SCA-C01 Tableau Server Certified Associate Exam Questions and Answers

In Tableau Server,projectsorganize content (workbooks, data sources) and use permissions to control access. "Locking permissions" restricts how permissions are managed within a project—let’s explore this exhaustively:

Permission Management Modes:

Managed by Owner: Default mode. Content owners (e.g., workbook publishers) can set permissions on their items, inheriting project defaults as a starting point.

Locked to the Project: Project-level permissions are enforced, and content owners cannot modify them. This ensures consistency across all items in the project.

How to Lock:

In the Tableau Server web UI:

Go toContent > Projects.

Select a project, clickActions > Permissions.

In the Permissions dialog, changePermissions Managementfrom "Customizable" (Managed by Owner) to "Locked."

Set the desired permissions (e.g., Viewer, Editor) for users/groups, which then apply uniformly to all content.

Via REST API: Use the updateProject endpoint with "permissionsLocked": true.

Option B (You can lock permissions to a project by changing Customizable to Locked): Correct.

Details: This is the precise action in the UI—switching from "Customizable" to "Locked" locks permissions at the project level.

Impact: Owners lose the ability to override permissions on individual workbooks/data sources, enforcing governance.

Example: Set "All Users" to Viewer (Locked)—all content in the project is view-only, regardless of owner intent.

Option A (Locking permissions must be enabled on the Server Settings page): Incorrect.

Why: Locking is a per-project setting, not a server-wide toggle. The Server Settings page (via TSM) controls global configs (e.g., authentication), not project permissions.

Option C (Content permissions are locked by default): Incorrect.

Default: New projects are "Managed by Owner" (Customizable), allowing flexibility unless explicitly locked by an admin.

Option D (By setting the appropriate Project permission role): Incorrect.

Confusion: "Project permission role" isn’t a term—permissions are set via rules (e.g., Viewer, Editor), but locking is a separate action (Customizable → Locked).

Why This Matters: Locking permissions ensures uniform access control, critical for regulated environments or large teams where consistency trumps flexibility.

Kerberos delegationallows Tableau Server to pass a user’s Kerberos credentials to a data source for seamless authentication (SSO)—let’s explore which sources support it:

Kerberos Overview:

Used with Active Directory (AD) for SSO in Windows environments.

Tableau Server delegates the user’s ticket to the data source, avoiding embedded credentials.

Requires:

Data source support for Kerberos.

Proper configuration (e.g., SPN, constrained delegation).

Supported Data Sources: Per Tableau’s documentation:

Option A (Teradata): Correct.

Details: Supports Kerberos delegation—common in enterprise data warehouses.

Config: Enable in TSM (tsm authentication kerberos configure) and set SPN for Teradata.

Option C (SQL Server): Correct.

Details: Fully supports Kerberos—widely used with AD-integrated SQL Server instances.

Config: Requires AD setup and "Trustworthy" delegation in SQL Server.

Option D (SAP HANA): Correct.

Details: Supports Kerberos SSO via delegation—popular in SAP ecosystems.

Config: Needs HANA Kerberos setup (e.g., keytab) and Tableau Server integration.

Option B (PostgreSQL): Incorrect.

Why: Supports Kerberos authentication natively, but Tableau Server doesn’t enable delegation to PostgreSQL—users must embed credentials or use other methods (e.g., OAuth).

Why This Matters: Kerberos delegation enhances security by avoiding stored passwords—knowing supported sources ensures SSO feasibility.

Tableau Server provides multiple methods to creategroups(collections of users) andprojects(content containers), catering to UI, CLI, and programmatic needs. Let’s dissect each option with depth:

Option B (Tableau Server browser interface): Correct.

Groups: Go toUsers > Groups > Add Group, name it, and optionally sync with Active Directory.

Projects: Go toContent > Projects > New Project, set name, description, and permissions.

Details: The web UI is intuitive, requiring server/site administrator rights. It’s ideal for manual, ad-hoc creation with immediate visibility.

Permissions: For projects, you can set default permissions or lock them here.

Option C (tabcmd): Correct.

Groups: tabcmd creategroup "GroupName" creates a local group. Add users with tabcmd addusers "GroupName" --users "user1,user2".

Projects: tabcmd createproject -n "ProjectName" -d "Description" creates a project.

Details: tabcmd is a command-line tool for batch operations or scripting (e.g., automating group/project setup). It requires a server admin login (tabcmd login).

Limitation: No AD sync via tabcmd—that’s UI or REST API territory.

Option D (REST API): Correct.

Groups: Use the POST /api/api-version/sites/site-id/groups endpoint with a payload (e.g., {"group": {"name": "GroupName"}}). Supports AD import too.

Projects: Use POST /api/api-version/sites/site-id/projects (e.g., {"project": {"name": "ProjectName", "description": "Desc"}}).

Details: The REST API is programmatic, ideal for integration with external systems or bulk automation. Requires authentication via a token and server/site admin rights.

Power: Offers full control, including nested projects and custom permissions.

Option A (tsm customize): Incorrect.

Purpose: tsm customize modifies TSM UI branding (e.g., logos, colors) via commands like tsm customize --logo "path/to/logo.png".

Why Wrong: It’s unrelated to creating groups or projects—it’s for cosmetic server configuration, not content/user management.

Why This Matters: Offering UI, CLI, and API options ensures flexibility—manual for small tasks, automation for scale—critical in enterprise deployments.

Tableau Server supports multi-tenancy via sites, each with customizable settings managed by server or site administrators. Let’s analyze what’s configurable per site:

Site Settings: Found in the web UI underSite > Settings > General. Server admins can override site admin settings.

Option B (Limitation on storage space): Correct.

Details: Server admins can set astorage quotaper site (e.g., 100 GB) to cap disk usage for extracts and workbooks.

How: In TSM or site settings (if enabled)—e.g., tsm configuration set -k site.storage.quota -v 100000.

Impact: Prevents one site from monopolizing resources in multi-site deployments.

Option D (Language and locale): Correct.

Details: Each site can set itslanguage(e.g., English, French) andlocale(e.g., date/number formats).

How: Site settings UI—e.g., "Language: French, Locale: France."

Impact: Tailors the user experience per site’s audience.

Option A (Ability to embed credentials): Incorrect.

Details: Embedding credentials (e.g., in data sources) is a server-wide setting (tsm data-access), not per-site. Site admins can’t override it.

Option C (Limitation on number of users): Incorrect.

Details: User limits are tied to licenses (server-wide), not configurable per site. Site admins manage user assignments, not quotas.

Why This Matters: Site-specific settings enable tailored governance and resource allocation in multi-tenant environments.

In a high-availability (HA) Tableau Server setup, theRepository(PostgreSQL) has an active and passive instance. Failover occurs if the active Repository fails. Let’s dive into the process:

HA Setup:

Two Repository instances across nodes (active/passive).

Failover switches to the passive instance if the active one becomes unavailable (e.g., crash, network issue).

Cluster Controller:

Role: Monitors all processes (e.g., Repository, File Store) across nodes, detecting failures via heartbeats and status checks.

Failover Decision: If the active Repository stops responding, Cluster Controller initiates failover, promoting the passive instance to active.

Coordination: Works with Coordination Service (ZooKeeper) to update topology but makes the initial detection call.

Option A (Cluster Controller): Correct.

Why: It’s the watchdog process, constantly monitoring Repository health and triggering failover when needed.

Option B (Coordination Service): Incorrect.

Role: ZooKeeper maintains cluster state and coordinates topology updates post-failover, but doesn’t detect the failure—Cluster Controller does.

Option C (Gateway): Incorrect.

Role: Routes client requests—unrelated to internal process monitoring or failover.

Option D (Backgrounder): Incorrect.

Role: Executes background tasks—no involvement in Repository failover decisions.

Why This Matters: Understanding failover ensures HA reliability—Cluster Controller is the linchpin for resilience.

Tableau Server’s licensing ties product keys to specific machines. Moving an environment requires managing activations to stay compliant. Let’s break this down:

Licensing Rules:

A product key can be activated on multiple machines (e.g., Dev, Test, Prod), but only up to the licensed limit (typically 3 for such setups).

Deactivation frees the key for reuse elsewhere.

Recommended Workflow:

Deactivate first: Use tsm licenses deactivate on the old Test machine to release the key.

Then activate: Install on the new hardware and activate with tsm licenses activate -k .

Why: Ensures compliance and avoids activation conflicts (e.g., exceeding the key’s limit).

Option B (Deactivate on Test, then install/activate on new hardware): Correct.

Steps:

On old Test: tsm licenses deactivate.

Install Tableau Server on new hardware.

On new Test: tsm licenses activate -k .

Benefit: Clean, compliant transfer—preserves license integrity.

Option A (Activate new, then deactivate old): Incorrect.

Risk: If the key’s limit is reached (e.g., 3 activations), the new activation fails until deactivation occurs. Order matters.

Option C (Activate new, keep old as backup): Incorrect.

Issue: Exceeds license limit (4 activations) and risks non-compliance. Backup requires deactivation or a separate key.

Option D (Activate new, obliterate old): Incorrect.

Details: tableau-server-obliterate.cmd wipes the entire install (data, config)—overkill and doesn’t formally deactivate the key via TSM, potentially leaving licensing inconsistent.

Why This Matters: Proper license management prevents activation errors and ensures legal use across environments.

Table recommendations in Tableau Server suggest popular tables and data sources to users when they create new content in the web authoring environment. This feature is enabled by default but can be disabled at the site level.

Option A (Disable the option using the site Settings page): Correct. A site administrator can disable table recommendations by navigating to the site’s Settings > General page in the Tableau Server web interface and unchecking the option "Enable table recommendations." This prevents users on that site from seeing these suggestions, offering a straightforward UI-based solution.

Option B (Use the command: tsm configuration set -k recommendations.enabled -v false): Incorrect. There is no recommendations.enabled key in the TSM configuration settings. This feature is managed per site, not server-wide via TSM.

Option C (Publish data sources only to projects with permissions locked): Incorrect. Locking permissions restricts access but doesn’t disable the recommendation feature itself. Users with access would still see recommendations.

Option D (Disable the option using the server Settings page): Incorrect. Table recommendations are a site-specific setting, not a server-wide setting. The server Settings page (via TSM) controls global configurations, not this feature.

Tableau Server uses internal secrets (tokens) for secure communication between its processes (e.g., Repository, File Store). These are automatically generated during installation and can be regenerated if compromised or for security maintenance. The command to update these is:

tsm security regenerate-internal-tokens: This regenerates the internal security tokens, ensuring all processes use the new tokens after a restart.

Option C (tsm security regenerate-internal-tokens): Correct. This is the documented command for updating internal secrets.

Option A (tsm data-access caching set -r 1): Incorrect. This command configures caching behavior, not security tokens.

Option B (tsm licenses refresh): Incorrect. This refreshes license data, unrelated to internal secrets.

Option D (tsm security validate-asset-keys): Incorrect. This validates encryption keys for assets, not internal tokens.

Tableau Server’s minimum hardware recommendations for a production single-node deployment ensure reliable performance for small to medium workloads. As of the latest documentation:

CPU: 8 cores (2.0 GHz or higher) to handle concurrent users, rendering, and background tasks.

RAM: 32 GB to support in-memory processing (e.g., VizQL, Data Engine) and caching.

Disk Space: 50 GB free for installation, logs, extracts, and temporary files.

Let’s break it down:

Option C (8-Core CPU, 32 GB RAM, 50 GB free disk space): Correct. This matches Tableau’s official minimum for production:

8 cores ensure sufficient parallelism for processes like Backgrounder and VizQL.

32 GB RAM supports multiple users and extract refreshes.

50 GB disk space accommodates growth (initial install is ~1–2 GB, but logs and extracts expand).

Option A (4-Core, 16 GB RAM, 50 GB): Incorrect. Too low for production—4 cores and 16 GB RAM are below the threshold for reliable performance under load.

Option B (2-Core, 8 GB RAM, 15 GB): Incorrect. This is for non-production (e.g., trial) setups, insufficient for production stability.

Option D (4-Core, 64 GB RAM, 50 GB): Incorrect. 4 cores are inadequate, though 64 GB RAM exceeds the minimum (32 GB).

Why This Matters: Under-spec hardware can lead to slow performance, failed refreshes, or crashes in production—adhering to the minimum ensures stability.

Importing an AD group into Tableau Server syncs user management—let’s analyze the process and options:

AD Group Import Process:

How: In the UI (Users > Groups > Add Group > Active Directory), enter the AD group name, set a site role, and sync.

Behavior:

Existing Users: If a user is already in Tableau Server, their site role remains unchanged unless manually adjusted—sync applies the minimum role only if it upgrades access.

New Users: Added to Tableau with the site role specified during import.

Config: Requires AD authentication enabled in TSM.

Option D (New users created are assigned the site role specified during import): Correct.

Details: When importing (e.g., "SalesTeam" group, site role: Explorer):

New users get Explorer.

Existing users keep their role unless it’s below Explorer (e.g., Unlicensed → Explorer).

Why: Ensures consistent onboarding—new users align with the group’s intended access.

Option A (Existing users’ roles change to match import): Incorrect.

Why: Existing roles persist unless lower than the minimum—e.g., Viewer stays Viewer if import sets Explorer, but Unlicensed upgrades. Not a full overwrite.

Option B (Requires a .csv file): Incorrect.

Why: AD import uses live sync via LDAP—no .csv needed (that’s for local auth imports).

Option C (Change group name during import): Incorrect.

Why: The AD group name is fixed—you can’t rename it in Tableau during sync (it mirrors AD). Post-import renaming is possible but not part of the process.

Why This Matters: Accurate AD sync ensures seamless user management—missteps can disrupt access or licensing.

Tableau Desktop and Tableau Server have versioning considerations when publishing content, particularly regarding compatibility between older Desktop versions (e.g., 10.5) and newer Server versions (e.g., 2020.1). Let’s break this down step-by-step:

Version Context: Tableau Desktop 10.5 was released in 2017 and used the .tde (Tableau Data Extract) format for extracts. Tableau Server 2020.1, released in 2020, introduced the .hyper extract format (starting with version 10.5, but fully standardized later). When publishing from an older Desktop version to a newer Server version, Tableau ensures backward compatibility but may upgrade certain components.

Publishing Process: With a Creator site role and Publisher permissions, you have the rights to publish workbooks to the specified project. Tableau Server accepts workbooks from older Desktop versions (e.g., 10.5) and upgrades them to the current Server version (2020.1) duringpublishing. This process is seamless for the workbook itself, but extracts require special handling.

Extract Handling: If the workbook contains embedded .tde extracts (stored within the .twb or .twbx file), Tableau Server 2020.1 converts these to .hyper format upon publishing. This conversion is necessary because .hyper replaced .tde as the default extract engine starting in Tableau 10.5 and beyond, offering better performance and scalability. During this process, Tableau Desktop or Server displays a warning to inform the user of the upgrade, as it’s a one-way conversion (you can’t revert to .tde on the Server).

Now, let’s evaluate the options:

Option A (You will successfully publish without any errors or warnings): Incorrect. While the publishing succeeds, a warning about the .tde to .hyper conversion appears if the workbook contains embedded extracts. Without extracts, no warning occurs, but the question’s context implies extracts are likely involved (common in visualizations).

Option B (Error message: unable to publish to a newer version): Incorrect. Tableau supports publishing from older Desktop versions to newer Server versions. There’s no outright error blocking this; compatibility is maintained.

Option C (Warning: embedded .tde extracts will be upgraded to .hyper): Correct. This is the precise warning displayed when a workbook with .tde extracts is published to a Server version that uses .hyper. It ensures the user is aware of the format change, which might affect extract refresh schedules or performance expectations.

Option D (Warning: workbook will be upgraded to a new version): Partially correct but less specific. The workbook is upgraded to 2020.1 compatibility, but the warning focuses on the extract format change (.tde to .hyper), not the workbook version generically. Option C is more accurate.

Why This Matters: The .tde to .hyper shift improves query performance and supports larger datasets, but users need to know about it for planning (e.g., extract refresh schedules might need adjustment). The warning ensures transparency.

Single Sign-On (SSO) allows users to authenticate once (e.g., via a corporate identity provider) and access Tableau Server without re-entering credentials. Tableau Server supports several SSO methods:

OpenID Connect (OIDC): An OAuth 2.0-based protocol for SSO, configured via Tableau’s SAML settings with an OIDC-compatible IdP (e.g., Google, Okta).

Kerberos with Active Directory: A ticket-based SSO protocol, widely used in Windows environments with AD integration.

SAML: A flexible SSO standard using XML assertions, supporting various IdPs (e.g., ADFS, PingFederate).

Let’s evaluate:

Option A (OpenID Connect): Correct. OIDC is an SSO method, implemented as a SAML variant in Tableau Server, enabling seamless login.

Option C (Kerberos with Active Directory): Correct. Kerberos provides SSO in AD environments, delegating authentication to the domain controller.

Option D (Security Assertion Markup Language - SAML): Correct. SAML is a core SSO method in Tableau, widely adopted for enterprise integrations.

Option B (Local Authentication): Incorrect. Local Authentication uses Tableau’s internal user database, requiring manual credential entry—no SSO support.

Why This Matters: SSO enhances user experience and security by leveraging existing identity systems, reducing password fatigue.

TSM commands manage Tableau Server maintenance—let’s validate their syntax:

Command Requirements:

Some need arguments (e.g., file paths); others are standalone.

Valid and Complete: Must work as-is without errors.

Option C (tsm maintenance cleanup): Correct.

Details: Removes temporary files and old logs—no arguments required (optional flags like -l exist).

Use: tsm maintenance cleanup—runs fully.

Option D (tsm maintenance ziplogs): Correct.

Details: Creates a zip of logs (e.g., tsm-logs.zip)—no arguments needed (optional -d for date range).

Use: tsm maintenance ziplogs—complete and valid.

Option A (tsm maintenance backup): Incorrect.

Why: Requires -f .tsbak (e.g., tsm maintenance backup -f backup.tsbak)—incomplete without it.

Option B (tsm maintenance restore): Incorrect.

Why: Needs -f .tsbak (e.g., tsm maintenance restore -f backup.tsbak)—not standalone.

Why This Matters: Correct syntax ensures maintenance tasks execute without errors—critical for server health.