Graphed LogoGraphed
Login

How to Revoke Tableau Access for Former Employees

Cody Schneider

When an employee leaves your company, the offboarding checklist is long and full of critical tasks, from collecting their laptop to updating payroll. One of the most important yet often mishandled steps is revoking their access to your data systems - especially powerful tools like Tableau. This guide will walk you through exactly how to remove a former employee's access to Tableau Server or Tableau Cloud, ensuring your data remains secure and your dashboards continue to run smoothly.

Why Revoking Tableau Access is a Critical Step

Leaving a former employee’s account active, even for a short time, opens the door to significant security and operational risks. It's more than just good housekeeping, it’s a non-negotiable part of a secure data governance strategy.

  • Data Security: An active account is a potential entry point for unauthorized access. Whether by a disgruntled former employee or an opportunist who stumbles upon their credentials, leaving the door unlocked puts your sensitive business data - from financial reports to customer lists - at risk of being viewed, downloaded, or altered.

  • Compliance and Privacy: Regulations like GDPR, CCPA, and HIPAA carry strict rules about data access. Failing to properly de-provision users can lead to a compliance violation, resulting in hefty fines and damage to your company’s reputation.

  • License Management and Cost: Tableau licenses, particularly for Creators and Explorers, come at a significant cost. Every active user occupies a valuable seat. Failing to revoke access means you are paying for a license that isn't being used, which could be assigned to a new team member.

  • Operational Integrity: A departed user could inadvertently remain the owner of crucial reports, data sources, or scheduled extract refreshes. If their account is disabled at the system level (like in Active Directory) but not properly handled in Tableau, these processes can fail, causing disruptions for the teams who rely on them.

A structured offboarding process for Tableau prevents these issues, protecting your data, your budget, and your data analytics operations.

The Pre-Revocation Checklist: Don't Just Delete the User!

The biggest mistake administrators make is jumping straight to deleting the user account. While this is an essential final step, doing it first can orphan their content and break critical workflows. Dashboards and data sources without an owner can become inaccessible or fail to refresh. Before you remove the user, follow this essential checklist.

Step 1: Audit and Transfer Content Ownership

Any content a user creates in Tableau - workbooks, data sources, flows - is owned by them. Simply deleting the user can result in this content being deleted or becoming ownerless. To prevent this, you must reassign ownership to another user, such as their manager or, even better, a generic "service" or "admin" account created for this purpose.

How to Transfer Ownership:

  1. Log in to Tableau Server or Tableau Cloud as a Site Administrator.

  2. Navigate to the Users page from the left-hand navigation menu.

  3. Find and click on the name of the user who is leaving.

  4. You'll land on their user profile page. Click on the Content tab to see a list of all the workbooks, data sources, and other assets they own.

  5. Select all the content you wish to reassign. You can use the checkbox at the top of the list to select everything at once.

  6. Click the ... (Actions) menu and select Change Owner.

  7. In the dialog box that appears, search for and select the new owner. It’s highly recommended to use a designated generic admin account for this, as it prevents dashboards from being tied to individual employees who might also leave one day.

  8. Click Save.

By transferring ownership first, you ensure all assets remain active and properly managed after the user's departure.

Step 2: Review and Reassign Subscriptions and Alerts

Users can subscribe themselves and others to receive email updates of workbooks on a set schedule. They can also create data-driven alerts. If a former employee was the owner or recipient of critical subscriptions or alerts, these need to be recreated by an active user to ensure business stakeholders continue receiving their reports.

You can check a previous user's subscriptions by going to their user page, clicking the Actions menu, and selecting "Subscriptions". Review them and work with the relevant teams to recreate any that are essential.

Step 3: Check Embedded Credentials and API Scripts (Advanced)

In some cases, a user might have embedded their personal database credentials into a published data source. Best practice is to use service account credentials, but it's worth checking any important data sources they owned to ensure they don't break when the user’s database access is revoked. You can edit the data source connection to update the credentials.

Additionally, if the user was technical, they might have created scripts using the Tableau REST API authenticated via a Personal Access Token (PAT). Make sure any such automated processes are updated with new credentials to prevent failures.

How to Officially Revoke Access in Tableau

Once you’ve successfully transferred all content and addressed any dependencies, you can proceed with removing the user's access.

The Main Method: Removing the User from the Site

This is the definitive action that revokes access and frees up their license seat.

  1. Log in to your Tableau site as a Site Administrator.

  2. Navigate to the Users page.

  3. Locate the former employee’s account. You can use the search bar to find them quickly.

  4. Select the checkbox next to their username.

  5. Click the ... (Actions) menu and choose Remove.

  6. A confirmation dialog will appear. Confirm that you want to remove the user.

The user will be immediately removed from the site. They will no longer be able to log in, and their license becomes available for another user.

An Interim Step: Changing the Site Role to "Unlicensed"

In some situations, you may want to disable a user's access immediately but hold off on full removal while you audit their content. Setting their site role to "Unlicensed" is the perfect way to do this.

Why Use "Unlicensed"?

  • It instantly revokes their ability to log in and interact with any content.

  • It keeps their user account in Tableau, preserving their content ownership. This makes it easier to find and transfer all their assets without anything getting lost.

How to Set a User to Unlicensed:

  1. On the Users page, find the user.

  2. Select the checkbox next to their name.

  3. Click the ... (Actions) menu, then select Change Site Role.

  4. From the dropdown menu, choose Unlicensed and then click OK.

REMEMBER: This should be a temporary state. Once your content audit and transfer are complete, you should proceed with the full removal process outlined above to keep your user list clean.

Handling Users from Active Directory or an SSO Provider

If your Tableau environment is integrated with an external identity management system like Active Directory (AD) or an SSO provider like Okta or Azure AD, the process has an important extra layer.

For Organizations Using Active Directory (AD)

When Tableau Server is configured to sync with AD, users and groups are managed there. The fundamental first step in offboarding is to disable or delete the user in Active Directory. This is your company's source of truth for user identities.

When the next AD sync happens, Tableau will see that the user is no longer in their assigned group. Depending on your configuration, Tableau might automatically remove the user from the site or set their role to Unlicensed. However, you should not wait for the sync to happen.

The best practice is twofold:

  1. First, disable the user in Active Directory. This immediately severs their primary login credentials.

  2. Then, manually remove the user in Tableau using the steps described earlier. This ensures access is revoked instantly and avoids any sync delays.

For Organizations Using SAML / SSO (Okta, Azure AD, etc.)

With a Single Sign-On (SSO) integration, authentication is controlled by your Identity Provider (IdP). Similar to AD, the first and most critical action is to deactivate the user in the IdP (e.g., Okta, Azure AD, OneLogin). This action prevents them from passing the authentication check required to access Tableau and many other company applications.

However, disabling them in the IdP does not automatically remove them from Tableau. Their user profile will still exist in your user list, and they will continue to occupy a license seat. Therefore, you must still complete the offboarding process within Tableau itself - transfer their content and then remove their user profile to finalize the process and reclaim the license.

Final Verification and Auditing

After you’ve removed a user, a quick check can provide peace of mind.

  • Search for the User: From the Users page, search for the person you just removed. They should no longer appear in the list.

  • Review Admin Insights: Use Tableau's built-in Admin Views to audit access regularly. Views like "Actions by All Users" can help you track who is accessing what, and it's a good practice to review these reports quarterly to spot any dormant or unauthorized accounts.

  • Create an Offboarding Policy Document: Standardize this process. A documented checklist ensures everyone on your team follows the same secure procedure, reducing the risk of human error.

Final Thoughts

Systematically revoking Tableau access is a critical piece of your data governance and security strategy. By following a structured process - transferring valuable content before deleting the user, updating their licenses and permissions, and confirming the removal with an audit - you protect your data and ensure your analytics workflows continue running without interruption.

Juggling user management and reporting across systems like Tableau, Google Analytics, and CRMs like Salesforce can feel fragmented and time-consuming. We built Graphed because we believe getting insights from your data shouldn't be that complicated. We centralize all your marketing and sales data, allowing you to create live, powerful dashboards simply by asking questions in plain English. This empowers your entire team to make data-driven decisions without a steep learning curve or waiting hours for manual reports to be built.