Role-based access control

Role-based access control

ThoughtSpot administrators can assign granular privileges to users with Role-Based Access Control (RBAC).

Important

The RBAC feature is turned off by default. To enable this feature on your cluster, contact ThoughtSpot Support. Note that once you enable RBAC, it cannot be disabled.

Roles and privilegesπŸ”—

A Role is a collection of privileges that determines users' access to ThoughtSpot objects and workflows. Roles can be high-level, like Super Admin, or specific based on your organization’s structure and requirements.

When the RBAC feature is enabled on your instance, administrators can grant granular privileges and thus implement fine-grained access control to ThoughtSpot features, objects, and metadata.

For example, on ThoughtSpot instances with no RBAC, members of the groups with administration privileges can view and administer users, groups, and roles. With RBAC, you can assign granular privileges and restrict application-wide access only to super admin users.

ThoughtSpot privilege (without RBAC)ThoughtSpot RBAC Roles

Can administer ThoughtSpot

This privilege grants administration permissions to manage users and groups on instances that do not have the RBAC feature enabled.

RBAC allows multiple Roles with granular privileges for administration control:

  • User administration: Can manage Users

  • Group administration: Can manage Groups

  • Role administrator: Can manage Roles

  • Org administration: Can manage Orgs

  • Authentication administration: Can manage Authentication

  • Application administration: Can manage Application settings

For a complete list of Roles and privileges, see Role categories and privileges.

Role assignmentπŸ”—

Administrators can create a Role with a specific set of privileges and assign this Role to a group via UI or REST API calls. Users inherit Role privileges from the groups to which they are assigned. To assign a Role to a user, administrators must assign the Role to a group and ensure that the intended users are added to this group.

The following figure illustrates the Role and Group assignment in ThoughtSpot:

Roles
Note

Roles are unique to an Org and can be created only within the context of an Org.

Role categories and privilegesπŸ”—

The RBAC feature groups access privileges under specific categories for granular access control and ease of use. You can create a role with a specific privilege from any role category and assign it to a group.

Important

All ThoughtSpot instances include a Super Admin role with ADMINISTRATION privilege by default. The Super admin user can access and modify users, Groups, and Roles, and has all other privileges. If the Orgs feature is enabled on your instance, the Super admin user can create and manage Orgs and configure multi-tenancy. The Super admin role cannot be assigned, modified, or deleted.

Admin controlπŸ”—

Includes Role privileges that allow administrative access to create and manage ThoughtSpot objects such as users, groups, and Roles.

Role typePrivilegeDescription

Org administration

API: ORG_ADMINISTRATION
UI: Can manage orgs

Applicable to ThoughtSpot instances with Orgs. Users with ORG_ADMINISTRATION privilege can create, edit, and delete Orgs.

User administration

API: USER_ADMINISTRATION
UI: Can manage users

Allows users to create, edit, and manage users via UI or REST API calls. On clusters with Orgs enabled, this Role allows users to perform CRUD operations only within their Org context. It does not grant access to manage users in the All Orgs context.

Group administration

API: GROUP_ADMINISTRATION
UI: Can manage groups

Allows users to create, edit, and manage groups via UI or REST API calls.

Role administration

API: ROLE_ADMINISTRATION
UI: Can manage roles

Allows users to create, edit, and manage Roles vis UI or REST API calls.

Authentication administration

API: AUTHENTICATION_ADMINISTRATION
UI: Can manage authentication

Allows users to manage authentication and authorization process for ThoughtSpot users.

Application administration

API: APPLICATION_ADMINISTRATION
UI: Can manage application settings

Provides access to manage cluster-wide application settings, activation and de-activation of features on an instance.

System monitoring

API: SYSTEM_INFO_ADMINISTRATION
UI: Can view system activities

Allows users to manage system activities.

Billing administration

API: BILLING_INFO_ADMINISTRATION
UI: Can view billing information

Allows view access to billing information.

Trusted authentication control

API: CONTROL_TRUSTED_AUTH
UI: Can enable or disable trusted authentication

Allows users with super admin (ADMINISTRATION) or DEVELOPER privilege to enable or disable Trusted authentication for applications embedding ThoughtSpot content.

Tag administration

API: TAGMANAGEMENT
UI: Can manage tags

Allows users to create and edit tags.

Application controlπŸ”—

The application control privileges include the following:

Role typePrivilegeDescription

SpotIQ access

API: A3ANALYSIS
UI: Has SpotIQ privilege

Allows access to the SpotIQ feature in ThoughtSpot.

Developer

API: DEVELOPER
UI: Has developer privilege

Allows users to access the following features and workflows:

  • Access Develop page and Playground

  • Embed a ThoughtSpot application page, object, or full experience in an external application

  • Customize styles for embedded content

  • Add custom actions to the embedded objects such as Liveboard and visualizations

  • View and manage security settings for ThoughtSpot embedding.

Liveboard job administration

API: JOBSCHEDULING
UI: Can schedule for others

Allows users to schedule, edit, and delete Liveboard jobs.

ThoughtSpot Sync

API: SYNCMANAGEMENT
UI: Can manage sync settings

Allows setting up secure pipelines to external business apps and sync data using ThoughtSpot Sync.

ThoughtSpot Sage

API: PREVIEW_THOUGHTSPOT_SAGE
UI: Can use sage

Allows access to ThoughtSpot Sage features such as AI-assisted search and AI-generated answers.

Catalog management

API: CAN_CREATE_CATALOG
UI: Can manage catalog

Allows users to create, edit, and manage a data connection to Alation, and import metadata.

R Analysis

API: RANALYSIS
UI: Can invoke custom R analysis

Allows invoking R scripts to explore search answers and share custom scripts.

Liveboard verification

API: LIVEBOARD_VERIFIER
UI: Can verify Liveboards

Allows Liveboard users to verify Liveboard access requests and mark a Liveboard as verified.

Version control with Git

API: CAN_MANAGE_VERSION_CONTROL
UI: Can toggle version control for objects

Allows users to connect Git branches to ThoughtSpot for version control.

Object access controlπŸ”—

The SHAREWITHALL (Can share with all users) Role privilege allows users to share objects with all the users and groups in ThoughtSpot.

Data controlπŸ”—

The application control privileges include the following:

Role typePrivilegeDescription

Data upload

API: USERDATAUPLOADING
UI: Can upload user data

Allows users to upload data to ThoughtSpot.

Row-level-security (RLS) bypass

API: BYPASSRLS
UI: Can administer and bypass RLS

Allows access to the following operations:

  • Create, edit, or delete existing RLS rules

  • Enable or disable Bypass RLS on a worksheet For more information, see Row-level security.

Custom calendars

API: CAN_MANAGE_CUSTOM_CALENDAR
UI: Can manage custom calendars

Allows creating, editing, and deleting custom Calendars.

Data Connection

API: CAN_CREATE_OR_EDIT_CONNECTIONS
UI: Can create/edit Connections

Allows creating, editing, and managing connections to external data warehouses.

Data objects

API: CAN_MANAGE_WORKSHEET_VIEWS_TABLES
UI: Can manage data models

Allows users to create, edit, delete, and manage Worksheets, Models, Tables, and Views.

Data download controlπŸ”—

The DATADOWNLOADING (Can download Data) Role privilege allows users to download data from objects such as Liveboards and Answers.

How to create and assign RolesπŸ”—

You can create and assign Roles to a group on the Admin page of the UI or by using the REST API v1 and v2 endpoints.

REST API v1 endpoints for Role administration and assignmentπŸ”—

Operation typeAPI endpoints

CRUD operations

To create, edit, and manage Role objects, use the following endpoints:

Role assignment to groups

Object query

To get the details of Roles assigned to a group object, use the following API endpoint: * GET /tspublic/v1/group/
Note that the API response shows the assigned Roles and privileges in the assignedRoles and granularPrivilges arrays.

REST API v2 endpoints for Role administration and assignmentπŸ”—

Operation typeDescription

CRUD operations

Role assignment to groups

To assign a Role to a group object, use one of the following endpoints:

Object query

  • POST /api/rest/2.0/roles/search
    To get Roles assigned to specific groups, specify the name or GUID of the Role in the group_identifiers attribute.
    Similarly, to search for Roles configured in an Org, specify the name or the GUID of the Org in the org_identifiers attribute.

  • POST /api/rest/2.0/groups/search
    To filter group objects assigned to a particular Role, specify the name or GUID of the Role in the role_identifiers attribute.

  • POST /api/rest/2.0/users/search
    To get user objects that have a particular Role assigned, specify the name or GUID of the Role in the role_identifiers attribute.

Migrating to RBACπŸ”—

The Role privileges function in the same way as group privileges. When RBAC is enabled, the corresponding group privileges are automatically migrated to Role privileges. For example, if a group has DATADOWNLOADING access, the DATADOWNLOADING Role privilege will be assigned to the group after RBAC is enabled. Similarly, if a group has DATAMANAGEMENT (Can manage data) access, the following Role privileges will be assigned to the group:

  • Can manage custom calendars (CAN_MANAGE_CUSTOM_CALENDAR)

  • Can create/edit Connections (CAN_CREATE_OR_EDIT_CONNECTIONS)

  • Can manage data models (CAN_MANAGE_WORKSHEET_VIEWS_TABLES)

For granular access, you can create a Role with required privileges and assign it to groups.