Privileges and Roles

Privileges and Roles

System privileges determine the workflows and actions that users can perform within the ThoughtSpot application context.


ThoughtSpot allows you to define several types of privileges:

  • Role-specific privileges for administrators, developers, and other user personas.

  • Data-related privileges to allow or prevent access to upload, download, or manage data.

  • Workflow-specific privileges to enable or disable access to features such as SpotIQ analysis, scheduling Liveboards, or the experimental features available for evaluation and early adoption.

For more information about privileges, see Understand groups and privileges.


In ThoughtSpot and later versions, privileges can be assigned via Roles and assigned to groups if Role-Based Access Control (RBAC) is enabled. The RBAC feature is in beta and turned off by default on ThoughtSpot instances. To enable this feature on your instance, contact ThoughtSpot Support.

If RBAC is not enabled, administrators can configure privileges and assign it directly to groups.

User and group shareability๐Ÿ”—

Shareable is a property of a user or group object which controls visibility of users and groups in the Share dialog. If a userโ€™s visibility and the group that they belong to is Shareable and the user initiating the share action also belongs to the same group, the userโ€™s email address will be displayed in the Share dialog.

Users with administration or Can share with all users (SHAREWITHALL) privilege will see all users and groups in the Share dialog.

Granular control of menu actions within browser๐Ÿ”—

If you are using Visual Embed SDK to embed ThoughtSpot objects and you want to restrict user access to certain menu actions, you can use the visibleActions, disabledActions or hiddenActions attributes. For more information, see Show or hide UI actions.