Killing a Tableau Server Session

Within an embedded application, it can be difficult to make sure that sign-out is achieved in both the application and Tableau Server. Tableau Server supports SAML signout commands, but for all sorts of reasons, this might not always work.

Luckily, it is possible to use the REST API to kill any session programmatically, but you need the session identifier from the Tableau Repository. The question is, how do you know what session belongs to a user? There is a sessions view, but you need a little bit more to get filtering down to the username level:

system_users.name AS user_name,
FROM sessions
JOIN users ON sessions.user_id = users.id
JOIN system_users ON users.system_user_id = system_users.id
WHERE system_users.name = '{username}'

Once you have the session ID, you can send a REST API sign out command.

tableau_tools has both of these commands wrapped in a simple interface.

server = ''
username = ''
password = ''
readonly_user_password = ""
d = TableauRestApiConnection25(server, username, password)
tab_rep = TableauRepository(server, readonly_user_password)
uname = 'some_username'
sessions_cur = tab_rep.query_sessions(username=uname)
for row in sessions_cur:

The signout() method has an optional parameter called “session_token”, that accepts the values of the session_id column of the sessions table and _sessions views (when they are set to the old style of ID — see below). Older versions of tableau_tools had you set the token property directly, but the only way to accomplish this now is through the signout(session_token=”session_id”) method.

Using this in later versions of Tableau Server (10.1+)

In Tableau 10.1, there was a change to the structure of Session IDs to provide additional security features. Unfortunately, this broke the technique listed above. If you do have the need for manually killing sessions via the REST API, you’ll need to revert back to the previous type of Session ID using the following tabadmin setting (or its equivalent in TSM in 2018.2+)

tabadmin set features.ProtectVizPortalSessionIds false

tabadmin configure

Yes, you will need to restart the server for that change to take effect.


Using the JavaScript API without Embedding

Tamás Földi always has amazing stuff, but this one really blows my mind- Tableau JavaScript API without Embedding .

Using the Web Data Connector to publish arbitrary extra content to Tableau Server is pretty amazing when you think about it; it also works for embedding web edit in an iframe.

Update for more recent Tableau Server versions (2017-11-15):

We recently encountered a customer wanting to implement this functionality and they were having trouble accessing the getWorkbook() method of the Viz object. Apparently Tableau Server now makes the Viz object available prior to it being fully initialized, and any web content starts to load immediately. So if you want to use this technique, you should put in an interval check to keep trying until the workbook is actually available. It looks something like this:

var myInterval;
function start_timer(){
myInterval = setInterval(js_api_test, 200); //https://www.w3schools.com/jsref/met_win_setinterval.asp
function js_api_test() {
try {
var sheet = parent.parent.tableau.VizManager.getVizs()[0].getWorkbook().getActiveSheet(); //Error: "Unable to get property getWorkbook()"
clearInterval(myInterval); //https://www.w3schools.com/jsref/met_win_clearinterval.asp
console.log("Successfully retrieved Tableau sheet object");

// start doing anything else you'd like to do here

catch (err) {
console.log("No dice!");

You would place a call to the start_timer() function in the onload function of the body tag of your HTML page. Rather than jump directly into the code, you start a repeating interval timer that puts in a bit of delay, and will retry until it actually gets the workbook object. Once that object is found, the interval is cleared and you can start doing whatever you want relative to the viz the page is embedded within.


Using Trusted Tickets for SSO Login to the Tableau Server UI (VizPortal)

There are many situations where a customer wants to have an SSO integration with Tableau Server, but wants the end user to have full access to the Tableau Server UI (called VizPortal), as opposed to embedding Tableau views directly into the product (which only invokes VizSQLServer). This is not an issue when using SAML authentication, but Trusted Authentication requires that the trusted ticket be redeemed against a valid workbook.

By using the fact that the redemption of a Trusted Ticket creates a Tableau Server Session in the browser, the following technique will allow a smooth SSO process directly into the Tableau Server UI.


CSS magic tricks with Embedded Tableau Server views

Tableau 9.2 is right around the corner and one of the biggest changes on the Server side will be an updated toolbar. There is now an Undo and Redo button, and everything has been rearranged in a logical manner. The buttons that appear or disappear based on permissions are now on the right. And all of the export and download buttons are now combined together into a Download drop down menu.

9_2 toolbar

Also, it’s gray. The toolbar has been white for a long time but it’s 100% gray in Tableau 9.2

What isn’t changing? The Download/Save As permission is still one single permission, so if you are exposing Tableau to the outside world and want to allow Web Edit but not Downloading, you’ll still need to hide the toolbar and recreate all of the functionality you want to enable. But with a little ingenuity, we can pinpoint exactly what we’d like to hide and really control what we keep and what we hide.


Scheduled e-mails from embedded Tableau visualizations

Scheduling e-mails is easy in Tableau Server — as long as an SMTP server has been specified in the “Configure Tableau Server” program, there will be an e-mail subscription icon in the top of a viz when the user has permissions. The e-mail that is sent includes a PNG snapshot of the viz with a link to go directly to the view in Tableau Server. This poses a problem if you are embedding the views in your own portal and only want users to experience the embedded experience, as they will hit the Tableau Server vizportal UI directly, without the ?embed=y parameter and without any single sign-on.

The best way around this issue is to set up a “listener program” to “capture” the view at a different location than the real Tableau Server address, most likely in your main web application path. The “Tableau Server Location” entry box in the Tableau Server Configuration program will take any text string, and the final URLs are simply this “location” appended with the view location. For example, I have a very simple listener PHP script set up at /alerts/route_alert.php . By adding the “?view=” parameter at the end, the resulting URL in the generated e-mail will be:


email configuration
After capturing the view location, you can set up a process to redirect to the appropriate page which embeds the given view (and perhaps log in for single sign-on). You could theoretically implement this same idea but do the routing via reverse proxy rules as well, but a dynamic listener page is more flexible as you can continually add routing rules, authentication, etc.

Big thanks to Reed Walton at Tableau for this solution.

Utilizing Tableau Server’s Search Server in an Embedded Portal

Tableau Server 9.0 has an amazing search functionality — if you type in values into the top search box, it looks across everything available in the Tableau Server instantly and brings back results incredibly quickly. It’s not any particular secret that the Search & Browse process is powered by Apache Solr/Lucene . It’s a blazing fast piece of technology that supports a lot of the instantaneous feel in Tableau Server 9.0 (the portal and the REST API also use Solr).

I was asked recently how to do some of the same search functionality that exists in Tableau Server 9.0, but in an embedded portal. Some of it is possible via the REST API, while other requests would require opening up the PostgreSQL Repository. I wasn’t even sure some of the requests were possible — yet when I typed into the multi-search box, it seemed to be searching across all of the attributes we were looking to tap into.