Users and group privileges

Users and group privileges

To provide access to ThoughtSpot content or define role-based privileges, you need to add users and groups in ThoughtSpot. You can create user accounts and user groups using REST API endpoints.

User creation and updateπŸ”—

You can create users using the /tspublic/v1/user/ REST API endpoint and update user profiles via a PUT call. While you can delete users, it is preferable to deactivate the user instead, which maintains the user’s references within the system.

When configuring SAML SSO in ThoughtSpot UI, you can select the Automatically add SAML users to ThoughtSpot upon first authentication option, which will use the values in the SAML assertion to create a user if they do not exist. ThoughtSpot can also add users to groups sent within the SAML assertion. To enable and configure the SAML groups capabilities, contact your ThoughtSpot team.

By default, ThoughtSpot sends e-mail messages to a new user and enables onboarding workflows when they first log in, even when you are embedding ThoughtSpot content. To alter this behavior at a system-wide level, you need to Customize the onboarding settings. The update user REST API also allows setting onboarding experience values for an individual user through the JSON object of the content argument. If you need to modify the default behavior beyond the available UI options, contact your ThoughtSpot team.

Note

ThoughtSpot supports the local management of user profiles. For initial development and testing purposes, you can create users in ThoughtSpot and manage their profiles locally. However, in large production environments, avoid creating local user profiles to reduce the administration overhead.

User group creation and updateπŸ”—

Groups can be created via the /tspublic/v1/group/ REST API endpoint.

Group privileges are set directly on groups, either at group creation time, an update call, or through the add privilege and remove privilege methods.

User association to groupsπŸ”—

Users can can be added to specific groups when the user is being created, or you can use the add a user to a group endpoint.

The group/addmemberships endpoint allows adding multiple users to multiple groups in a single request.

The set of members within a group can be requested using the /group/listuser/{groupid} or /group/{groupid}/users endpoints.

You can remove a user from a group individually or remove a list of users from many groups at once.

Access control (sharing)πŸ”—

The content a user can access is determined by content shared directly to the user or the groups they belong to. It is easier to manage and audit sharing through groups rather than at the individual user level.

Sharing can be accomplished through the UI or the /security/share REST API endpoint, including removing sharing from a user or group.

Group privilegesπŸ”—

Each user group includes a set of privileges for its users. When a user is assigned to a group in ThoughtSpot, the default privileges associated with a group are assigned to its users. The group privileges allow users belonging to a group to perform specific operations and access workflows. If a user belongs to more than one group, they will have the highest level of privileges from all the groups they belong to.

Note

If a user group belongs to another user group, it inherits privileges from its parent group.

ThoughtSpot administrators can programmatically assign the following types of privileges to a user group:

  • ADMINISTRATION

    Allows users to perform the following functions:

    • Create, edit, and delete users and user groups

    • View and edit access to all data

    • Download a saved answer

  • DEVELOPER

    Allows users to perform the following functions:

    • Access Developer portal

    • Embed ThoughtSpot app or its content in an external application

    • Add custom menu options in the embedded Liveboards and visualizations

    • Re-brand the interface elements of the embedded ThoughtSpot content

  • USERDATAUPLOADING

    Allows users to upload data to ThoughtSpot.

  • DATADOWNLOADING

    Allows users to download ThoughtSpot data from search results and Liveboards.

  • DATAMANAGEMENT

    Allows users to create worksheets and views. To edit a worksheet or view created and shared by another user, the user must have edit permission to modify the object.

  • SHAREWITHALL

    Allows users to share objects with other users and user groups.

  • EXPERIMENTALFEATUREPRIVILEGE

    Allows access to the trial and experimental features that ThoughtSpot makes available to evaluating users and early adopters.

  • JOBSCHEDULING

    Allows scheduling and editing Liveboard jobs.

  • RANALYSIS

    Allows invoking R scripts to explore search answers and sharing custom scripts.

  • A3ANALYSIS

    Allows users to generate and access SpotIQ analyses.

  • BYPASSRLS

    Allows access to the following operations:

    • Create, edit, or delete existing RLS rules

    • Enable or disable Bypass RLS on a worksheet

  • SYNCMANAGEMENT

    Allows setting up secure pipelines to external business apps and sync data using ThoughtSpot Sync.

Note

ThoughtSpot also has a default group called All. When you create new users in ThoughtSpot, they are automatically added to All. By default, the members of the All group do not have permission to download or upload data. To add these privileges, you can use the Group API endpoints.