> ## Documentation Index
> Fetch the complete documentation index at: https://docs.serval.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Tableau

> Connect Tableau Cloud or Tableau Server to Serval with a Personal Access Token to automate user provisioning, content access, and anything in the Tableau REST API.

## About Tableau

Tableau is a visual analytics platform, available as Tableau Cloud and Tableau Server. Serval connects to one Tableau site using a Personal Access Token (PAT): you provide your Server URL, an optional Site Content URL, and the PAT name and secret. Serval never sends your PAT directly to Tableau's data endpoints - for every request, it exchanges the PAT for a short-lived session token scoped to your configured server and site. This integration is currently in **Beta**.

**Authentication:** Personal Access Token (PAT). Serval stores the token securely and exchanges it for a fresh, short-lived session token on every request - there is no stored session to expire or refresh.

**Data sync:** On demand only - no background sync, polling, or webhooks. Workflows call Tableau at the moment they run. The installable Access Management workflows are event-driven: they run when access is granted or revoked in Serval, not on a schedule.

## What the Tableau integration enables

| Capability                        | Description                                                                                                                                                                                                                                                          |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Call any Tableau REST API action  | Workflows can make any authenticated Tableau REST API call the connected account is allowed to make, including newer versionless features like collections, content search, and usage stats.                                                                         |
| Access Management workflow bundle | Installable "Access Management" bundle with two plug-and-play workflows: "Provision User to Tableau" assigns the requested Tableau site role when access is granted, and "Deprovision User from Tableau" sets the user's site role to Unlicensed when it is revoked. |
| Manage site users                 | List and look up users on the connected site and change their site roles (requires a PAT created by a site or server administrator).                                                                                                                                 |
| Browse content                    | List collections, run content search, and read usage stats; read server info and the current session to identify the active site.                                                                                                                                    |
| Connection health checks          | Four built-in checks exercise the connection end to end: API connectivity, session and site access, content access, and user-management permissions.                                                                                                                 |

Anything defined in the [Tableau REST API](https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref.htm) can be accessed through Serval. The integration works with both Tableau Cloud and Tableau Server, and uses Tableau REST API version 3.24 for Tableau's versioned endpoints - see the Tableau Server version note in the gotchas below.

## Get your credentials

You need a Tableau **Personal Access Token (PAT)**. The PAT inherits the permissions of the Tableau account that creates it - Serval can do exactly what that account can do on the connected site. Create it while signed in as the account you want Serval to act as, ideally a dedicated service account (for example, serval-integration) with the right site role. See Tableau's [Personal Access Tokens documentation](https://help.tableau.com/current/online/en-us/security_personal_access_tokens.htm) for full details.

<Tip>
  If you plan to use user-management or the Access Management provisioning workflows, create the PAT while signed in as a **site or server administrator**. A non-admin PAT still works for content-only workflows.
</Tip>

<Steps>
  <Step title="Sign in to Tableau as the integration user">
    Sign in to Tableau Cloud or Tableau Server as the account whose permissions Serval should inherit, on the specific site you want to connect.
  </Step>

  <Step title="Open your account settings">
    Click your profile icon in the top-right corner and select **My Account Settings**.
  </Step>

  <Step title="Create the token">
    Scroll to the **Personal Access Tokens** section. Enter a descriptive token name (for example, serval-integration) - you will need this exact name in the Serval connect form - and click **Create Token**.
  </Step>

  <Step title="Copy the secret immediately">
    Copy the **Secret** right away: Tableau shows it only once. If you lose it, revoke the token and create a new one.
  </Step>

  <Step title="Identify your Server URL">
    Use the bare host from your Tableau address bar, without https\:// or a trailing slash. Tableau Cloud pods look like 10ax.online.tableau.com or prod-uk-a.online.tableau.com; for Tableau Server, use your server's hostname.
  </Step>

  <Step title="Identify your Site Content URL">
    This is the slug between /site/ and the next slash in your browser URL. For example, in [https://10ax.online.tableau.com/#/site/acme-analytics/explore](https://10ax.online.tableau.com/#/site/acme-analytics/explore) the Site Content URL is acme-analytics. If you use the Default site, leave this blank.
  </Step>
</Steps>

<Warning>
  **Tableau Server only:** Personal Access Tokens are off by default on some Server deployments. A site or server administrator must enable them in site settings before you can create one.
</Warning>

## Connect in Serval

<Steps>
  <Step title="Open the Tableau connect form">
    In Serval, choose Tableau from the integrations list. The **Configure Tableau** dialog opens with four fields; the connection is marked Beta.
  </Step>

  <Step title="Enter your Server URL (required)">
    Helper text: "Your Tableau server URL (without https\://). For Tableau Cloud, this is typically something like 10ax.online.tableau.com. For Tableau Server, use your server's hostname." Leaving it blank fails with "Server URL is required". Pasting a full URL still works - Serval automatically strips https\://, http\://, and any trailing slash.
  </Step>

  <Step title="Enter your Site Content URL (optional)">
    Helper text: "The content URL of the site to connect to. For the Default site, leave this empty. You can find this in the site URL after /site/."
  </Step>

  <Step title="Enter your Personal Access Token Name (required)">
    Helper text: "The name of your Tableau Personal Access Token. Create one in Tableau under My Account Settings > Personal Access Tokens." Leaving it blank fails with "Personal Access Token name is required". The name must match exactly what you entered in Tableau.
  </Step>

  <Step title="Enter your Personal Access Token Secret (required)">
    Helper text: "The secret value of your Tableau Personal Access Token. This is shown only once when the token is created." Leaving it blank fails with "Personal Access Token secret is required".
  </Step>

  <Step title="Submit and verify">
    Click **Submit** to save the connection, then run the health checks below to confirm everything works.
  </Step>
</Steps>

<Note>
  **Editing an existing connection:** leaving Server URL or Personal Access Token Name blank keeps the stored value. The Personal Access Token Secret appears masked (bullets plus the last 4 characters) - click the pencil icon to enter a new secret, or leave it untouched to keep the existing one. The PAT name is shown back in full so you can verify which token is configured. Site Content URL behaves differently: it is always saved on update, so submitting it empty explicitly switches the connection to the Default site.
</Note>

## Verifying the connection

The Tableau connection ships four health checks:

| Check                               | What it verifies                                                                                |
| ----------------------------------- | ----------------------------------------------------------------------------------------------- |
| Validate Tableau API Connection     | Confirms your credentials are valid and the Tableau API is reachable.                           |
| Check Tableau Session & Site        | Confirms the PAT can sign in and the configured site is accessible.                             |
| Check Tableau Content Access        | Confirms the token can read Tableau content (collections).                                      |
| Check Tableau User Management Scope | Confirms the PAT can list site users, which user-management and provisioning workflows require. |

On success you will see, respectively: "Successfully connected to Tableau API"; "Successfully accessed Tableau site "\[site content URL]"" (or "Successfully accessed the default Tableau site" for the Default site); "Successfully accessed Tableau content"; and "PAT can list site users (\[number] total)." (or "PAT can list site users.").

On failure, the first three checks show: "Unable to connect to Tableau API. Please verify your credentials are valid and the server URL is correct."; "Failed to access the configured Tableau site. Please verify your site content URL and that the PAT has access to it."; and "Failed to access Tableau content. Please verify your token has read permissions." The user-management check shows "The configured PAT does not have permission to manage site users. Recreate the PAT under a site or server administrator account if user-management workflows are needed." when Tableau rejects the request for lack of permission, and "Failed to list Tableau site users while checking user-management scope." for other errors.

<Tip>
  If the first three checks pass but **Check Tableau User Management Scope** fails with the permission message, your PAT was created by a non-administrator account. Content workflows will still work, but user-management and the Access Management provisioning workflows need a PAT recreated under a site or server administrator. If the user-management check instead says "Could not look up the current Tableau site before checking user-management scope. Verify the Session & Site check passes first.", fix the Session & Site check before troubleshooting permissions.
</Tip>

## Gotchas and troubleshooting

<AccordionGroup>
  <Accordion title="Sign-in fails with a 401 - check the PAT name first">
    PAT name matching is exact, and a mismatched name is the most common cause of a 401. Tableau's own error summary and detail are surfaced verbatim, in the form "Tableau sign-in failed (HTTP 401, \[summary]): \[detail]". If Serval shows "could not reach Tableau at \[host]", the server is unreachable - check the Server URL and your network. A rare "Tableau sign-in succeeded but returned no session token" message means Tableau answered but did not issue a token; retry, and verify the token in Tableau if it persists.
  </Accordion>

  <Accordion title="Tableau Cloud PATs expire after 15 days of non-use">
    Tableau Cloud PATs expire if not used for 15 consecutive days, and site admins can set an overall expiry from 1 to 365 days (the default is 180 days on sites activated June 2023 or later). Continuous Serval use keeps the PAT alive, but a paused integration can let it lapse. To rotate: create a new PAT in Tableau, then edit the Serval connection and update the Personal Access Token Secret via the pencil icon (and the Personal Access Token Name if it changed).
  </Accordion>

  <Accordion title="Serval can only do what the PAT's account can do">
    The PAT inherits its creator's permissions, and every sign-in targets the configured site. Sign-in fails if the PAT's account cannot access that site. Use a dedicated service account with the site role your workflows need; user-management and provisioning workflows require a site or server administrator account.
  </Accordion>

  <Accordion title="A blank Site Content URL on edit switches to the Default site">
    Unlike the other fields, Site Content URL is always saved when you edit the connection. Submitting it empty is an explicit instruction to point the connection at the Default site - it does not mean "keep the current site". The connection's display name changes accordingly.
  </Accordion>

  <Accordion title="Server URL should be the bare host">
    Enter just the hostname, without https\:// or a trailing slash. Serval normalizes pasted full URLs automatically, but a wrong host typically surfaces as a sign-in failure showing a truncated raw response instead of a clear Tableau error message. For Tableau Server, the host must also be reachable from Serval over HTTPS (port 443).
  </Accordion>

  <Accordion title="Tableau Server must support REST API version 3.24">
    Serval calls Tableau's versioned endpoints with REST API version 3.24, including the sign-in request itself, and Tableau rejects calls that use an API version newer than the server supports. Tableau Cloud always supports this. REST API 3.24 shipped with Tableau 2024.3, a Tableau Cloud-only release, so the first Tableau Server release that supports it is 2025.1 - on older Server releases the connection fails at sign-in. See Tableau's [REST API versions](https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_concepts_versions.htm) table for the full mapping.
  </Accordion>

  <Accordion title="The PAT name is visible; only the secret is masked">
    Serval shows the PAT name back in full in the edit form so admins can verify which token is configured. Treat the name as a label, not a secret. The secret is always shown masked as bullets plus its last 4 characters.
  </Accordion>

  <Accordion title="Access Management workflows match Serval role names to Tableau site roles exactly">
    The provision and deprovision workflows have no role-mapping table: the Tableau site role is taken directly from the Serval role or entitlement name. Name your Serval roles exactly Viewer, Explorer, ExplorerCanPublish, Creator, or SiteAdministratorExplorer. Install the bundle, then select each workflow as the app's custom provisioning and deprovisioning workflow - they run on access grant and revocation and take no inputs. Provisioning never creates Tableau accounts: if the user has not signed in to Tableau at least once (for example via SSO), the workflow fails and asks for that first sign-in. Deprovisioning sets the user's role to Unlicensed only when the revoked entitlement matches their current site role, so stale or secondary grants do not strip access they still hold - and it deliberately never deletes the user (deletion fails if they own content). SSO and identity-provider group access is out of scope for both workflows and must be handled as a separate grant.
  </Accordion>

  <Accordion title="Beta integration">
    The Tableau integration is marked Beta in the connect UI. Behavior and available capabilities may evolve.
  </Accordion>
</AccordionGroup>

***

Need help? Contact **[support@serval.com](mailto:support@serval.com)** for assistance with your Tableau integration.
