> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Tableau connector

> C1 provides identity governance for Tableau. Integrate your Tableau instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource  | Sync                                                          | Provision                                                     |
| --------- | ------------------------------------------------------------- | ------------------------------------------------------------- |
| Accounts  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Groups    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Sites     | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Licenses  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Projects  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Workbooks | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Views     | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

The Tableau connector supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning).

## Permission inheritance

Tableau uses a permission inheritance model that affects how access is synced and provisioned:

* **Projects with `LockedToProject`**: When a project's content permissions are set to `LockedToProject`, workbooks inside that project inherit the project's permissions and cannot be granted or revoked independently — permissions must be changed at the project level instead.

* **Workbooks with `showTabs=true`**: Views (dashboards) inside these workbooks inherit their permissions from the workbook. View-level permissions cannot be granted or revoked independently — attempting to do so returns a clear error. Use the workbook entitlement instead.

* **Workbooks with `showTabs=false`**: Views have their own independent permission assignments, which can be granted and revoked directly.

## Gather Tableau credentials

Configuring the connector requires you to pass in credentials generated in Tableau. Gather these credentials before you move on.

<Warning>
  A user with the **Server Administrator** role in Tableau Server or **Site Administrator** in Tableau Cloud must perform this task.
</Warning>

To work with the Tableau APIs, you'll need either an installation of Tableau Server or membership in the [Tableau Developer Program](https://www.tableau.com/developer), which grants you a personal Tableau Cloud sandbox.

### Generate a Personal Access Token

<Steps>
  <Step>
    Sign into Tableau Server or Tableau Cloud.
  </Step>

  <Step>
    In the menu bar at the top of the page, click your profile image or initials and select **My Account Settings** from the menu.
  </Step>

  <Step>
    In the **Personal Access Tokens** area of the page, enter a name for your new token (such as "C1 integration") and then click **Create**.
  </Step>

  <Step>
    Carefully copy and save the newly generated token and its name.
  </Step>
</Steps>

### Locate your server path and site ID

<Steps>
  <Step>
    Locate your server path, which is the base URL for your Tableau server.
  </Step>

  <Step>
    Locate your site ID, which is the value that appears after `/site/` in the full URL for your Tableau instance.

    Examples:

    For a Tableau Server instance with the URL `http://SampleServer#/site/SecurityTeam/projects`, the server path is `SampleServer` and the site ID is `SecurityTeam`.

    For a Tableau Cloud instance with the URL `https://10ay.online.tableau.com#/site/MarketingTeam/workbooks`, the server path is `10ay.online.tableau.com` and the site ID is `MarketingTeam`.

    **Done.** Next, move on to the connector configuration instructions.
  </Step>
</Steps>

## Configure the Tableau connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Tableau credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Tableau** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Tableau connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the site ID and server path into the **Site ID** and **Server path** fields.
      </Step>

      <Step>
        Enter the name of the personal access token into the **Access token name** field.
      </Step>

      <Step>
        Enter the personal access token value into the **Access token secret** field.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Tableau connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Tableau connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-tableau): For stable binaries (Windows/Linux/macOS) and container images.

    * [GitHub repository](https://github.com/conductorone/baton-tableau): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Tableau connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Tableau connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Tableau connector deployment:

    #### Secrets configuration

    ```yaml theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-tableau-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-tableau-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>
      
      # Tableau credentials
      BATON_ACCESS_TOKEN_NAME: <Name of the Tableau access token>
      BATON_ACCESS_TOKEN_SECRET: <Tableau access token>
      BATON_SERVER_PATH: <Base URL for your Tableau server>
      BATON_SITE_ID: <Tableau site ID>

      # Optional: override the Tableau API version (default: 3.27)
      # Only set this if your Tableau Server requires a specific API version.
      # BATON_API_VERSION: "3.27"

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: true
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-tableau.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-tableau
      labels:
        app: baton-tableau
    spec:
      selector:
        matchLabels:
          app: baton-tableau
      template:
        metadata:
          labels:
            app: baton-tableau
            baton: true
            baton-app: tableau
        spec:
          containers:
          - name: baton-tableau
            image: ghcr.io/conductorone/baton-tableau:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-tableau
            envFrom:
            - secretRef:
                name: baton-tableau-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Tableau connector to. Tableau data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Tableau connector is now pulling access data into C1.
  </Tab>
</Tabs>

## Configure IDP-based account provisioning

When provisioning Tableau accounts (Licenses resource type), the connector supports two optional fields in the provisioning mapping that control how new accounts are authenticated:

| Field                      | Description                                                                                                                                                                |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **IDP Configuration Name** | Name of an IDP configuration defined on your Tableau site (e.g., a SAML provider). When set, new accounts are created using that IDP. Requires Tableau API version ≥ 3.22. |
| **With MFA**               | When set to `true`, new accounts are created using Tableau's built-in MFA authentication. Takes precedence over **IDP Configuration Name** if both are set.                |

These fields appear in the **provisioning mapping** for the Licenses entitlement in C1 and are not part of the connector's base configuration.

### Behavior reference

| Configuration                                       | Result                                                                                             |
| --------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| Neither field set                                   | Account created with Tableau site default authentication                                           |
| **IDP Configuration Name** set, IDP found           | Account created with the named IDP                                                                 |
| **IDP Configuration Name** set, IDP not found       | Provisioning fails with an explicit error naming the missing IDP                                   |
| **IDP Configuration Name** set, API version \< 3.22 | Provisioning fails with an explicit error — upgrade your Tableau Server or remove the field        |
| **With MFA** = `true`                               | Account created with Tableau MFA — **IDP Configuration Name** is ignored regardless of API version |

<Note>
  If your Tableau Server uses an API version older than 3.22 and you do not set **IDP Configuration Name**, account provisioning uses the site default authentication without error. The IDP endpoint is only required when you explicitly configure an IDP name.
</Note>