A standalone Python application that automates user provisioning and removal for Tableau Cloud/Server. The script expects a list of "joiners" and "leavers" to be provided. It automatically provisions users in the joiners list as unlicensed with Grant License On Sign In (GLSI) enabled, and unlicenses/removes users in the leavers list.
This implementation expects the "joiners" and "leavers" to be sourced from tables in Snowflake, but this can be overridden by writing your own function to populate the user_list_to_provision and user_list_to_unlicense lists, each containing a list of email addresses/usernames.
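One way to write such a function, as an added example that is not part of this project's code: it reads the two lists from CSV input instead of Snowflake and validates them before use. The function names, the CSV source, the lowercasing of usernames and the rule that an address present in both lists is treated as a leaver only are assumptions; the "Email Address" column is the field from Step 1.

```python
import csv
import io
import re

# Simple shape check only; assumption: usernames are email addresses.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
COLUMN = "Email Address"  # field name required in Step 1

# Constructed sample input (not real users).
JOINERS_CSV = "Email Address\nAlice@example.com\nbob@example.com\nalice@example.com \nnot-an-email\n"
LEAVERS_CSV = "Email Address\nbob@example.com\ncarol@example.com\n"


def read_emails(handle):
    """Return (valid, rejected) addresses read from a CSV file handle."""
    reader = csv.DictReader(handle)
    if COLUMN not in (reader.fieldnames or []):
        raise ValueError(f"missing required column: {COLUMN!r}")
    valid, rejected, seen = [], [], set()
    for row in reader:
        email = (row[COLUMN] or "").strip().lower()  # assumption: case-insensitive
        if not EMAIL_RE.match(email):
            rejected.append(email)  # surfaced to the caller, never provisioned
        elif email not in seen:  # drop duplicates, keep first-seen order
            seen.add(email)
            valid.append(email)
    return valid, rejected


def load_user_lists(joiners_handle, leavers_handle):
    """Hypothetical replacement for the Snowflake lookup (not the project's API)."""
    joiners, bad_joiners = read_emails(joiners_handle)
    leavers, bad_leavers = read_emails(leavers_handle)
    leaving = set(leavers)
    # Assumption: removal wins, so a leaver is never re-provisioned by mistake.
    conflicts = [e for e in joiners if e in leaving]
    user_list_to_provision = [e for e in joiners if e not in leaving]
    user_list_to_unlicense = leavers
    rejected = bad_joiners + bad_leavers
    return user_list_to_provision, user_list_to_unlicense, conflicts, rejected


if __name__ == "__main__":
    result = load_user_lists(io.StringIO(JOINERS_CSV), io.StringIO(LEAVERS_CSV))
    for label, values in zip(("provision", "unlicense", "conflicts", "rejected"), result):
        print(f"{label}: {values}")
```

The conflicts and rejected lists are returned rather than silently dropped so they can be logged and reviewed alongside the run.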
Step 1
Create two tables in your Snowflake account: one containing the list of users you need to add to your Tableau Cloud/Server site and the other containing the list of users you want to remove. Both tables need a field called "Email Address", which will become the user's Tableau username.
Step 2
Create a group in Tableau Server/Cloud which will be used to set the minimum site role using the Grant role on sign in feature. The example below uses a group called Grant_Role_On_Sign_In, which will automatically promote users from unlicensed to Viewer when they first sign in.
Step 3
Ensure you have a working Python 3.x installation with the following packages installed:
pip install tableauserverclient
pip install pyyaml
pip install cryptoyaml
pip install snowflake-connector-python
Step 4
Configure the settings.yaml file with the parameters for your environment, including your Tableau Cloud/Server credentials, Snowflake credentials, app and email notification settings.
Step 5
Run the application using the command:
python main.py
A successful run should result in a series of INFO messages being written to the console and a new log file being generated in the ./logs directory.
Step 6
Review the log file to identify any ERROR entries corresponding to users who were not successfully added/unlicensed/removed from Tableau Cloud/Server. Note that log files are retained for the period defined by the LOG RETENTION variable in the settings.yaml configuration file.
Step 7
If EMAIL_NOTIFICATIONS is set to True in the settings.yaml configuration file, then in the event of an error an email will automatically be sent, with the log file attached for review, to the email address(es) listed in the EMAIL_TO variable.
Step 8 (Optional)
To securely encrypt the credentials stored in the settings.yaml file, you can optionally generate an encrypted version by running the command:
python encrypt_yaml.py
This will generate the files:
settings.yaml.aes: encrypted copy of settings.yaml
key: the key file to decrypt settings.yaml.aes
You can now delete/move settings.yaml and run the application.
To store the key file in an alternative location, you will need to set the CRYPTOYAML_SECRET environment variable as described in the cryptoyaml documentation.