Delete Datasource
Deletes a published data source from the current Tableau site as the destructive step of the Stale Content Cleanup workflow.
This tool is admin-only and is registered only when the ADMIN_TOOLS_ENABLED environment variable is
enabled. Non-administrator callers are rejected before any action is taken.
The tool is two-phase to keep the destructive action safe:
- Preview (default —
confirmomitted orfalse): tags the data source withpending-deletion(reversible, visible in the Tableau UI; label configurable via thetagargument), reports the data source name, project, and owner, warns which workbooks and flows depend on it and may break, and does not delete anything. - Delete (
confirm: true): permanently removes the data source. Before deleting, the server re-fetches the data source and verifies it carries the pending-deletion tag applied in the preview step. A confirmed delete against an untagged data source is rejected (see the server-authoritative gate note). On Tableau Cloud the data source is moved to the recycle bin and can be restored for a limited time before permanent removal; on Tableau Server there is no recycle bin and deletion is permanent.
Between the preview and the delete, the calling agent is instructed (via the tool description and the preview response) to surface the data source identity and its dependent content to the user and obtain explicit approval before deleting. This human-approval step is a prompt-level expectation, not a server guarantee: the tag gate proves a preview ran, but the server cannot observe whether a human actually approved. An agent that calls preview and then confirm itself satisfies the gate with no human in the loop. Enforcing true human-in-the-loop (out-of-band approval the agent cannot forge) is tracked as follow-up work.
MCP-Apps confirm panel (cooperative human-in-the-loop)
When the mcp-apps feature flag is enabled, this tool ships with an MCP App and the
preview phase renders an in-iframe confirm panel (data source name, project, owner, and a live
countdown) instead of returning preview text the model could act on. The destructive delete is then
performed only when a person clicks Delete data source in that panel, which invokes the
model-invisible confirm-delete-datasource tool (visibility: ['app']). With the flag on, the
model-driven confirm: true path is closed — the assistant cannot delete on the user's behalf;
the only route to deletion is the human gesture. The confirm tool re-verifies both the live
pending-deletion tag and a fresh, single-use human approval recorded during the preview (within
MUTATION_PREVIEW_TTL_MINUTES, default 5); either missing rejects the delete. When the flag is off
the tool behaves exactly as the two-phase confirm/tag flow described above.
This is cooperative human-in-the-loop: it depends on the MCP client honoring visibility: ['app']
(hiding the confirm-* tool from the model) and rendering the confirm panel. The human approval is
recorded during the model-driven preview phase, so a non-cooperating client that ignores the
visibility hint could still drive preview → confirm-* back-to-back with no human gesture. For this
data source tool the live pending-deletion tag re-check still proves a preview ran, but neither
gate proves a human approved. Server-enforced HITL (an approval primitive the model cannot forge or
reach) is tracked as follow-up work (W-23125362).
Server-authoritative gate
The confirm phase does not trust any caller-supplied value. It re-fetches the data source from
Tableau and only deletes if the data source is currently tagged pending-deletion (or the custom
tag value). The tag is server-side state that the caller can only set by running the preview
phase, so the gate genuinely proves a preview happened — it cannot be bypassed by computing or
guessing a token, which the prior confirmationToken (a caller-derivable sha256) could be. The
live re-fetch deliberately ignores any cached copy so the check reflects the data source's current
state at delete time.
What this gate does and does not guarantee. It proves a preview ran (closing the caller-computable-token bypass). It does not prove a human approved — an agent that runs both the preview and the confirm satisfies it on its own. Server-enforced human-in-the-loop requires an out-of-band approval primitive (e.g. MCP URL-mode elicitation) and is tracked as follow-up work.
Every mutation attempt — both the preview and the confirmed delete, and both allowed and denied
attempts (for example a non-admin caller, or a confirm without a prior preview) — emits a structured
authoritative audit record to the server's durable log sink (logger audit, level notice), not
just to the tool-response text. Each record captures the actor identity (username, user/site LUID,
site name), the tool, action, phase, the target (id, name, project, owner), the confirmation evidence
kind (tag here), and the result. The raw tag is described, never anything secret. This routing is
centralized in the shared mutation guard so every TMCP mutation tool audits identically.
Deleting a published data source does not delete the workbooks or flows that use it. Those items remain but lose this data source (their views/extracts may break). The preview phase surfaces these dependents so you can decide before deleting. The dependency check uses the Metadata API; if the Metadata API is disabled or unavailable, the preview notes that and still allows deletion.
Tool scoping
This tool honors the same tool-scoping rules as the
read tools (for example Get Datasource Metadata). If the server is
configured with a bounded context (such as INCLUDE_DATASOURCE_IDS or INCLUDE_PROJECT_IDS), a data
source that falls outside that scope cannot be previewed or deleted — the request is rejected before
any tag or delete, so there are no side effects. Being an administrator does not bypass tool scoping.
APIs called
- Add Tags to Data Source (preview phase)
- Query Data Source (preview phase)
- Metadata API (preview phase — downstream workbook/flow dependency check)
- Query User On Site (owner lookup + admin check)
- Delete Data Source (delete phase)
Required arguments
datasourceId
The LUID of the published data source to delete, potentially retrieved by the List Datasources tool.
Example: 222ea993-9391-4910-a167-56b3d19b4e3b
Optional arguments
confirm
When omitted or false, runs the non-destructive preview (tags, warns about dependents, and
reports). When true, permanently deletes the data source — but only if the data source already
carries the pending-deletion tag from a prior preview (verified by a live re-fetch; see
server-authoritative gate). Pass the same tag value used in the
preview if you overrode the default.
Example: true
tag
The label applied to the data source during the preview phase to mark it as pending deletion.
Reversible and visible in the Tableau UI. Defaults to pending-deletion; callers (for example a
stale-content cleanup workflow) can override it with their own vocabulary.
Example: stale-pending-deletion
Side effects
- Preview adds the pending-deletion tag (
pending-deletionby default, or thetagvalue) to the data source. This is reversible and visible in the Tableau UI. No content is deleted. - Delete removes the data source. On Tableau Cloud it is moved to the recycle bin and can be restored for a limited time before it is permanently purged; on Tableau Server there is no recycle bin and deletion is permanent. Dependent workbooks and flows are not deleted but lose this data source. Always run the preview first, review the dependency warning, and confirm the data source identity before deleting.