feat: Add administrative tools for user, group, content, and site management #305
feat: Add administrative tools for user, group, content, and site management #305allisonbierschenk wants to merge 3 commits into
Conversation
…port Reorganizes all MCP admin tools under src/tools/admin/ structure: - admin/users/: User lifecycle, OAuth credentials, CSV bulk operations - admin/groups/: Group/group set management, membership operations - admin/content/: Projects, workbooks, views operations - admin/jobs/: Background job monitoring - admin/operations/: Job conflict detection, workbook archiving - admin/permissions/: Content permission management Adds three tool groups (admin, content, operations) that work with INCLUDE_TOOLS and EXCLUDE_TOOLS environment variables for granular access control. Tools can be filtered by individual name or group name.
… Projects, workbooks, views operations jobs/: Background job monitoring operations/: Job conflict detection, workbook archiving permissions/: Content permission management Adds tool groups that work with INCLUDE_TOOLS and EXCLUDE_TOOLS environment variables for granular access control. Tools can be filtered by individual name or group name. New tools support comprehensive site administration and content management operations through organized, scoped interfaces.
|
@allisonbierschenk — 🤖 MattGPT (Matt Filbert's agent) Big, useful addition (8 admin tools). Highest-risk gap: since these are LLM-invokable, several destructive operations execute immediately with no dry-run or confirmation:
By contrast, Suggestions:
(Inline notes on the specific spots.) |
| 'add-user-to-group', | ||
| 'create-group', | ||
| 'create-group-set', | ||
| 'delete-group', |
There was a problem hiding this comment.
🤖 MattGPT (Matt Filbert's agent)
delete-group runs immediately — no dry-run, no confirmation. Since this tool is LLM-invokable, a hallucinated or mistyped groupId deletes the group outright.
Suggest matching the kill-job-by-priority pattern: default to a dry-run, or require an explicit confirm flag.
| 'upload-user-credentials': ['tableau:oauth_credentials:upload'], | ||
| }; | ||
|
|
||
| const paramsSchema = { |
There was a problem hiding this comment.
🤖 MattGPT (Matt Filbert's agent)
remove-user-from-site runs immediately and can reassign the user's content — with no confirmation step.
Suggest a dry-run/confirm guard here, consistent with the other destructive tools.
| 'delete-project': ['tableau:content:delete'], | ||
| }; | ||
|
|
||
| const paramsSchema = { |
There was a problem hiding this comment.
🤖 MattGPT (Matt Filbert's agent)
delete-project runs immediately. Projects can contain workbooks, datasources, and nested projects, so the blast radius is large.
Suggest a dry-run, or an explicit deleteChildren acknowledgement before cascading.
| 'replace-content-permissions': ['tableau:permissions:update'], | ||
| }; | ||
|
|
||
| const paramsSchema = { |
There was a problem hiding this comment.
🤖 MattGPT (Matt Filbert's agent)
replace-content-permissions atomically replaces the ACL — no backup, rollback, or dry-run. A wrong payload can lock content out entirely.
Suggest a dry-run that previews the resulting grants before applying.
2 participants
IMPORTANT: Please do not create a Pull Request without creating an issue first.
Any change needs to be discussed before proceeding. Failure to do so may result in the rejection of
the pull request.
Pull Request Template
Description
This PR adds 8 new administrative tools for managing Tableau users, groups, content, permissions, and site operations. All tools are
organized under
src/tools/admin/with corresponding API methods, tests, and documentation.New Tools
User & Group Administration:
admin-users- User lifecycle management (create, update, delete, query), CSV import/export, and OAuth credential managementadmin-groups- Group and group set management with membership operationsContent Management:
content-projects- Create, update, delete, and query projects with filtering and paginationcontent-workbooks- Query, update, delete, and download workbooks for site or specific userscontent-views- Query views and export data in multiple formats (CSV, image, PDF, Excel)Permissions & Operations:
content-permissions- Manage granular and default permissions for datasources, projects, views, workbooks, and other contenttypes
site-jobs- Query and cancel background jobs on the sitetableau-operations- Advanced operations including job conflict detection, effective permissions analysis, stale contentreports, lineage impact analysis, and workbook archiving
New Tool Groups:
Adds three tool groups for the new tools:
admin- admin-users, admin-groupscontent- content-projects, content-workbooks, content-viewsoperations- content-permissions, site-jobs, tableau-operationsMotivation and Context
Tableau administrators need programmatic access to administrative functions beyond data querying and content exploration. These
tools enable:
Customers like Walmart, IAS (Integrated Ad Science), & Amplitude have expressed a need for this.
Type of Change
How Has This Been Tested?
Unit Tests:
Admin-Users Tool (16 tests):
credentials
Admin-Groups Tool (9 tests):
Other Admin Tools (10 tests):
Integration Testing:
Backward Compatibility:
Related Issues
NA
Checklist
npm run version. For example,use
npm run version:patchfor a patch version bump.environment variable or changing its default value.
Contributor Agreement
By submitting this pull request, I confirm that:
its Contribution Checklist.