration. Key settings to review and configure:
**Automatic licensing:** Determines how licences are assigned to new users. Automatic licensing with a defined default role (Viewer, Explorer, Creator) simplifies user provisioning. Set the default role to the least-privilege level appropriate for most of your users; elevate specific users who need higher roles.
**User visibility:** Controls whether non-admin users can see other users' names in the UI. For organisations with privacy requirements, restricting user visibility prevents users from discovering who else has access to the site.
**Content access:** The default site content visibility policy determines whether users can see content in projects they have not been explicitly granted access to. Set this conservatively — users should only see content they are explicitly permitted to access.
**Guest access:** Disable unless you have a specific use case for unauthenticated viewing. Guest access bypasses all user-level permissions.
**Embedding settings:** If you embed Tableau content in external applications, configure the embedding allowed domains list to restrict which origins can embed your content. Do not leave this open to all domains.
### Authentication Configuration
Tableau Cloud supports multiple authentication methods. The default Tableau ID authentication works out of the box but does not integrate with your identity provider.
**SAML (Single Sign-On):** Configure SAML SSO to authenticate users against your organisation's identity provider (Okta, Azure AD, Google Workspace, PingFederate). SSO provides several operational benefits: users do not maintain separate Tableau passwords; deprovisioning a user in your IdP can automatically revoke Tableau access; group membership in the IdP can synchronise to Tableau groups via SCIM.
**SCIM provisioning:** With SCIM, user creation, update, and deprovisioning are automated via your IdP. Users are created in Tableau automatically when added to the Tableau group in Okta (or equivalent). When a user leaves the organisation and is deactivated in the IdP, their Tableau access is automatically revoked. This eliminates the manual user management overhead of quarterly access reviews.
Configuring SAML and SCIM requires coordination between the Tableau admin and the identity team. The setup is a one-time investment that pays dividends in reduced ongoing administration.
User and Group Management
### Licence Types and Assignment
Tableau Cloud has three licence types: Creator, Explorer, and Viewer. Assigning the correct licence type to each user is both a cost management concern (Creators are the most expensive licence) and a governance concern (Creators can publish content, which requires governance controls).
- **Creator:** Full Tableau Desktop, Web Editing, and Tableau Prep access. Assign to analysts and developers who build content.
- **Explorer:** Can view and explore content, interact with dashboards, and do limited web editing. Assign to business users who need to self-serve but not build from scratch.
- **Viewer:** Can view published content and interact with filters and parameters. Assign to executives and consumers who use pre-built dashboards.
Review the actual usage of each licence type in the Admin Views. Creators who never use Tableau Desktop or publish content are over-licensed; downgrade them to Explorer. Explorers who never use web editing are over-licensed; downgrade to Viewer.
### Groups and Group-Based Permissions
Groups are the right mechanism for managing content permissions at scale. Assigning permissions to individual users requires updating permissions for every content item when a new user joins or a user changes roles. Groups make this maintainable: assign permissions to groups, and manage group membership to control access.
The group structure should reflect your access control model. For example:
- Analytics Team (Creator licence, access to all projects including Certified)
- Finance Users (Explorer licence, access to Finance project)
- Executive Viewers (Viewer licence, access to Executive Dashboard project)
- All Employees (Viewer licence, access to Company-Wide project)
When a new analyst joins, add them to Analytics Team. When the finance VP needs access to finance reports, add them to Finance Users. No per-content-item permission grants needed.
If SCIM is configured, group membership is managed in the IdP and synchronised automatically to Tableau.
### User Provisioning and Deprovisioning
Without SCIM, user provisioning is manual. The process:
1. Receive request for new user access (ideally through a ticketing system, not informal email)
2. Create user in Tableau Cloud with the appropriate licence type
3. Add user to relevant groups
4. Confirm access with the user
Deprovisioning is more critical for security compliance. Former employees who retain Tableau access are a security risk. The deprovisioning process:
1. Receive notification of employee departure (or detect via quarterly access review)
2. Remove user's group memberships
3. Downgrade licence to Unlicensed
4. Remove user or retain as Unlicensed (retaining preserves content ownership attribution)
A quarterly access review using the Admin Views (or REST API) to compare active Tableau users against the HR system's active employee list catches deprovisioning gaps.
Project and Permissions Architecture
### Project Structure
Projects in Tableau Cloud are the primary organisational unit for content and permissions. A well-designed project structure is essential for scalable governance.
Common project architectures:
Governance tier model:
- Certified (restricted publish access, highest quality standards)
- Standard (analytics team can publish, business users can view)
- Sandbox (individual contributors can publish, exploration only)
Business domain model:
- Finance
- Sales and CRM
- Product and Engineering
- Marketing
- HR and People
- Executive
**Hybrid model:** Governance tiers as top-level projects, domain sub-projects within each tier.
The governance tier model enforces quality standards; the domain model enables domain-based access control. The hybrid model does both.
### Permission Inheritance
Tableau Cloud supports permission inheritance: permissions set on a parent project propagate to child projects and their content unless explicitly overridden.
Use inheritance strategically. Set broad read access at the project level (all Finance Users can view content in the Finance project) without setting it on each individual workbook. Set restricted publish access at the project level (only Analytics Team members can publish to Certified).
Explicit permissions on individual workbooks override inherited permissions. Use workbook-level permissions sparingly — they create maintenance overhead and governance exceptions that are hard to audit.
Extract and Refresh Management
### Monitoring Extract Refresh Health
Extracts that fail silently are a common source of "stale data" complaints. The Admin Views provide extract refresh history and failure tracking, but by default, admins are not alerted when refreshes fail.
Set up data-driven alerts (available in Tableau Cloud) or use the REST API to query refresh job status and trigger notifications via your alerting system (PagerDuty, Slack, email) when refreshes fail.
The REST API endpoint for job status is GET /api/version/sites/site-id/jobs. A nightly scheduled check for failed refresh jobs catches issues before business users notice stale data.
### Refresh Scheduling Best Practices
Refresh schedules that concentrate on the same hour create backgrounder contention — all refreshes queue simultaneously and the last ones finish hours after the scheduled time.
Stagger refresh schedules across the day. Group extracts by their data freshness requirement: extracts that need hourly updates run on the hour; daily extracts that business users check at 9am run at 7am (before users arrive, with 2 hours buffer for failures); weekly extracts run overnight on Sunday.
For very large extracts, consider Tableau's incremental refresh capability — refreshing only new rows since the last refresh rather than rebuilding the full extract on every run. Incremental refresh dramatically reduces refresh duration and resource consumption for large fact table extracts.
### Extract Size Management
Oversized extracts slow every operation — refresh duration, dashboard load time, and data source connection time all scale with extract size.
Audit extract sizes using the Admin Views. For extracts over 1GB, review whether:
- Date range filtering can reduce the extract to a relevant time window
- Aggregation can pre-summarise at the extract level rather than the workbook level
- The extract connects to a dbt mart table (pre-aggregated) rather than a raw fact table
Admin Views and REST API
### Key Admin Views
Tableau Cloud includes built-in Admin Views that query site usage and health. The most useful for ongoing administration:
**Stats for Space Used:** Workbooks and data sources by size. Identifies candidates for size reduction.
**Top Creators:** Most active content creators. Useful for identifying power users and potential champions for governance initiatives.
**Traffic to Views:** Most-accessed views. Prioritise maintenance and quality investment on high-traffic content.
**Stats for Load Times:** View load time distributions. Identifies the slowest-loading content for performance investigation.
**Background Task for Extracts:** Refresh job history and duration trends. Identifies extracts with increasing refresh times.
### REST API for Administration
The Tableau REST API enables programmatic access to site administration capabilities — everything you can do in the UI, you can do via the API. Common administrative automation use cases:
**Bulk user operations:** Creating users from a CSV export of new hires, removing users based on an HR system extract, updating licence types in bulk based on usage data.
**Content audit:** Listing all workbooks, data sources, and their owners, creation dates, last access dates, and sizes for governance reporting.
**Permission audit:** Querying all permissions on all projects and content items to produce an access control report.
**Refresh monitoring:** Querying job status to detect failed refreshes and trigger alerts.
The REST API requires authentication with a personal access token (PAT). Create a dedicated service account with Site Admin role for API automation; do not use a personal user account.
Our managed BI services include Tableau Cloud site administration and governance — contact us to discuss Tableau Cloud administration for your organisation.
A former Microsoft data architect audits your data foundation, identifies your top priorities, and sends you a written plan. Free. No pitch.
Book a Call →