User access to non-embedded content

If you have embedded ThoughtSpot content in your app, you may want to control how users access the ThoughtSpot cluster outside that embedded context. The following sections describe how.

Control access to non-embedded content

If you have embedded ThoughtSpot using Visual Embed SDK v1.22.0 or later, the blockNonEmbedFullAppAccess property in the SDK is set to true by default. Due to this, your application users cannot access or navigate to the ThoughtSpot application experience outside the context of your app.

If you are not using Visual Embed SDK to embed ThoughtSpot, you can turn on the Block non-embed full app access feature on the Develop > Customizations > Security Settings page. This will restrict your users from opening non-embedded ThoughtSpot pages from their embedded app context. Note that this feature does not restrict ThoughtSpot users with administrator or developer privileges from accessing ThoughtSpot pages.
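The following is an added example of how a host application passes the blockNonEmbedFullAppAccess property to the Visual Embed SDK; it is not code from the ThoughtSpot documentation. The host URL and the trusted-authentication callback are placeholders you would replace with your own, and on SDK v1.22.0 or later the property is already true when omitted, so setting it explicitly only makes the intended restriction visible in your configuration.

```javascript
import { init, AuthType, LiveboardEmbed } from '@thoughtspot/visual-embed-sdk';

// Host-app embed configuration (added example; values are placeholders).
init({
  thoughtSpotHost: 'https://your-thoughtspot-host.example', // placeholder
  authType: AuthType.TrustedAuthToken,
  username: 'embed-user',                                   // placeholder
  getAuthToken: () => fetchTokenFromYourBackend(),          // placeholder callback
  // Default is true on SDK v1.22.0+; a weaker configuration would set this
  // to false and let users navigate to the full ThoughtSpot app from the
  // embedded page. Keep it true unless you have granted selective access
  // to specific groups in Develop > Customizations > Security Settings.
  blockNonEmbedFullAppAccess: true,
});

// Embed a Liveboard as usual; the restriction applies to the embedded session.
const embed = new LiveboardEmbed('#ts-container', {
  liveboardId: '<liveboard-guid-placeholder>',
});
embed.render();
```

If you also turn on Block non-embed full app access in Security Settings, remember that selective user access granted there to a group takes precedence over this SDK flag, as described below for that feature.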

Selectively assign access (Early Access)

With the current implementation, if you have embedded ThoughtSpot content in your app, users can access only the ThoughtSpot pages embedded within the context of your host app. Giving some users the ability to access the ThoughtSpot cluster directly would require granting each of them the administrator or developer privilege, which is not recommended.

There are cases where you want to give your internal users access to the embedded content through the ThoughtSpot URL (not through the embedded app) without granting them administrator or developer privileges, which would pose a security risk. If a malicious user wants to access embedded content via the ThoughtSpot cluster (the non-embedded route), they can look up the iframe URL in the browser's network tab and open the content directly.

With selective user access, you can allow internal users to securely access non-embedded content without giving them the administrator or developer privilege.

Selective user access is granted only at the group level, not to individual users. Users with administrator or developer privilege can create one or more groups of users who require access to non-embedded content. Any user can be added to or removed from such groups as required, at any point in time. The underlying group management functionality remains unchanged and can be modified via the Admin page.

Once the group is created, complete the following steps:

  1. On your ThoughtSpot application instance, go to Develop > Customizations > Security settings.

  2. Click Edit, then Block non-embed full app access.

  3. Set Block non-embed full app access to true. It is false by default.

  4. Click Advanced Settings.

  5. Select the groups you want to allow access to ThoughtSpot pages through both the ThoughtSpot Cluster URL and the embedded context of your host app.

  6. Click Save.

  7. Click Save Changes.

Currently, there is no support for selective user access through the APIs.

Note

Users granted this access via a group will be able to access the ThoughtSpot cluster even when blockNonEmbedFullAppAccess is set to true in the SDK, just like users with administrator or developer privilege. The selective user access granted through the Security Settings overrides the blockNonEmbedFullAppAccess SDK flag.

Selective user access for Org-enabled clusters

If you have Orgs enabled on your ThoughtSpot cluster, ensure you are signed in to the intended Org. Also, an administrator or developer must create groups of ThoughtSpot embedded users requiring access to the non-embedded content. Once these prerequisites are verified, you can proceed with granting the access to the user group.

While Block non-embed full app access can be turned on for All Orgs, Advanced Settings cannot be enabled at the All Orgs level; it is only visible inside the respective Orgs. If Block non-embed full app access is turned on in All Orgs, it applies to all current Orgs as well as to newly created Orgs. However, if this setting is toggled for a specific Org, the Org-specific setting supersedes the Block non-embed full app access setting in All Orgs.