Role-based access control

With Role-Based Access Control (RBAC) Beta, ThoughtSpot administrators can assign and manage granular privileges to users.


The RBAC feature is in beta and is turned off by default. To enable this feature on your cluster, contact ThoughtSpot Support. Note that once you enable RBAC, it cannot be disabled.

Roles and privileges

A Role is a collection of privileges that determines users' access to ThoughtSpot objects and workflows. Roles can be high-level, like Super Admin, or specific based on your organization’s structure and requirements.

When the RBAC feature is enabled on your instance, administrators can grant granular privileges and thus implement fine-grained access control to ThoughtSpot features, objects, and metadata.

For example, on ThoughtSpot instances with no RBAC, members of the groups with administration privileges can view and administer users, groups, and roles. With RBAC, you can assign granular privileges and restrict application-wide access only to super admin users.

ThoughtSpot privilege (without RBAC) | ThoughtSpot RBAC Roles

Can administer ThoughtSpot

This privilege grants administration permissions to manage users and groups on instances that do not have the RBAC feature enabled.

RBAC allows multiple Roles with granular privileges for administration control:

  • User administration: Can manage Users

  • Group administration: Can manage Groups

  • Role administrator: Can manage Roles

  • Org administration: Can manage Orgs

  • Authentication administration: Can manage Authentication

  • Application administration: Can manage Application settings

For a complete list of Roles and privileges, see Role categories and privileges.

Role assignment

Administrators can create a Role with a specific set of privileges and assign this Role to a group via UI or REST API calls. Users inherit Role privileges from the groups to which they are assigned. To assign a Role to a user, administrators must assign the Role to a group and ensure that the intended users are added to this group.

The following figure illustrates the Role and Group assignment in ThoughtSpot:


Roles are unique to an Org and can be created only within the context of an Org.
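
Because privileges reach a user only through group membership, an access review has to trace each privilege back to the group and Role that grant it. The following sketch is an added example, not ThoughtSpot code: the Role, group, and user names are constructed sample data, and the choice of which privileges to review is an assumption.

```python
# Added example: resolve effective Role privileges through group membership.
# All Role, group and user names below are constructed sample data.
from collections import defaultdict

# Role -> privileges (privilege names as they appear on this page).
ROLES = {
    "Org Admins": {"ORG_ADMINISTRATION"},
    "Analysts": {"DATADOWNLOADING", "SHAREWITHALL"},
    "Embed Devs": {"DEVELOPER"},
}
# Roles are assigned to groups, never directly to users.
GROUP_ROLES = {
    "finance": ["Analysts"],
    "platform": ["Org Admins", "Embed Devs"],
    "contractors": [],
}
USER_GROUPS = {
    "alice": ["finance", "platform"],
    "bob": ["finance"],
    "carol": ["contractors"],
}
# Reviewer's choice of privileges worth a periodic review (assumption).
REVIEW = {"ORG_ADMINISTRATION", "SHAREWITHALL", "DATADOWNLOADING"}


def grant_paths(user):
    """Map each privilege a user holds to the (group, role) pairs granting it."""
    paths = defaultdict(list)
    for group in USER_GROUPS.get(user, []):
        for role in GROUP_ROLES.get(group, []):
            for priv in sorted(ROLES.get(role, ())):
                paths[priv].append((group, role))
    return dict(paths)


def review_findings():
    """List (user, privilege, group, role) rows for privileges under review."""
    rows = []
    for user in sorted(USER_GROUPS):
        for priv, via in sorted(grant_paths(user).items()):
            if priv in REVIEW:
                rows.extend((user, priv, g, r) for g, r in via)
    return rows


if __name__ == "__main__":
    for row in review_findings():
        print("%-6s %-20s via group=%s role=%s" % row)
```

Removing a user from the listed group, or the Role from that group, is the only way to revoke the privilege, so the group and Role columns are the actionable part of each row.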

Role categories and privileges

The RBAC feature groups access privileges under specific categories for granular access control and ease of use. You can create a role with a specific privilege from any role category and assign it to a group.


All ThoughtSpot instances include a Super Admin role with ADMINISTRATION privilege by default. The Super admin user can access and modify users, Groups, and Roles, and has all other privileges. If the Orgs feature is enabled on your instance, the Super admin user can create and manage Orgs and configure multi-tenancy. The Super admin role cannot be assigned, modified, or deleted.

Admin control

Includes Role privileges that allow administrative access to create and manage ThoughtSpot objects such as users, groups, and Roles.

Role type | Privilege | Description

Org administration

UI: Can manage Orgs

Applicable to ThoughtSpot instances with Orgs. Users with ORG_ADMINISTRATION privilege can create and manage metadata objects, groups, and users in their respective Orgs.

User administration

UI: Can manage users

Allows administrators to create, edit, and manage users via UI or REST API calls.

Group administration

UI: Can manage Groups

Allows administrators to create, edit, and manage groups via UI or REST API calls.

Role administration

UI: Can manage Roles

Allows administrators to create, edit, and manage Roles via UI or REST API calls.

Authentication administration

UI: Can manage Authentication

Allows administrators to manage the authentication and authorization process for ThoughtSpot users.

Application administration

UI: Can manage Application settings

Provides access to manage cluster-wide application settings, activation and de-activation of features on an instance.

System monitoring

UI: Can view System activities

Allows administrators to manage system activities.

Billing administration

UI: Can view Billing Information

Allows view access to billing information.

Trusted authentication control

UI: Can Enable or Disable Trusted Authentication

Allows users with super admin (ADMINISTRATION) or DEVELOPER privilege to enable or disable Trusted authentication for applications embedding ThoughtSpot content.

Tag administration

UI: Can manage tags

Allows administrators to create and edit tags.

Application control

The application control privileges include the following:

Role type | Privilege | Description

SpotIQ access

UI: Has SpotIQ privilege

Allows access to the SpotIQ feature in ThoughtSpot.


UI: Has developer privilege

Allows users to access the following features and workflows:

  • Access Develop page and Playground

  • Embed a ThoughtSpot application page, object, or full experience in an external application

  • Customize styles for embedded content

  • Add custom actions to the embedded objects such as Liveboard and visualizations

  • View and manage security settings for ThoughtSpot embedding.

Liveboard job administration

UI: Can schedule for others

Allows users to schedule, edit, and delete Liveboard jobs.

ThoughtSpot Sync

UI: Can Manage Sync settings

Allows setting up secure pipelines to external business apps and sync data using ThoughtSpot Sync.

ThoughtSpot Sage

UI: Can preview ThoughtSpot Sage

Allows access to ThoughtSpot Sage features such as AI-assisted search and AI-generated answers.

Catalog management

UI: Can manage catalogue

Allows users to create, edit, and manage a data connection to Alation, and import metadata.

R Analysis

UI: Can invoke Custom R Analysis

Allows invoking R scripts to explore search answers and share custom scripts.

Liveboard verification

UI: Can verify Liveboard

Allows Liveboard users to verify Liveboard access requests and mark a Liveboard as verified.

Object access control

The SHAREWITHALL (Can share with all users) Role privilege allows users to share objects with all the users and groups in ThoughtSpot.

Data control

The data control privileges include the following:

Role type | Privilege | Description

Data upload

UI: Can upload user data

Allows users to upload data to ThoughtSpot.

Row-level-security (RLS) bypass

UI: Can administer and bypass RLS

Allows access to the following operations:

  • Create, edit, or delete existing RLS rules

  • Enable or disable Bypass RLS on a worksheet

For more information, see Row-level security.

Custom calendars

UI: Can manage custom calendars

Allows creating, editing, and deleting custom Calendars.

Data Connection

UI: Can create/edit Connections

Allows creating, editing, and managing connections to external data warehouses.

Data objects

UI: Can manage data models

Allows users to create, edit, delete, and manage Worksheets, Models, Tables, and Views.

Data download control

The DATADOWNLOADING (Can download Data) Role privilege allows users to download data from objects such as Liveboards and Answers.

How to create and assign Roles

You can create and assign Roles to a group on the Admin page of the UI or by using the REST API v1 and v2 endpoints.

REST API v1 endpoints for Role administration and assignment

Operation type | API endpoints

CRUD operations

To create, edit, and manage Role objects, use the following endpoints:

Role assignment to groups

Object query

To get the details of Roles assigned to a group object, use the following API endpoint:

  • GET /tspublic/v1/group/

Note that the API response shows the assigned Roles and privileges in the assignedRoles and granularPrivilges arrays.

REST API v2 endpoints for Role administration and assignment

Operation type | Description

CRUD operations

Role assignment to groups

To assign a Role to a group object, use one of the following endpoints:

Object query

  • POST /api/rest/2.0/roles/search
    To get Roles assigned to specific groups, specify the name or GUID of the group in the group_identifiers attribute.
    Similarly, to search for Roles configured in an Org, specify the name or the GUID of the Org in the org_identifiers attribute.

  • POST /api/rest/2.0/groups/search
    To filter group objects assigned to a particular Role, specify the name or GUID of the Role in the role_identifiers attribute.

  • POST /api/rest/2.0/users/search
    To get user objects that have a particular Role assigned, specify the name or GUID of the Role in the role_identifiers attribute.

Migrating to RBAC

The Role privileges function in the same way as group privileges. When RBAC is enabled, the corresponding group privileges are automatically migrated to Role privileges. For example, if a group has DATADOWNLOADING access, the DATADOWNLOADING Role privilege will be assigned to the group after RBAC is enabled. Similarly, if a group has DATAMANAGEMENT (Can manage data) access, the following Role privileges will be assigned to the group:

  • Can manage custom calendars (CAN_MANAGE_CUSTOM_CALENDAR)

  • Can create/edit Connections (CAN_CREATE_OR_EDIT_CONNECTIONS)

  • Can manage data models (CAN_MANAGE_WORKSHEET_VIEWS_TABLES)

For granular access, you can create a Role with required privileges and assign it to groups.
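
Because RBAC cannot be disabled once enabled, it helps to preview what the automatic migration will grant each group and where a narrower Role would do. The following sketch is an added example, not ThoughtSpot code: it encodes only the two mappings described above, and the group names, the NEEDED sets, and SOME_OTHER_PRIVILEGE are constructed placeholders.

```python
# Added example: preview what RBAC migration grants each group.
# Only the two mappings this page documents are encoded; any other legacy
# privilege is reported as unmapped instead of guessed.
MIGRATION = {
    "DATADOWNLOADING": {"DATADOWNLOADING"},
    "DATAMANAGEMENT": {
        "CAN_MANAGE_CUSTOM_CALENDAR",
        "CAN_CREATE_OR_EDIT_CONNECTIONS",
        "CAN_MANAGE_WORKSHEET_VIEWS_TABLES",
    },
}
# Legacy group privileges (constructed; SOME_OTHER_PRIVILEGE is a placeholder).
LEGACY_GROUPS = {
    "finance": {"DATADOWNLOADING"},
    "calendar-owners": {"DATAMANAGEMENT"},
    "data-eng": {"DATAMANAGEMENT", "DATADOWNLOADING", "SOME_OTHER_PRIVILEGE"},
}
# What each group actually needs (hypothetical outcome of an access review).
NEEDED = {
    "finance": {"DATADOWNLOADING"},
    "calendar-owners": {"CAN_MANAGE_CUSTOM_CALENDAR"},
    "data-eng": {"CAN_CREATE_OR_EDIT_CONNECTIONS",
                 "CAN_MANAGE_WORKSHEET_VIEWS_TABLES"},
}


def migrate(legacy):
    """Expand legacy group privileges into Role privileges."""
    migrated, unmapped = set(), set()
    for priv in legacy:
        if priv in MIGRATION:
            migrated |= MIGRATION[priv]
        else:
            unmapped.add(priv)
    return migrated, unmapped


def plan(group):
    """Compare the migrated privileges with what the group needs."""
    migrated, unmapped = migrate(LEGACY_GROUPS[group])
    needed = NEEDED.get(group, set())
    return {
        "migrated": sorted(migrated),
        "excess": sorted(migrated - needed),   # candidates to drop via a granular Role
        "missing": sorted(needed - migrated),  # must be granted separately
        "unmapped": sorted(unmapped),          # verify against the product docs
    }


if __name__ == "__main__":
    for name in sorted(LEGACY_GROUPS):
        print(name, plan(name))
```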