Authorization is the question of "what can the user do?", while authentication is concerned with who the user is and if they can sign in at all.

Often both authentication and authorization details are provided via the single sign-on (SSO) mechanism, but the capabilities themselves are separate within ThoughtSpot.

ThoughtSpot divides authorization into several distinct concepts:

  • Privileges: What system capabilities can you do?

    • Roles: groupings of privileges

    • Runtime granular control of buttons and menu actions in the embedded app (applicable to embedded ThoughtSpot instances)

  • Access Control: What objects can you see or edit?

    • Sharing

  • Data Security: In a data source, what will be returned by the query?

    • Row-Level security

    • Column-level security