Authentication and authorization
A user's access in ThoughtSpot is determined by the privileges assigned to the groups to which the user belongs. Users and groups are stored locally in ThoughtSpot, even if the users are authenticated using SAML SSO or the trusted authentication method.
How to synchronize authorization settings from external systems
The SSO method in ThoughtSpot is mostly concerned with determining who the user is (authentication). To set what a user can see and do (authorization), you will need to define access control using the features described in Access control and data security. While an administrator can set all of these values within the ThoughtSpot UI or through direct REST API commands, you may need to synchronize authorization settings automatically from other systems within your environment.
There are three general ways to synchronize authorization settings with external systems:
Schedule batch sync processes to ThoughtSpot
Integrate ThoughtSpot sync commands into existing system processes
Send ThoughtSpot sync commands when an SSO user session is created
User authentication and authorization
If using SAML for SSO, ThoughtSpot can create users automatically from the SAML assertion, and add the user to existing ThoughtSpot groups.
REST APIs for access control
Additional REST API commands can be sent to ThoughtSpot to set all of the other authorization properties beyond group membership. These commands are relevant regardless of whether you are building a scheduled sync process or setting the values when creating a user session.
Groups and privileges
Row-level security (RLS) rules place the group name (not the display name) directly within SQL queries. To give a user a particular value within an RLS rule, you create a group whose name matches a value within the database, then assign the user to that group.
User assignment to groups
Users must belong to groups to inherit the authentication aspects assigned to those groups. You can add a user to a group individually or add multiple users to one or several groups in bulk. Similarly, you can remove a user from a group or remove multiple users from one or several groups in a single API call.
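A scheduled batch sync of RLS groups comes down to a diff between what the external system says and what ThoughtSpot currently holds, grouped so that each group needs one bulk add and one bulk remove. The following is an added example, not ThoughtSpot code: the function name, data shapes and sample users are hypothetical, and it only computes the plan without calling any REST endpoint.

```python
from collections import defaultdict


def plan_group_sync(entitlements, current, managed_groups):
    """Diff external entitlements against current group memberships.

    entitlements:   {username: RLS values the source system grants}
    current:        {username: group names the user is in right now}
    managed_groups: group names owned by this sync, i.e. the values that
                    appear in the database column the RLS rule filters on.
    Returns (add, remove), each {group_name: sorted usernames}.
    """
    managed = set(managed_groups)
    add, remove = defaultdict(set), defaultdict(set)
    for user in set(entitlements) | set(current):
        wanted = set(entitlements.get(user, ()))
        unknown = wanted - managed
        if unknown:
            # Fail closed: a group whose name matches no database value
            # grants nothing through RLS and usually signals a typo.
            raise ValueError(f"{user}: no managed group for {sorted(unknown)}")
        # Groups outside the managed set (assigned by hand) are never touched.
        have = set(current.get(user, ())) & managed
        for group in wanted - have:
            add[group].add(user)
        for group in have - wanted:
            # Includes users who vanished from the source system entirely.
            remove[group].add(user)
    return ({g: sorted(u) for g, u in add.items()},
            {g: sorted(u) for g, u in remove.items()})


# Constructed sample data (hypothetical users, groups and RLS values).
MANAGED = {"east", "west", "north"}
ENTITLEMENTS = {"alice": {"east", "west"}, "bob": {"north"}}
CURRENT = {
    "alice": {"east", "Analysts"},        # Analysts is assigned by hand
    "bob": {"west", "north"},             # west was revoked upstream
    "carol": {"east", "Administrators"},  # carol left the source system
}

if __name__ == "__main__":
    to_add, to_remove = plan_group_sync(ENTITLEMENTS, CURRENT, MANAGED)
    print("add:", to_add)
    print("remove:", to_remove)
```

Applying the removals before the additions keeps a failed run from leaving revoked access in place.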