Role-based access control

Table of Contents

Roles and privileges
Role assignment
Role categories and privileges
How to create and assign Roles
- REST API v1 endpoints for Role administration and assignment
- REST API v2 endpoints for Role administration and assignment
Migrating to RBAC

ThoughtSpot administrators can assign granular privileges to users with Role-Based Access Control (RBAC).

Important

The RBAC feature is turned off by default. To enable this feature on your cluster, contact ThoughtSpot Support. Note that once you enable RBAC, it cannot be disabled.

Roles and privileges🔗

A Role is a collection of privileges that determines users' access to ThoughtSpot objects and workflows. Roles can be high-level, like Super Admin, or specific based on your organization’s structure and requirements.

When the RBAC feature is enabled on your instance, administrators can grant granular privileges and thus implement fine-grained access control to ThoughtSpot features, objects, and metadata.

For example, on ThoughtSpot instances with no RBAC, members of the groups with administration privileges can view and administer users, groups, and roles. With RBAC, you can assign granular privileges and restrict application-wide access only to super admin users.

ThoughtSpot privilege (without RBAC)	ThoughtSpot RBAC Roles
Can administer ThoughtSpot This privilege grants administration permissions to manage users and groups on instances that do not have the RBAC feature enabled.	RBAC allows multiple Roles with granular privileges for administration control: User administration: Can manage Users Group administration: Can manage Groups Role administrator: Can manage Roles Org administration: Can manage Orgs Authentication administration: Can manage Authentication Application administration: Can manage Application settings For a complete list of Roles and privileges, see Role categories and privileges.

ThoughtSpot privilege (without RBAC)

ThoughtSpot RBAC Roles

Can administer ThoughtSpot

This privilege grants administration permissions to manage users and groups on instances that do not have the RBAC feature enabled.

RBAC allows multiple Roles with granular privileges for administration control:

User administration: Can manage Users
Group administration: Can manage Groups
Role administrator: Can manage Roles
Org administration: Can manage Orgs
Authentication administration: Can manage Authentication
Application administration: Can manage Application settings

For a complete list of Roles and privileges, see Role categories and privileges.

Role assignment🔗

Administrators can create a Role with a specific set of privileges and assign this Role to a group via UI or REST API calls. Users inherit Role privileges from the groups to which they are assigned. To assign a Role to a user, administrators must assign the Role to a group and ensure that the intended users are added to this group.

The following figure illustrates the Role and Group assignment in ThoughtSpot:

Note	Roles are unique to an Org and can be created only within the context of an Org.

Role categories and privileges🔗

The RBAC feature groups access privileges under specific categories for granular access control and ease of use. You can create a role with a specific privilege from any role category and assign it to a group.

Important

All ThoughtSpot instances include a Super Admin role with ADMINISTRATION privilege by default. The Super admin user can access and modify users, Groups, and Roles, and has all other privileges. If the Orgs feature is enabled on your instance, the Super admin user can create and manage Orgs and configure multi-tenancy. The Super admin role cannot be assigned, modified, or deleted.

Admin control🔗

Includes Role privileges that allow administrative access to create and manage ThoughtSpot objects such as users, groups, and Roles.

Role type Privilege Description

Org administration

API: ORG_ADMINISTRATION
UI: Can manage orgs

Applicable to ThoughtSpot instances with Orgs. Users with ORG_ADMINISTRATION privilege can create, edit, and delete Orgs.

User administration

API: USER_ADMINISTRATION
UI: Can manage users

Allows users to create, edit, and manage users via UI or REST API calls. On clusters with Orgs enabled, this Role allows users to perform CRUD operations only within their Org context. It does not grant access to manage users in the All Orgs context.

Group administration

API: GROUP_ADMINISTRATION
UI: Can manage groups

Allows users to create, edit, and manage groups via UI or REST API calls.

Role administration

API: ROLE_ADMINISTRATION
UI: Can manage roles

Allows users to create, edit, and manage Roles vis UI or REST API calls.

Authentication administration

API: AUTHENTICATION_ADMINISTRATION
UI: Can manage authentication

Allows users to manage authentication and authorization process for ThoughtSpot users.

Application administration

API: APPLICATION_ADMINISTRATION
UI: Can manage application settings

Provides access to manage cluster-wide application settings, activation and de-activation of features on an instance.

System monitoring

API: SYSTEM_INFO_ADMINISTRATION
UI: Can view system activities

Allows users to manage system activities.

Billing administration

API: BILLING_INFO_ADMINISTRATION
UI: Can view billing information

Allows view access to billing information.

Trusted authentication control

API: CONTROL_TRUSTED_AUTH
UI: Can enable or disable trusted authentication

Allows users with super admin (ADMINISTRATION) or DEVELOPER privilege to enable or disable Trusted authentication for applications embedding ThoughtSpot content.

Tag administration

API: TAGMANAGEMENT
UI: Can manage tags

Allows users to create and edit tags.

Version control with Git

API: CAN_SETUP_VERSION_CONTROL
UI: Can set up version control

Allows users to enable version control for a ThoughtSpot instance or Org.

Analyst studio

API: CAN_MANAGE_ANALYST_STUDIO
UI: Can manage Analyst Studio

Allows users to manage Analyst Studio for ThoughtSpot users.

Note	The Analyst Studio option is not available in the ThoughtSpot embedded application.

Application control🔗

The application control privileges include the following:

Role type Privilege Description

SpotIQ access

API: A3ANALYSIS
UI: Has SpotIQ privilege

Allows access to the SpotIQ feature in ThoughtSpot.

Developer

API: DEVELOPER
UI: Has developer privilege

Allows users to access the following features and workflows:

Access Develop page and Playground
Embed a ThoughtSpot application page, object, or full experience in an external application
Customize styles for embedded content
Add custom actions to the embedded objects such as Liveboard and visualizations
View and manage security settings for ThoughtSpot embedding.

Liveboard job administration

API: JOBSCHEDULING
UI: Can schedule for others

Allows users to schedule, edit, and delete Liveboard jobs.

ThoughtSpot Sync

API: SYNCMANAGEMENT
UI: Can manage sync settings

Allows setting up secure pipelines to external business apps and sync data using ThoughtSpot Sync.

ThoughtSpot Sage

API: PREVIEW_THOUGHTSPOT_SAGE
UI: Can use sage

Allows access to ThoughtSpot Sage features such as AI-assisted search and AI-generated answers.

Catalog management

API: CAN_CREATE_CATALOG
UI: Can manage catalog

Allows users to create, edit, and manage a data connection to Alation, and import metadata.

R Analysis

API: RANALYSIS
UI: Can invoke custom R analysis

Allows invoking R scripts to explore search answers and share custom scripts.

Liveboard verification

API: LIVEBOARD_VERIFIER
UI: Can verify Liveboards

Allows Liveboard users to verify Liveboard access requests and mark a Liveboard as verified.

Version control with Git

API: CAN_MANAGE_VERSION_CONTROL
UI: Can toggle version control for objects

Allows users to enable version control on a Liveboard or Answer.

Analyst studio

API: CAN_ACCESS_ANALYST_STUDIO
UI: Can use Analyst Studio

Allows access to Analyst Studio features.

Note	The Analyst Studio option is not available in the ThoughtSpot embedded application.

Object access control🔗

The SHAREWITHALL (Can share with all users) Role privilege allows users to share objects with all the users and groups in ThoughtSpot.

Data control🔗

The application control privileges include the following:

Role type Privilege Description

Role type	Privilege	Description
Data upload	API: `USERDATAUPLOADING` UI: Can upload user data	Allows users to upload data to ThoughtSpot.
Row-level-security (RLS) bypass	API: `BYPASSRLS` UI: Can administer and bypass RLS	Allows access to the following operations: Create, edit, or delete existing RLS rules Enable or disable Bypass RLS on a worksheet For more information, see Row-level security.
Custom calendars	API: `CAN_MANAGE_CUSTOM_CALENDAR` UI: Can manage custom calendars	Allows creating, editing, and deleting custom Calendars.
Data Connection	API: `CAN_CREATE_OR_EDIT_CONNECTIONS` UI: Can create/edit Connections	Allows creating, editing, and managing connections to external data warehouses.
Data objects	API: `CAN_MANAGE_WORKSHEET_VIEWS_TABLES` UI: Can manage data models	Allows users to create, edit, delete, and manage Worksheets, Models, Tables, and Views.

Data upload

API: USERDATAUPLOADING
UI: Can upload user data

Allows users to upload data to ThoughtSpot.

Row-level-security (RLS) bypass

API: BYPASSRLS
UI: Can administer and bypass RLS

Allows access to the following operations:

Create, edit, or delete existing RLS rules
Enable or disable Bypass RLS on a worksheet For more information, see Row-level security.

Custom calendars

API: CAN_MANAGE_CUSTOM_CALENDAR
UI: Can manage custom calendars

Allows creating, editing, and deleting custom Calendars.

Data Connection

API: CAN_CREATE_OR_EDIT_CONNECTIONS
UI: Can create/edit Connections

Allows creating, editing, and managing connections to external data warehouses.

Data objects

API: CAN_MANAGE_WORKSHEET_VIEWS_TABLES
UI: Can manage data models

Allows users to create, edit, delete, and manage Worksheets, Models, Tables, and Views.

Data download control🔗

The DATADOWNLOADING (Can download Data) Role privilege allows users to download data from objects such as Liveboards and Answers.

How to create and assign Roles🔗

You can create and assign Roles to a group on the Admin page of the UI or by using the REST API v1 and v2 endpoints.

REST API v1 endpoints for Role administration and assignment🔗

Operation type API endpoints

Operation type	API endpoints
CRUD operations	To create, edit, and manage Role objects, use the following endpoints: `POST /tspublic/v1/role` Create a Role `PUT /tspublic/v1/role/{role_identifier}` Edit properties of a Role object. `POST /tspublic/v1/role/search` Get a list of Role objects `DELETE /tspublic/v1/role/{role_identifier}` Delete a Role object
Role assignment to groups	`POST /tspublic/v1/group/addrole` Allows group administrators to assign a specific Role to a group `/tspublic/v1/group/` Allows group administrators to assign one or several Roles to a group `POST /tspublic/v1/group/removerole` Removes the Roles assigned to a group `PUT /tspublic/v1/group/{groupid}` Edit Role associations of a group object
Object query	To get the details of Roles assigned to a group object, use the following API endpoint: * `GET /tspublic/v1/group/` Note that the API response shows the assigned Roles and privileges in the `assignedRoles` and `granularPrivilges` arrays.

CRUD operations

To create, edit, and manage Role objects, use the following endpoints:

POST /tspublic/v1/role
Create a Role
PUT /tspublic/v1/role/{role_identifier}
Edit properties of a Role object.
POST /tspublic/v1/role/search
Get a list of Role objects
DELETE /tspublic/v1/role/{role_identifier}
Delete a Role object

Role assignment to groups

POST /tspublic/v1/group/addrole
Allows group administrators to assign a specific Role to a group
/tspublic/v1/group/
Allows group administrators to assign one or several Roles to a group
POST /tspublic/v1/group/removerole
Removes the Roles assigned to a group
PUT /tspublic/v1/group/{groupid}
Edit Role associations of a group object

Object query

To get the details of Roles assigned to a group object, use the following API endpoint: * GET /tspublic/v1/group/
Note that the API response shows the assigned Roles and privileges in the assignedRoles and granularPrivilges arrays.

REST API v2 endpoints for Role administration and assignment🔗

Operation type Description

Operation type	Description
CRUD operations	`POST /api/rest/2.0/roles/create` Create a Role. `POST /api/rest/2.0/roles/{role_identifier}/update` Edit the properties of a Role object. `POST /api/rest/2.0/roles/search` Get a list of Role objects `POST /api/rest/2.0/roles/{role_identifier}/delete` Delete a Role object
Role assignment to groups	To assign a Role to a group object, use one of the following endpoints: `POST /api/rest/2.0/groups/create` `POST /api/rest/2.0/groups/{group_identifier}/update`
Object query	`POST /api/rest/2.0/roles/search` To get Roles assigned to specific groups, specify the name or GUID of the Role in the `group_identifiers` attribute. Similarly, to search for Roles configured in an Org, specify the name or the GUID of the Org in the `org_identifiers` attribute. `POST /api/rest/2.0/groups/search` To filter group objects assigned to a particular Role, specify the name or GUID of the Role in the `role_identifiers` attribute. `POST /api/rest/2.0/users/search` To get user objects that have a particular Role assigned, specify the name or GUID of the Role in the `role_identifiers` attribute.

CRUD operations

POST /api/rest/2.0/roles/create
Create a Role.
POST /api/rest/2.0/roles/{role_identifier}/update
Edit the properties of a Role object.
POST /api/rest/2.0/roles/search
Get a list of Role objects
POST /api/rest/2.0/roles/{role_identifier}/delete
Delete a Role object

Role assignment to groups

To assign a Role to a group object, use one of the following endpoints:

Object query

POST /api/rest/2.0/roles/search
To get Roles assigned to specific groups, specify the name or GUID of the Role in the group_identifiers attribute.
Similarly, to search for Roles configured in an Org, specify the name or the GUID of the Org in the org_identifiers attribute.
POST /api/rest/2.0/groups/search
To filter group objects assigned to a particular Role, specify the name or GUID of the Role in the role_identifiers attribute.
POST /api/rest/2.0/users/search
To get user objects that have a particular Role assigned, specify the name or GUID of the Role in the role_identifiers attribute.

Migrating to RBAC🔗

The Role privileges function in the same way as group privileges. When RBAC is enabled, the corresponding group privileges are automatically migrated to Role privileges. For example, if a group has DATADOWNLOADING access, the DATADOWNLOADING Role privilege will be assigned to the group after RBAC is enabled. Similarly, if a group has DATAMANAGEMENT (Can manage data) access, the following Role privileges will be assigned to the group:

Can manage custom calendars (CAN_MANAGE_CUSTOM_CALENDAR)
Can create/edit Connections (CAN_CREATE_OR_EDIT_CONNECTIONS)
Can manage data models (CAN_MANAGE_WORKSHEET_VIEWS_TABLES)

For granular access, you can create a Role with required privileges and assign it to groups.