Beginning with Tableau Server 9.3, a change was made to the Tableau Server License Manager (tablicsrv) configuration. In previous versions, tablicsrv.exe was run under the security context (log on value) of the NT AUTHORITY\Local System, which is the default run as account when creating a new Windows Service. Local System has more access than the License Manager requires to run properly, so the run as user was changed to the more restricted NT AUTHORITY\Local account. The Local Service account is used by License Manager to access and execute files located under the Tableau Server installation directory (
%PROGRAMDATA%\Tableau\Tableau Server) and write to the tablicsrv.log file. These actions rely upon permissions that are inherited through the Users security group on the Tableau Server installation directory.
As shown above, the following permissions (all of which are inherited by Local Service) are granted to the Users security group:
- Read & execute
- List folder contents
- Special permissions (create files/write data)
If Local Service does not have these permissions, Tableau Server will fail to initialize during installation, resulting in the errors above.
Why doesn’t Local Service have the correct permissions?
As a security measure, some organizations remove the Users group from all installation directories in their environments. Usually, such organizations remove the User group with an automated change management software solution such as Group Policy.