Role-based access control

With Role-Based Access Control (RBAC) Beta, ThoughtSpot administrators can assign and manage granular privileges to users.

Important

The RBAC feature is in beta and is turned off by default. To enable this feature on your cluster, contact ThoughtSpot Support. Note that once you enable RBAC, it cannot be disabled.

Roles and privileges

A Role is a collection of privileges that determines users' access to ThoughtSpot objects and workflows. Roles can be high-level, like Super Admin, or specific based on your organization’s structure and requirements.

When the RBAC feature is enabled on your instance, administrators can grant granular privileges and thus implement fine-grained access control to ThoughtSpot features, objects, and metadata.

For example, on ThoughtSpot instances with no RBAC, members of the groups with administration privileges can view and administer users, groups, and roles. With RBAC, you can assign granular privileges and restrict application-wide access only to super admin users.

ThoughtSpot privilege (without RBAC): Can administer ThoughtSpot

This privilege grants administration permissions to manage users and groups on instances that do not have the RBAC feature enabled.

ThoughtSpot RBAC Roles

RBAC allows multiple roles with granular privileges for administration control:

  • User administrator role with Can manage Users privilege

  • Group administrator role with Can manage Groups privilege

  • Role administrator role with Can manage Roles privilege

  • Org administrator role with Can manage Orgs privilege

  • Authentication administrator role with Can manage Authentication* privilege

  • Application administration role with Can manage Application settings* privilege

For a complete list of Roles and privileges, see Role categories and privileges.

Role assignment

Administrators can create a Role with a specific set of privileges and assign this Role to a group via UI or REST API calls. Users inherit Role privileges from the groups to which they are assigned. To assign a Role to a user, administrators must assign the Role to a group and ensure that the intended users are added to this group.

The following figure illustrates the Role and Group assignment in ThoughtSpot:

Note

Roles are unique to an Org and can be created only within the context of an Org.
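The assignment chain described above (privileges belong to Roles, Roles are assigned to groups, users inherit through group membership) as an added example that is not ThoughtSpot's own code. The privilege names are taken from this page; the Role, group and user names are constructed sample data, and the resolver shows why a user outside every group ends up with no Role privileges.

```python
from typing import Dict, Set

# Privileges an access reviewer would track closely (names from this page).
SENSITIVE = {"BYPASSRLS", "SHAREWITHALL", "AUTHENTICATION_ADMINISTRATION",
             "APPLICATION_ADMINISTRATION"}

# Role -> privileges it carries (constructed sample data).
ROLES: Dict[str, Set[str]] = {
    "User administrator": {"USER_ADMINISTRATION"},
    "Group administrator": {"GROUP_ADMINISTRATION"},
    "Data steward": {"DATAMANAGEMENT", "USERDATAUPLOADING"},
    "RLS admin": {"DATAMANAGEMENT", "BYPASSRLS"},
}
# Group -> Roles assigned to it (constructed). Roles attach to groups only.
GROUP_ROLES: Dict[str, Set[str]] = {
    "it-helpdesk": {"User administrator", "Group administrator"},
    "analysts": {"Data steward"},
    "security-eng": {"RLS admin"},
}
# User -> groups the user belongs to (constructed).
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"it-helpdesk"},
    "bob": {"analysts", "security-eng"},
    "carol": set(),
}

def effective_privileges(user: str) -> Set[str]:
    """Union of the privileges of every Role on every group the user is in.
    A user in no group inherits nothing, which is why a Role reaches a user
    only once the user is added to a group that carries it."""
    privs: Set[str] = set()
    for group in USER_GROUPS.get(user, set()):
        for role in GROUP_ROLES.get(group, set()):
            privs |= ROLES.get(role, set())
    return privs

def sensitive_holders() -> Dict[str, Set[str]]:
    """Which users end up with a SENSITIVE privilege and through which
    privileges; worth running after creating or re-assigning a Role."""
    report: Dict[str, Set[str]] = {}
    for user in USER_GROUPS:
        hit = effective_privileges(user) & SENSITIVE
        if hit:
            report[user] = hit
    return report

if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, sorted(effective_privileges(user)))
    print("sensitive:", sensitive_holders())
```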

Role categories and privileges

The RBAC feature groups access privileges under specific categories for granular access control and ease of use. You can create a role with a specific privilege from any role category and assign it to a group.

Important

All ThoughtSpot instances include a Super Admin role with ADMINISTRATION privilege by default. The Super admin user can access and modify users, Groups, and Roles, and has all other privileges. If the Orgs feature is enabled on your instance, the Super admin user can create and manage Orgs and configure multi-tenancy. The Super admin role cannot be assigned, modified, or deleted.

Admin control

Includes Role privileges that allow administrative access to create and manage ThoughtSpot objects such as users, groups, and Roles.

Role type / Privilege / Description

Role administration

ROLE_ADMINISTRATION (Can manage Roles)

Allows administrators to create, edit, and manage Roles via UI or REST API calls.

User administration

USER_ADMINISTRATION (Can manage users)

Allows administrators to create, edit, and manage users via UI or REST API calls.

Group administration

GROUP_ADMINISTRATION (Can manage Groups)

Allows administrators to create, edit, and manage groups via UI or REST API calls.

Org administration

ORG_ADMINISTRATION (Can manage Orgs)

Applicable to ThoughtSpot instances with Orgs. Users with ORG_ADMINISTRATION privilege can create and manage metadata objects, groups, and users in their respective Orgs.

Authentication administration

AUTHENTICATION_ADMINISTRATION (Can manage Authentication)

Allows administrators to manage authentication and authorization process for ThoughtSpot users.

Application administration

APPLICATION_ADMINISTRATION (Can manage Application settings)

Provides access to manage cluster-wide application settings, feature activation and de-activation on an instance.

System monitoring

SYSTEM_INFO_ADMINISTRATION (Can view System activities)

Allows administrators to manage system activities.

Billing administration

BILLING_INFO_ADMINISTRATION (Can view Billing Information)

Allows view access to billing information.

Trusted authentication control

CONTROL_TRUSTED_AUTH (Can Enable or Disable Trusted Authentication)

Allows users with super admin (ADMINISTRATION) or DEVELOPER privilege to enable or disable Trusted authentication for applications embedding ThoughtSpot content. This privilege is applicable only to instances that have an embedding license.

Tag administration

TAGMANAGEMENT (Can manage tags)

Allows administrators to create and edit tags.

Application control

The application control privileges include the following:

Role type / Privilege / Description

SpotIQ access

A3ANALYSIS (Has SpotIQ privilege)

Allows access to the SpotIQ feature in ThoughtSpot.

Developer

DEVELOPER (Has developer privilege)

Allows users to access the following features and workflows:

  • Access Developer portal and Playground

  • Embed full ThoughtSpot application, page, or individual objects in an external application

  • Customize styles for embedded content

  • Add custom actions to the embedded objects such as Liveboard and visualizations

  • View and manage security settings for ThoughtSpot embedding.

Liveboard job administration

JOBSCHEDULING (Can schedule for others)

Allows users to schedule, edit, and delete Liveboard jobs.

ThoughtSpot Sync

SYNCMANAGEMENT (Can Manage Sync settings)

Allows setting up secure pipelines to external business apps and syncing data using ThoughtSpot Sync.

Catalog management

CAN_CREATE_CATALOG (Can manage catalogue)

Allows users to create, edit, and manage a data connection to Alation, and import metadata.

R Analysis

RANALYSIS (Can invoke Custom R Analysis)

Allows invoking R scripts to explore search answers and share custom scripts.

ThoughtSpot Sage

PREVIEW_THOUGHTSPOT_SAGE (Can preview ThoughtSpot Sage)

Allows access to ThoughtSpot Sage features such as AI-assisted search and AI-generated answers.

Liveboard verification

LIVEBOARD_VERIFIER (Can verify Liveboard)

Allows Liveboard users to verify Liveboard access requests and mark a Liveboard as verified.

Data access control

The data access control privileges include the following:

Role type / Privilege / Description

Data management

DATAMANAGEMENT (Can manage data)

Allows users to create worksheets and views. To edit a worksheet or view created and shared by another user, the user must have edit permission to modify the object.

Data upload

USERDATAUPLOADING (Can upload user data)

Allows users to upload data to ThoughtSpot.

Row-level-security (RLS) bypass

BYPASSRLS (Can administer and bypass RLS)

Allows access to the following operations:

  • Create, edit, or delete existing RLS rules

  • Enable or disable Bypass RLS on a worksheet

Object sharing

The SHAREWITHALL (Can share with all users) Role privilege allows users to share objects with all the users and groups in ThoughtSpot.

Data download access

The DATADOWNLOADING (Can download Data) Role privilege allows users to download data from objects such as Liveboards and Answers.

How to create and assign Roles

You can create and assign Roles to a group on the Admin page of the UI or by using the REST API v1 and v2 endpoints.

REST API v1 endpoints for Role administration and assignment

Operation type / API endpoints

CRUD operations

To create, edit, and manage Role objects, use the following endpoints:

Role assignment to groups

Object query

To get the details of Roles assigned to a group object, use the following API endpoint:

  • GET /tspublic/v1/group/

Note that the API response shows the assigned Roles and privileges in the assignedRoles and granularPrivilges arrays.

REST API v2 endpoints for Role administration and assignment

Operation type / Description

CRUD operations

Role assignment to groups

To assign a Role to a group object, use one of the following endpoints:

Object query

  • POST /api/rest/2.0/roles/search
    To get Roles assigned to specific groups, specify the name or GUID of the Role in the group_identifiers attribute.
    Similarly, to search for Roles configured in an Org, specify the name or the GUID of the Org in the org_identifiers attribute.

  • POST /api/rest/2.0/groups/search
    To filter group objects associated to a particular Role, specify the name or GUID of the Role in the role_identifiers attribute.

  • POST /api/rest/2.0/users/search
    To get user objects that have a particular Role assigned, specify the name or GUID of the Role in the role_identifiers attribute.
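The v2 search queries listed above, used as an access review, as an added example that is not ThoughtSpot's own code. The endpoint paths and the group_identifiers and role_identifiers attributes are from this page; the host, the bearer-token header and the "name" field in the responses are assumptions, and the sample responses are constructed so the example runs offline through an injected post callable.

```python
import json
from typing import Callable, Dict, List
from urllib.request import Request

BASE = "https://thoughtspot.example.invalid"  # placeholder host (assumption)
Post = Callable[[str, dict], list]  # path, JSON body -> list of result objects

def build_request(path: str, body: dict, token: str) -> Request:
    """Build the POST a caller would send to a v2 search endpoint."""
    return Request(BASE + path, data=json.dumps(body).encode(), method="POST",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json",
                            "Accept": "application/json"})

def roles_of_group(post: Post, group: str) -> List[str]:
    """Roles assigned to a group: roles/search filtered by group_identifiers."""
    rows = post("/api/rest/2.0/roles/search", {"group_identifiers": [group]})
    return sorted(r["name"] for r in rows)  # "name" field is an assumption

def users_with_role(post: Post, role: str) -> List[str]:
    """Users holding a Role: users/search filtered by role_identifiers."""
    rows = post("/api/rest/2.0/users/search", {"role_identifiers": [role]})
    return sorted(u["name"] for u in rows)

def review(post: Post, groups: List[str]) -> Dict[str, List[str]]:
    """For every Role reachable from the given groups, list the users that
    hold it, so reviewers can compare against the intended membership."""
    report: Dict[str, List[str]] = {}
    for group in groups:
        for role in roles_of_group(post, group):
            report.setdefault(role, users_with_role(post, role))
    return report

# Constructed responses standing in for the live API; the real response
# shape may differ, only the request attributes above come from this page.
FAKE = {
    ("/api/rest/2.0/roles/search", "security-eng"): [{"name": "RLS admin"}],
    ("/api/rest/2.0/roles/search", "analysts"): [{"name": "Data steward"}],
    ("/api/rest/2.0/users/search", "RLS admin"): [{"name": "bob"}],
    ("/api/rest/2.0/users/search", "Data steward"): [{"name": "dana"},
                                                    {"name": "bob"}],
}

def fake_post(path: str, body: dict) -> list:
    """Offline stand-in for an HTTP POST; keys on the single identifier."""
    identifier = next(iter(body.values()))[0]
    return FAKE.get((path, identifier), [])

if __name__ == "__main__":
    print(review(fake_post, ["security-eng", "analysts"]))
```

To run it against a live cluster, replace fake_post with a function that sends build_request(path, body, token) and returns the decoded JSON list.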

Migrating to RBAC

The Role privileges function in the same way as group privileges. When RBAC is enabled, the corresponding group privileges are automatically migrated to Role privileges. For example, a group with DATAMANAGEMENT privilege will be assigned DATAMANAGEMENT (Can manage data) Role privilege. For granular access, you can create a Role with required privileges and assign it to groups.