
About Tableau

Tableau is a visual analytics platform, available as Tableau Cloud and Tableau Server. Serval connects to one Tableau site using a Personal Access Token (PAT): you provide your Server URL, an optional Site Content URL, and the PAT name and secret. Serval never sends your PAT directly to Tableau’s data endpoints - for every request, it exchanges the PAT for a short-lived session token scoped to your configured server and site. This integration is currently in Beta.

Authentication: Personal Access Token (PAT). Serval stores the token securely and exchanges it for a fresh, short-lived session token on every request - there is no stored session to expire or refresh.

Data sync: On demand only - no background sync, polling, or webhooks. Workflows call Tableau at the moment they run. The installable Access Management workflows are event-driven: they run when access is granted or revoked in Serval, not on a schedule.

What the Tableau integration enables

| Capability | Description |
| --- | --- |
| Call any Tableau REST API action | Workflows can make any authenticated Tableau REST API call the connected account is allowed to make, including newer versionless features like collections, content search, and usage stats. |
| Access Management workflow bundle | Installable “Access Management” bundle with two plug-and-play workflows: “Provision User to Tableau” assigns the requested Tableau site role when access is granted, and “Deprovision User from Tableau” sets the user’s site role to Unlicensed when it is revoked. |
| Manage site users | List and look up users on the connected site and change their site roles (requires a PAT created by a site or server administrator). |
| Browse content | List collections, run content search, and read usage stats; read server info and the current session to identify the active site. |
| Connection health checks | Four built-in checks exercise the connection end to end: API connectivity, session and site access, content access, and user-management permissions. |

Anything defined in the Tableau REST API can be accessed through Serval. The integration works with both Tableau Cloud and Tableau Server, and uses Tableau REST API version 3.24 for Tableau’s versioned endpoints - see the Tableau Server version note in the gotchas below.

Get your credentials

You need a Tableau Personal Access Token (PAT). The PAT inherits the permissions of the Tableau account that creates it - Serval can do exactly what that account can do on the connected site. Create it while signed in as the account you want Serval to act as, ideally a dedicated service account (for example, serval-integration) with the right site role. See Tableau’s Personal Access Tokens documentation for full details.
If you plan to use user-management or the Access Management provisioning workflows, create the PAT while signed in as a site or server administrator. A non-admin PAT still works for content-only workflows.

1. Sign in to Tableau as the integration user
Sign in to Tableau Cloud or Tableau Server as the account whose permissions Serval should inherit, on the specific site you want to connect.

2. Open your account settings
Click your profile icon in the top-right corner and select My Account Settings.

3. Create the token
Scroll to the Personal Access Tokens section. Enter a descriptive token name (for example, serval-integration) - you will need this exact name in the Serval connect form - and click Create Token.

4. Copy the secret immediately
Copy the Secret right away: Tableau shows it only once. If you lose it, revoke the token and create a new one.

5. Identify your Server URL
Use the bare host from your Tableau address bar, without https:// or a trailing slash. Tableau Cloud pods look like 10ax.online.tableau.com or prod-uk-a.online.tableau.com; for Tableau Server, use your server’s hostname.

6. Identify your Site Content URL
This is the slug between /site/ and the next slash in your browser URL. For example, in https://10ax.online.tableau.com/#/site/acme-analytics/explore the Site Content URL is acme-analytics. If you use the Default site, leave this blank.

Tableau Server only: Personal Access Tokens are off by default on some Server deployments. A site or server administrator must enable them in site settings before you can create one.
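
The values from steps 5 and 6 and the PAT-for-session-token exchange described above, as an added example (not Serval's code): it reduces a pasted address to the bare host, pulls the site slug from a browser URL, builds the sign-in request of Tableau's REST API, and derives the `X-Tableau-Auth` header that later calls carry instead of the PAT. The helper names are hypothetical, the bare-hostname check is an assumption stricter than the stripping the page describes, and the sample response is constructed.

```python
import json
import re

API_VERSION = "3.24"  # REST API version the page says Serval uses
BARE_HOST = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")

def normalize_host(value):
    """Strip https://, http:// and trailing slashes, then require a bare host."""
    host = re.sub(r"^https?://", "", value.strip(), flags=re.I).rstrip("/")
    if not host:
        raise ValueError("Server URL is required")
    if not BARE_HOST.match(host):  # assumption: stricter than the page describes
        raise ValueError(f"not a bare hostname: {host!r}")
    return host

def site_from_browser_url(url):
    """Slug between /site/ and the next slash; '' selects the Default site."""
    match = re.search(r"/site/([^/?#]+)", url)
    return match.group(1) if match else ""

def build_signin(host, site, pat_name, pat_secret):
    """Build the sign-in call: the only request that carries the PAT secret."""
    body = {"credentials": {
        "personalAccessTokenName": pat_name,
        "personalAccessTokenSecret": pat_secret,
        "site": {"contentUrl": site},
    }}
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    return f"https://{host}/api/{API_VERSION}/auth/signin", headers, json.dumps(body)

def session_headers(signin_response):
    """Headers for later calls: the short-lived token, never the PAT."""
    token = json.loads(signin_response).get("credentials", {}).get("token")
    if not token:
        raise RuntimeError("sign-in succeeded but returned no session token")
    return {"X-Tableau-Auth": token, "Accept": "application/json"}

# Constructed sample values: not real credentials or a captured response.
BROWSER_URL = "https://10ax.online.tableau.com/#/site/acme-analytics/explore"
SAMPLE_RESPONSE = json.dumps({"credentials": {
    "site": {"id": "site-id-placeholder", "contentUrl": "acme-analytics"},
    "user": {"id": "user-id-placeholder"},
    "token": "constructed-session-token"}})

if __name__ == "__main__":
    host = normalize_host("https://10ax.online.tableau.com/")
    url, _, _ = build_signin(host, site_from_browser_url(BROWSER_URL),
                             "serval-integration", "constructed-secret")
    print(url)
    print(session_headers(SAMPLE_RESPONSE))
```

Rejecting anything that is not a bare host before the request is built keeps a mistyped or pasted address from receiving the PAT secret.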

Connect in Serval

1. Open the Tableau connect form
In Serval, choose Tableau from the integrations list. The Configure Tableau dialog opens with four fields; the connection is marked Beta.

2. Enter your Server URL (required)
Helper text: “Your Tableau server URL (without https://). For Tableau Cloud, this is typically something like 10ax.online.tableau.com. For Tableau Server, use your server’s hostname.” Leaving it blank fails with “Server URL is required”. Pasting a full URL still works - Serval automatically strips https://, http://, and any trailing slash.

3. Enter your Site Content URL (optional)
Helper text: “The content URL of the site to connect to. For the Default site, leave this empty. You can find this in the site URL after /site/.”

4. Enter your Personal Access Token Name (required)
Helper text: “The name of your Tableau Personal Access Token. Create one in Tableau under My Account Settings > Personal Access Tokens.” Leaving it blank fails with “Personal Access Token name is required”. The name must match exactly what you entered in Tableau.

5. Enter your Personal Access Token Secret (required)
Helper text: “The secret value of your Tableau Personal Access Token. This is shown only once when the token is created.” Leaving it blank fails with “Personal Access Token secret is required”.

6. Submit and verify
Click Submit to save the connection, then run the health checks below to confirm everything works.

Editing an existing connection: leaving Server URL or Personal Access Token Name blank keeps the stored value. The Personal Access Token Secret appears masked (bullets plus the last 4 characters) - click the pencil icon to enter a new secret, or leave it untouched to keep the existing one. The PAT name is shown back in full so you can verify which token is configured. Site Content URL behaves differently: it is always saved on update, so submitting it empty explicitly switches the connection to the Default site.

Verifying the connection

The Tableau connection ships four health checks:

| Check | What it verifies |
| --- | --- |
| Validate Tableau API Connection | Confirms your credentials are valid and the Tableau API is reachable. |
| Check Tableau Session & Site | Confirms the PAT can sign in and the configured site is accessible. |
| Check Tableau Content Access | Confirms the token can read Tableau content (collections). |
| Check Tableau User Management Scope | Confirms the PAT can list site users, which user-management and provisioning workflows require. |

On success you will see, respectively: “Successfully connected to Tableau API”; “Successfully accessed Tableau site "[site content URL]"” (or “Successfully accessed the default Tableau site” for the Default site); “Successfully accessed Tableau content”; and “PAT can list site users ([number] total).” (or “PAT can list site users.”).

On failure, the first three checks show: “Unable to connect to Tableau API. Please verify your credentials are valid and the server URL is correct.”; “Failed to access the configured Tableau site. Please verify your site content URL and that the PAT has access to it.”; and “Failed to access Tableau content. Please verify your token has read permissions.”

The user-management check shows “The configured PAT does not have permission to manage site users. Recreate the PAT under a site or server administrator account if user-management workflows are needed.” when Tableau rejects the request for lack of permission, and “Failed to list Tableau site users while checking user-management scope.” for other errors.

If the first three checks pass but Check Tableau User Management Scope fails with the permission message, your PAT was created by a non-administrator account. Content workflows will still work, but user-management and the Access Management provisioning workflows need a PAT recreated under a site or server administrator. If the user-management check instead says “Could not look up the current Tableau site before checking user-management scope. Verify the Session & Site check passes first.”, fix the Session & Site check before troubleshooting permissions.

Gotchas and troubleshooting

PAT name matching is exact, and a mismatched name is the most common cause of a 401. Tableau’s own error summary and detail are surfaced verbatim, in the form “Tableau sign-in failed (HTTP 401, [summary]): [detail]”. If Serval shows “could not reach Tableau at [host]”, the server is unreachable - check the Server URL and your network. A rare “Tableau sign-in succeeded but returned no session token” message means Tableau answered but did not issue a token; retry, and verify the token in Tableau if it persists.
Tableau Cloud PATs expire if not used for 15 consecutive days, and site admins can set an overall expiry from 1 to 365 days (the default is 180 days on sites activated June 2023 or later). Continuous Serval use keeps the PAT alive, but a paused integration can let it lapse. To rotate: create a new PAT in Tableau, then edit the Serval connection and update the Personal Access Token Secret via the pencil icon (and the Personal Access Token Name if it changed).
The PAT inherits its creator’s permissions, and every sign-in targets the configured site. Sign-in fails if the PAT’s account cannot access that site. Use a dedicated service account with the site role your workflows need; user-management and provisioning workflows require a site or server administrator account.
Unlike the other fields, Site Content URL is always saved when you edit the connection. Submitting it empty is an explicit instruction to point the connection at the Default site - it does not mean “keep the current site”. The connection’s display name changes accordingly.
Enter just the hostname, without https:// or a trailing slash. Serval normalizes pasted full URLs automatically, but a wrong host typically surfaces as a sign-in failure showing a truncated raw response instead of a clear Tableau error message. For Tableau Server, the host must also be reachable from Serval over HTTPS (port 443).
Serval calls Tableau’s versioned endpoints with REST API version 3.24, including the sign-in request itself, and Tableau rejects calls that use an API version newer than the server supports. Tableau Cloud always supports this. REST API 3.24 shipped with Tableau 2024.3, a Tableau Cloud-only release, so the first Tableau Server release that supports it is 2025.1 - on older Server releases the connection fails at sign-in. See Tableau’s REST API versions table for the full mapping.
Serval shows the PAT name back in full in the edit form so admins can verify which token is configured. Treat the name as a label, not a secret. The secret is always shown masked as bullets plus its last 4 characters.
The provision and deprovision workflows have no role-mapping table: the Tableau site role is taken directly from the Serval role or entitlement name. Name your Serval roles exactly Viewer, Explorer, ExplorerCanPublish, Creator, or SiteAdministratorExplorer. Install the bundle, then select each workflow as the app’s custom provisioning and deprovisioning workflow - they run on access grant and revocation and take no inputs. Provisioning never creates Tableau accounts: if the user has not signed in to Tableau at least once (for example via SSO), the workflow fails and asks for that first sign-in. Deprovisioning sets the user’s role to Unlicensed only when the revoked entitlement matches their current site role, so stale or secondary grants do not strip access they still hold - and it deliberately never deletes the user (deletion fails if they own content). SSO and identity-provider group access is out of scope for both workflows and must be handled as a separate grant.
The Tableau integration is marked Beta in the connect UI. Behavior and available capabilities may evolve.
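
The provisioning and deprovisioning rules described above for the Access Management workflows, as an added example (not Serval's workflow code): it plans the role-change call for a grant or a revocation and shows that a stale grant leaves the user's current role alone. The function names and the user list are constructed; matching users on their Tableau user name, and treating a missing user as "not yet signed in", are assumptions.

```python
API_VERSION = "3.24"
# Role names the page lists; matching is exact and case-sensitive.
SITE_ROLES = {"Viewer", "Explorer", "ExplorerCanPublish", "Creator",
              "SiteAdministratorExplorer"}

def _find_user(site_users, name):
    # Assumption: users are matched on their Tableau user name.
    return next((u for u in site_users if u["name"].lower() == name.lower()), None)

def _update_role_call(site_id, user_id, role):
    # Tableau's Update User method; a role change, never a DELETE.
    return {"method": "PUT",
            "path": f"/api/{API_VERSION}/sites/{site_id}/users/{user_id}",
            "body": {"user": {"siteRole": role}}}

def plan_provision(site_id, site_users, name, serval_role):
    """Access granted: the Serval role name is used as the site role as-is."""
    if serval_role not in SITE_ROLES:
        raise ValueError(f"{serval_role!r} is not a Tableau site role name")
    user = _find_user(site_users, name)
    if user is None:  # provisioning never creates accounts
        raise LookupError(f"{name} must sign in to Tableau once first")
    return _update_role_call(site_id, user["id"], serval_role)

def plan_deprovision(site_id, site_users, name, revoked_role):
    """Access revoked: unlicense only if the revoked role is the one held now."""
    user = _find_user(site_users, name)
    if user is None or user["siteRole"] != revoked_role:
        return None  # stale or secondary grant: leave current access alone
    return _update_role_call(site_id, user["id"], "Unlicensed")

# Constructed site user list, shaped like entries Tableau returns for site users.
SITE_USERS = [
    {"id": "user-id-1", "name": "ana@example.com", "siteRole": "Creator"},
    {"id": "user-id-2", "name": "ben@example.com", "siteRole": "Explorer"},
]

if __name__ == "__main__":
    print(plan_provision("site-id-1", SITE_USERS, "ben@example.com", "Creator"))
    print(plan_deprovision("site-id-1", SITE_USERS, "ana@example.com", "Viewer"))
    print(plan_deprovision("site-id-1", SITE_USERS, "ana@example.com", "Creator"))
```

A Serval role named "creator" or "Site Admin" fails the exact-name check, which is why the role names have to be set up as listed before the bundle is installed.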

Need help? Contact support@serval.com for assistance with your Tableau integration.