We recently had an employee leave our team. They changed the owner on their workbooks and data sources published to our Tableau Server to another team member.
Changing the owner removed embedded passwords and broke scheduled refreshes. We had to edit the connection on the server for each workbook and data source to re-embed the password. This can be quite time consuming when an employee has many workbooks/data sources.
Have any other organizations dealt with this? Has anyone come up with a more streamlined way to handle this type of transition?
Thank you!
@Jennifer Reinink ,
Great question and one that is super frustrating because there is no easy way!
I've been an admin for a decade and this has always been a problem. I have developers across the globe and rarely know ahead of time if they are leaving. We have some required documents new license holders are supposed to read for such things as this but it's rare for them to actually read them (based on the questions I get it's pretty clear they didn't read the documents!). We have a lot of contractors that come in, create some workbooks, then leave, which leaves my team to clean up their messes.
One thing we encourage here at DTNA is the use of a service account. At Intel we called these "faceless" accounts because there isn't a specific person the account is assigned to. Basically, they are a regular user account but the password never expires. This allows a content owner to leave but have the data connection continue to work. Typically the service account is known by the group to which the report is used by so if the content does get a new owner they are easily able to re-add the credentials.
We will contact their manager, however, finding a manager for a contractor is often impossible (far too much sleuthing work if even possible) so more often than not we contact the Project owner where their content is located. We will also change the previous owner's email address to the person we contact so they will be aware of failures (like with scheduled extracts). If there is content in more than one Project we use the email address of the Project owner for the Project that has the most of their content.
When we do know about a developer leaving we ALWAYS remind them that changing ownership will delete the embedded credentials by design -- it's a baked-in security feature -- so delete what they really don't need and work with their content owner replacement ahead of time for a smooth ownership transfer.
While I understand the logic behind removing credentials during ownership transfer, I still wish it could be skipped if done by the server admin or some other method. When using service accounts this would make ownership transfers painless for the most part. Even if the content used the previous owner's credentials, the ownership and email address of the new owner would be there, so the extracts would continue until the prior owner's password failed and the new owner would then be notified by the TS like it normally does.
TS = Tableau Server
