User access to non-embedded content

User access to non-embedded content

If you have embedded ThoughtSpot content in your app, you may want to control how users access the ThoughtSpot cluster. You can do so by:

Control access to non-embedded content🔗

You can turn on the Block non-embed full app access feature on the Develop > Customizations > Security Settings page. This will restrict your users from opening non-embedded ThoughtSpot pages from their embedded app context. Note that this feature does not restrict ThoughtSpot users with administrator or developer privileges from accessing ThoughtSpot pages.

Selectively assign access🔗

With selective user access, administrators can allow internal users to securely access non-embedded content without explicitly giving them the administrator or developer privilege.

Selective user access is granted only at the group level and not to individual users. Users with administrator or developer privilege can create a group(s) of users requiring access to non-embedded content. Any user can be added or removed to such groups as required, at any point in time. The underlying group management functionality remains unchanged, and can be modified via the Admin page.

Once the group is created complete the following steps:

  1. On your ThoughtSpot application instance, go to Develop > Customizations > Security settings.

  2. Click the Edit button > Block non-embed full app access.

  3. Enable the Block non-embed full app access to true. It is false by default.

    Block non-embed full app access

  4. Click Advanced Settings.

    Block non-embed full app access

  5. Select the groups you want to allow access to ThoughtSpot pages through both the ThoughtSpot Cluster URL and the embedded context of your host app.

  6. Click Save.

  7. Click Save Changes.

Note

Currently, there is no support for selective user access through the APIs.

Selective user access for Org-enabled clusters🔗

If you have Orgs enabled on your ThoughtSpot instance, ensure you are signed in to the intended Org. Also, an administrator or developer must create groups of ThoughtSpot embedded users requiring access to the non-embedded content. Once these prerequisites are verified, you can proceed with granting the access to the user group.

While Block non-embed full app access can be turned on for All Orgs, Advanced Settings cannot be enabled at the All Orgs level. It is only visible inside the respective Orgs. If Block non-embed full app access is turned on in All Orgs, it will be applied to all the current Orgs as well as to the newly created Orgs. However, if this behavior is toggled for a specific Org, the Org-specific behavior supersedes the Block non-embed full app access setting in All Orgs.

Control access to non-embedded content (pre-10.6.0.cl)🔗

For ThoughtSpot releases 10.5.0.cl or earlier, if you have embedded ThoughtSpot using Visual Embed SDK v1.22.0 or later, the blockNonEmbedFullAppAccess property in the SDK is set to true by default. Due to this, your application users cannot access or navigate to the ThoughtSpot application experience outside the context of your app.

You can turn on the selective user access feature by going to Admin > Early access features > Selective User Access and editing the status to Enabled. The selective user access granted through the Security Settings overrides the blockNonEmbedFullAppAccess SDK settings.

It is highly recommended that you switch to selective user access for better security and uninterrupted operations. Support for the SDK blockNonEmbedFullAppAccess will end soon.