Summary and recommendation
Tableau user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Tableau Cloud organizes access through three license tiers Creator, Explorer, and Viewer each setting a hard ceiling on what a user can do, regardless of any content-level permissions granted below it.
Site roles are additive to license tiers: a user must hold a Creator license to become a Site Administrator Creator.
SCIM 2.0 provisioning is available on all Tableau Cloud tiers, but SAML SSO must be fully configured before SCIM can be enabled.
Quick facts
| Admin console path | Tableau Cloud → Site Admin → Users (left navigation) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Tableau Cloud (any tier) |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Creator | Full authoring in Tableau Cloud and Tableau Desktop; can publish, connect to data sources, build flows (Prep), manage projects and permissions on owned content | Cannot administer site-level settings unless also granted Site Administrator role | Tableau Cloud (Standard or Enterprise) | $75/user/month (Standard); $115/user/month (Enterprise) | Creator license is required to use Tableau Desktop or Tableau Prep Builder; assigning a lower role to a Creator-licensed user wastes the seat |
| Explorer | Can interact with and edit published views, create workbooks using existing published data sources, manage own content | Cannot connect to new data sources or publish new data sources; cannot use Tableau Desktop or Prep Builder | Tableau Cloud (Standard or Enterprise) | $42/user/month (Standard); $70/user/month (Enterprise) | Explorer (can publish) sub-role allows publishing workbooks but still cannot create new data source connections |
| Viewer | Can view and interact with published dashboards and views; can subscribe to views and download summary data | Cannot edit or publish content; cannot create workbooks or connect to data | Tableau Cloud (Standard or Enterprise) | $15/user/month (Standard); $35/user/month (Enterprise) | Viewer cannot be granted permissions above their license ceiling regardless of project-level permission settings |
| Site Administrator Creator | All Creator capabilities plus full site administration: manage users, groups, projects, schedules, and site settings | Cannot access server-level (multi-site) administration on Tableau Cloud; that is handled by Tableau-managed infrastructure | Tableau Cloud (Standard or Enterprise) | Consumes a Creator seat | Site Administrator role is additive to a license tier; a user must hold a Creator license to be a Site Administrator Creator |
| Site Administrator Explorer | All Explorer capabilities plus site administration functions | Cannot publish new data sources or use Tableau Desktop/Prep; admin capabilities are the same as Site Administrator Creator except bounded by Explorer license ceiling | Tableau Cloud (Standard or Enterprise) | Consumes an Explorer seat | Certain admin tasks that require Creator-level data access are unavailable to Site Administrator Explorer |
| Unlicensed | No access to site content; account exists in the system but cannot sign in | Cannot view, edit, or publish any content | N/A – no license consumed | No charge; does not consume a paid seat | Users imported via IdP/SCIM provisioning may land as Unlicensed if no role mapping is configured; they appear in the user list but cannot access the site |
Permission model
- Model type: hybrid
- Description: Tableau Cloud uses a two-layer permission model. The first layer is the site role (license tier), which sets a hard ceiling on what a user can ever do. The second layer is content-level capability rules applied to users or groups on specific projects, workbooks, views, and data sources. Capabilities (e.g., View, Download, Edit, Delete) can be explicitly Allowed or Denied at the content level, but they cannot exceed the ceiling set by the site role. Groups are the recommended unit for managing content permissions at scale.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Per-content-object (project, workbook, view, data source, flow) with inherited defaults from parent project; individual capability toggles per user or group
How to add users
- Sign in to Tableau Cloud as a Site Administrator.
- Navigate to the left navigation panel and select 'Users'.
- Click 'Add Users'.
- Choose 'Add Users by Email' to add individually, or 'Import Users from CSV' for bulk.
- Enter the user's email address.
- Select a site role (e.g., Viewer, Explorer, Creator) from the role dropdown.
- Optionally assign the user to one or more groups.
- Click 'Add Users'. An invitation email is sent to each new user.
Required fields: Email address, Site role
Watch out for:
- If SAML SSO is enforced on the site, the email address must match the identity provider's username/email attribute exactly; mismatches prevent sign-in.
- Users added manually while SCIM provisioning is active may have their attributes overwritten on the next IdP sync.
- Invitation emails expire; if a user does not accept within the expiry window, the admin must resend the invitation.
- Adding a user does not automatically grant them access to any content; project or workbook permissions must be configured separately.
- The total number of licensed users cannot exceed the seat count purchased; attempting to add users beyond the contracted limit will be blocked.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Users → Add Users → Import Users from CSV (CSV columns: Email, Site Role, Admin Level, Auth Setting, Group) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Tableau Cloud (all tiers) – requires SAML SSO configured first |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Tableau Cloud allows admins to remove (delete) users from the site. Before deletion, the admin must reassign or delete all content owned by that user. If the user owns content that has not been reassigned, Tableau will prompt the admin to handle it before the removal can complete. Once removed, the user account no longer exists on the site and the license seat is freed.
- Sign in to Tableau Cloud as a Site Administrator.
- Navigate to 'Users' in the left navigation.
- Locate the user to remove using search or the user list.
- Check the checkbox next to the user's name.
- Click 'Actions' and select 'Remove Users'.
- If the user owns content, Tableau will display a prompt to reassign owned content to another user or delete it.
- Confirm the reassignment or deletion of owned content.
- Confirm the removal. The user is deleted from the site and the seat is released.
| Data impact | Behavior |
|---|---|
| Owned records | All workbooks, data sources, flows, and projects owned by the user must be reassigned to another user or deleted before removal can complete. Tableau enforces this step in the removal workflow. |
| Shared content | Content shared with the removed user (i.e., content they had permissions on but did not own) remains on the site; only the removed user's permission entry is deleted. |
| Integrations | Scheduled extract refreshes and subscriptions owned by the removed user are deleted when the user is removed. |
| License freed | The license seat is freed immediately upon successful removal and becomes available for reassignment. |
Watch out for:
- A user cannot be removed while they still own content; the admin must explicitly reassign or delete all owned content first.
- If the site uses SCIM provisioning, a user deprovisioned in the IdP will be removed from Tableau Cloud automatically on the next sync; manual removal in Tableau is not required in that workflow.
- Removing a user deletes their personal space content (My Workbooks) unless it is moved to a shared project first.
- Subscriptions and data-driven alerts set up by the removed user are permanently deleted and cannot be recovered.
- There is no 'deactivate' or 'suspend' state in Tableau Cloud; the only options are to keep the user (potentially setting them to Unlicensed role to revoke access without deleting) or to fully remove them.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Creator | Tableau Cloud web authoring, Tableau Desktop, Tableau Prep Builder, full data source publishing | $75/user/month (Standard); $115/user/month (Enterprise) |
| Explorer | Tableau Cloud web authoring with existing published data sources, view and interact with dashboards | $42/user/month (Standard); $70/user/month (Enterprise) |
| Viewer | View and interact with published dashboards, subscribe to views, download summary data | $15/user/month (Standard); $35/user/month (Enterprise) |
- Where to check usage: Tableau Cloud → Site Admin → General (or Status) → License Usage; also visible under Users list with role column showing current seat consumption
- How to identify unused seats: Admins can review the 'Last Sign In' column on the Users page to identify users who have not signed in recently. Tableau Cloud also provides Activity Log and Admin Insights (a pre-built data source) that includes user login frequency and last-active dates for identifying inactive licensed users.
- Billing notes: Tableau Cloud is sold on an annual subscription basis. Seat counts are contracted annually; adding seats mid-term is typically prorated. Reducing seats below the contracted minimum requires waiting until renewal. The Tableau+ bundle (includes agentic AI features) is available as an add-on or separate SKU. Pricing listed is standard list price; actual pricing may vary by contract or reseller.
The cost of manual management
Every app has a version of this problem, but Tableau's role model makes it sharper than most. Assigning a lower site role to a Creator-licensed user wastes the seat - the license cost is incurred regardless of the role displayed. There is no native suspend or deactivate state;
the only way to block access without deleting a user is to manually set their site role to Unlicensed, a workaround that requires deliberate action on every offboarding.
Content ownership reassignment is a required blocking step before any user can be removed, which compounds the manual effort when a departing user owns many workbooks or data sources.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Manual administration is workable for small, stable teams where role assignments rarely change and content ownership is well-organized. It becomes a liability at scale: every app added to a growing stack multiplies the offboarding steps, and Tableau's content-ownership gate means a single missed reassignment blocks user removal entirely.
Teams already running Okta, Microsoft Entra ID, or OneLogin have a clear path to SCIM-based automation. Teams without SSO cannot use SCIM at all and must manage provisioning entirely by hand or via the REST API.
Bottom line
Tableau Cloud's permission model is precise but layered - license tier, site role, and content-level capabilities each interact, and misconfiguration at any layer produces access outcomes that are hard to audit after the fact.
Manual administration is viable for small teams but introduces real risk at scale: no suspend state, a blocking content-ownership step on every removal, and IdP sync behavior that can silently undo manual role changes.
Teams with SSO already in place should treat SCIM provisioning as the default path; those without it should factor the ongoing manual overhead into their operational planning.
Automate Tableau workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
