When rule-based row level security (RLS) is set, it prevents users from seeing data they shouldn’t in tables and the objects derived from them. You must have administrative rights on ThoughtSpot to set RLS rules.
Before you create a rule, make sure you have read How rule-based RLS works.
Create a rule on a table
You can set RLS rules only on tables. To set up rule-based row level security, do the following:
- Navigate to the Data page and edit by clicking on it.
- Click Row security at the top right side of the page.
Click the + Add row security button.
The system displays the Rule Builder.
You define row level security by creating an expression that gets evaluated for every row and group combination. This powerful feature can be used with up to thousands of groups.
- Open the Rule Builder.
- Give your rule a name.
Enter an expression for your rule.
The rule gets evaluated against an authenticated user for every row and group combination. If the rule evaluates to true, the user can’t see that row’s data. Use the variable ts_groups to refer to the group name.
You can see a list of available operators by clicking on Rule Assistant.
As you type, ThoughtSpot suggests formula syntax, variables, and column names. If you can’t remember the exact column name or variable you want to use, the suggestions can help.
When your expression is valid, a green indicator appears at the bottom of the Rule Builder.
- Click Save.
The rule you created is listed in the rules. You can edit the rule or add more rules by clicking + Add.
Test your rule with restricted and unrestricted users
To test your rule, log in as users in different groups. Search within the table for data both that you test user can and can’t access. Make sure your test users are seeing the appropriate rows.