Analytics-Admn-201 Questions and Answers

Comments on visualizations foster collaboration in Tableau Server—let’s break down the requirements:

Commenting Prerequisites:

Site-Level Enablement: Comments must be activated for the site.

Permission: Users need the "Add Comment" capability on the content.

Site Role: Minimum role of Viewer allows commenting if permissions are set.

Option B (Add Comments must be allowed in permissions): Correct.

Details: In the Permissions dialog (e.g., for a workbook), set "Add Comment" to "Allowed" for users/groups. Default is "Denied" unless explicitly enabled.

How: Content > Workbooks > Actions > Permissions > Edit Rule.

Why: Permissions are granular—site enablement alone isn’t enough.

Option D (Comments must be enabled on the site Settings page): Correct.

Details: Go to Site > Settings > General > Allow Comments—check the box.

Why: This is a site-wide toggle (default: off). Without it, no one can comment, regardless of permissions.

Option A (Minimum site role of Explorer - can publish): Incorrect.

Why: Viewer role suffices if permissions allow—Explorer (can publish) isn’t required (it adds publishing, not commenting).

Option C (Server Settings page): Incorrect.

Why: Comments are a site-level feature, not server-wide—no such toggle exists in TSM’s Server Settings.

Why This Matters: Enabling comments at both site and content levels ensures controlled collaboration—key for team insights.

When Tableau Server uses Active Directory (AD) for authentication, group synchronization imports AD groups and assigns a minimum site role (e.g., Viewer, Explorer) to users in that group. This ensures users meet a baseline access level. The behavior for existing users during sync is:

If the user’s current site role provides more access than the minimum (e.g., Explorer vs. Viewer), their role remains unchanged.

If the user’s current role provides less access than the minimum (e.g., Unlicensed vs. Viewer), their role is upgraded to the minimum.

This preserves higher privileges while enforcing a floor. “Reduces access” means the minimum role is lower than the current role (e.g., Viewer vs. Explorer), in which case the existing role stays.

Option A (It will change to the minimum site role only if the minimum site role reduces access): Correct. The user’s role changes only if the minimum increases access (e.g., Unlicensed to Viewer); otherwise, it stays higher.

Option B (It will change only if the minimum provides more access): Incorrect wording. This is the inverse of the actual behavior—change occurs when needed to meet the minimum, not to exceed it.

Option C (It will always change): Incorrect. Existing higher roles are preserved.

Option D (It will never change): Incorrect. It changes if the current role is below the minimum.

Tableau Server’s user-based licensing model assigns licenses to individual users (Creator, Explorer, Viewer) rather than machines or cores. Key features include:

Subscription license: Licenses are typically subscription-based, renewed annually or monthly, aligning with Tableau’s pricing model.

Distinct user roles: It supports three roles (Creator, Explorer, Viewer), each with specific capabilities, enabling granular access control.

Option A (A subscription license): Correct. User-based licenses are subscription-based by default.

Option B (Enables distinct user roles): Correct. The model defines Creator, Explorer, and Viewer roles.

Option C (Restricts the number of machine cores): Incorrect. This applies to core-based licensing, not user-based.

Option D (A perpetual license): Incorrect. Perpetual licenses were phased out; user-based licenses are subscription-based as of recent models.

Kerberos delegation allows Tableau Server to pass a user’s Kerberos credentials to a data source for seamless authentication (SSO)—let’s explore which sources support it:

Kerberos Overview:

Used with Active Directory (AD) for SSO in Windows environments.

Tableau Server delegates the user’s ticket to the data source, avoiding embedded credentials.

Requires:

Data source support for Kerberos.

Proper configuration (e.g., SPN, constrained delegation).

Supported Data Sources: Per Tableau’s documentation:

Option A (Teradata): Correct.

Details: Supports Kerberos delegation—common in enterprise data warehouses.

Config: Enable in TSM (tsm authentication kerberos configure) and set SPN for Teradata.

Option C (SQL Server): Correct.

Details: Fully supports Kerberos—widely used with AD-integrated SQL Server instances.

Config: Requires AD setup and "Trustworthy" delegation in SQL Server.

Option D (SAP HANA): Correct.

Details: Supports Kerberos SSO via delegation—popular in SAP ecosystems.

Config: Needs HANA Kerberos setup (e.g., keytab) and Tableau Server integration.

Option B (PostgreSQL): Incorrect.

Why: Supports Kerberos authentication natively, but Tableau Server doesn’t enable delegation to PostgreSQL—users must embed credentials or use other methods (e.g., OAuth).

Why This Matters: Kerberos delegation enhances security by avoiding stored passwords—knowing supported sources ensures SSO feasibility.

Tableau Server’s minimum hardware recommendations for a production single-node deployment ensure reliable performance for small to medium workloads. As of the latest documentation:

CPU: 8 cores (2.0 GHz or higher) to handle concurrent users, rendering, and background tasks.

RAM: 32 GB to support in-memory processing (e.g., VizQL, Data Engine) and caching.

Disk Space: 50 GB free for installation, logs, extracts, and temporary files.

Let’s break it down:

Option C (8-Core CPU, 32 GB RAM, 50 GB free disk space): Correct. This matches Tableau’s official minimum for production:

8 cores ensure sufficient parallelism for processes like Backgrounder and VizQL.

32 GB RAM supports multiple users and extract refreshes.

50 GB disk space accommodates growth (initial install is ~1–2 GB, but logs and extracts expand).

Option A (4-Core, 16 GB RAM, 50 GB): Incorrect. Too low for production—4 cores and 16 GB RAM are below the threshold for reliable performance under load.

Option B (2-Core, 8 GB RAM, 15 GB): Incorrect. This is for non-production (e.g., trial) setups, insufficient for production stability.

Option D (4-Core, 64 GB RAM, 50 GB): Incorrect. 4 cores are inadequate, though 64 GB RAM exceeds the minimum (32 GB).

Why This Matters: Under-spec hardware can lead to slow performance, failed refreshes, or crashes in production—adhering to the minimum ensures stability.

Tableau Server uses caching to speed up workbook loading by storing query results. After a scheduled extract refresh updates the data, the cache may need recomputing—let’s dive into the mechanics:

Caching Basics:

VizQL Cache: Stores rendered views and query results for faster access.

Refresh Trigger: A scheduled refresh updates the underlying extract (.hyper), but the cache isn’t automatically invalidated—it’s demand-driven.

Recompute Conditions: Tableau recomputes the cache when the workbook is accessed (viewed) and its data has changed (e.g., via refresh).

Evaluation:

Option B (The workbook has upcoming scheduled refresh tasks): Correct.

Why: An upcoming refresh task indicates the workbook relies on an extract with a schedule. After the refresh runs, the data changes, priming the cache for recomputation on next view. Without a schedule, no refresh occurs, so this is a prerequisite.

Detail: Schedules are set in Schedules > Tasks—e.g., "Daily at 2 AM."

Option D (The workbook has been viewed recently): Correct.

Why: Viewing triggers cache recomputation if the data has changed (e.g., post-refresh). Tableau uses a "lazy caching" model—cache updates only when a user loads the workbook, ensuring fresh results.

Detail: "Recently" isn’t strictly defined but implies post-refresh access.

Option A (Published in the last month): Incorrect.

Why: Publish date is irrelevant—cache recomputation ties to data changes and access, not publication timing.

Option C (All Users group has permission rule allowing access): Incorrect.

Why: Permissions enable viewing, but recomputation requires actual access (viewing) and a refresh event, not just potential access.

Why This Matters: Caching balances performance and freshness—understanding triggers prevents stale data surprises.

In an HA Tableau Server cluster, the Coordination Service (ZooKeeper ensemble) maintains cluster state—let’s find the best way to check it:

Coordination Service:

Runs on multiple nodes (3 or 5 in HA) to ensure quorum and failover.

Status indicates if it’s running and synced—critical for cluster health.

Option C (Run tsm status -v): Correct.

Details: tsm status --verbose lists all processes across nodes, including Coordination Service (e.g., "Coordination Service: RUNNING").

Why Best: Provides detailed, node-specific status in the CLI—e.g., "Node 1: RUNNING, Node 2: RUNNING."

Use: Run on the initial node; -v ensures full output.

Option A (TSM web client Status page): Incorrect.

Why: The TSM UI (Server > Status) shows process counts (e.g., "Coordination Service: 3 instances"), but not detailed per-node status—less granular than CLI.

Option B (tsm maintenance ziplogs): Incorrect.

Why: Generates log archives for troubleshooting, not a real-time status check.

Option D (Tableau Server Status page): Incorrect.

Why: The Server Status page (Server > Status in the web UI) monitors application processes (e.g., VizQL), not TSM’s Coordination Service.

Why This Matters: Coordination Service health ensures HA stability—tsm status -v is the admin’s go-to for precision.

Tableau Server supports multiple authentication methods, including Local Authentication, Active Directory, Kerberos, SAML, and OpenID Connect. OpenID Connect (OIDC) is an identity layer built on OAuth 2.0, commonly used for single sign-on (SSO). In Tableau Server, OIDC is implemented as a variant of SAML (Security Assertion Markup Language) authentication because both are SSO protocols managed through the same configuration workflow.

To use OpenID Connect:

Configure Tableau Server for SAML/SSO.

Provide an OIDC-compatible identity provider (IdP) configuration (e.g., Google, Okta).

Set up the IdP metadata and certificates in TSM.

Option D (SAML): Correct. Tableau Server treats OIDC as a subset of its SAML authentication framework, so you configure it under the SAML settings in TSM.

Option A (Local Authentication): Incorrect. Local Authentication uses Tableau’s internal user database, not an external SSO protocol like OIDC.

Option B (Kerberos): Incorrect. Kerberos is a network authentication protocol for Windows environments, unrelated to OIDC.

Option C (Active Directory): Incorrect. AD uses LDAP or Kerberos, not OIDC, for authentication.

In a high-availability (HA) Tableau Server setup, the Repository (PostgreSQL) has an active and passive instance. Failover occurs if the active Repository fails. Let’s dive into the process:

HA Setup:

Two Repository instances across nodes (active/passive).

Failover switches to the passive instance if the active one becomes unavailable (e.g., crash, network issue).

Cluster Controller:

Role: Monitors all processes (e.g., Repository, File Store) across nodes, detecting failures via heartbeats and status checks.

Failover Decision: If the active Repository stops responding, Cluster Controller initiates failover, promoting the passive instance to active.

Coordination: Works with Coordination Service (ZooKeeper) to update topology but makes the initial detection call.

Option A (Cluster Controller): Correct.

Why: It’s the watchdog process, constantly monitoring Repository health and triggering failover when needed.

Option B (Coordination Service): Incorrect.

Role: ZooKeeper maintains cluster state and coordinates topology updates post-failover, but doesn’t detect the failure—Cluster Controller does.

Option C (Gateway): Incorrect.

Role: Routes client requests—unrelated to internal process monitoring or failover.

Option D (Backgrounder): Incorrect.

Role: Executes background tasks—no involvement in Repository failover decisions.

Why This Matters: Understanding failover ensures HA reliability—Cluster Controller is the linchpin for resilience.

Importing an AD group into Tableau Server syncs user management—let’s analyze the process and options:

AD Group Import Process:

How: In the UI (Users > Groups > Add Group > Active Directory), enter the AD group name, set a site role, and sync.

Behavior:

Existing Users: If a user is already in Tableau Server, their site role remains unchanged unless manually adjusted—sync applies the minimum role only if it upgrades access.

New Users: Added to Tableau with the site role specified during import.

Config: Requires AD authentication enabled in TSM.

Option D (New users created are assigned the site role specified during import): Correct.

Details: When importing (e.g., "SalesTeam" group, site role: Explorer):

New users get Explorer.

Existing users keep their role unless it’s below Explorer (e.g., Unlicensed → Explorer).

Why: Ensures consistent onboarding—new users align with the group’s intended access.

Option A (Existing users’ roles change to match import): Incorrect.

Why: Existing roles persist unless lower than the minimum—e.g., Viewer stays Viewer if import sets Explorer, but Unlicensed upgrades. Not a full overwrite.

Option B (Requires a .csv file): Incorrect.

Why: AD import uses live sync via LDAP—no .csv needed (that’s for local auth imports).

Option C (Change group name during import): Incorrect.

Why: The AD group name is fixed—you can’t rename it in Tableau during sync (it mirrors AD). Post-import renaming is possible but not part of the process.

Why This Matters: Accurate AD sync ensures seamless user management—missteps can disrupt access or licensing.

In Tableau Server, roles and permissions dictate who can perform specific administrative tasks. A "server administrator" has full control over the entire Tableau Server deployment, while site administrators manage specific sites. Some tasks are restricted to server administrators due to their server-wide impact.

Option B (Adding a site): Creating a new site in a multi-site Tableau Server environment is a server-level task that only a server administrator can perform. Sites are logical partitions within the server, and adding a site affects the overall server structure. Site administrators cannot create new sites; they can only manage existing ones.

Option D (Adding users): Adding users to Tableau Server (e.g., via the TSM interface or tabcmd) is a server administrator task when it involves adding users at the server level or assigning them to the default site. While site administrators can add users to their specific site in a multi-site environment, the initial addition of users to the server requires server administrator privileges. The question’s phrasing (“always require”) suggests a server-wide context, making this a correct choice.

Option A (Creating a schedule): This is incorrect because both server administrators and site administrators can create schedules for tasks like extract refreshes or subscriptions within their scope. It’s not exclusive to server administrators.

Option C (Locking project permissions): This is incorrect because locking project permissions can be done by a site administrator or project leader with appropriate permissions. It’s a project-level action, not a server-level task requiring a server administrator.