Orgs administration
The multi-tenancy feature logically partitions a ThoughtSpot cloud instance into multiple tenant-specific environments called Orgs. With Orgs, each tenant’s data is isolated and protected with access control, and is invisible to the other tenants that share the same ThoughtSpot application instance.
If the Orgs feature is enabled on your instance, your cluster administrator can create an Org for each tenant account, configure groups and users, and control access to data objects. Each Org serves as an independent container with its own set of users and data, and provides the same user experience as that of a regular ThoughtSpot instance.
The Orgs feature requires either the ThoughtSpot Enterprise Edition or the ThoughtSpot Embedded Enterprise Edition. See ThoughtSpot pricing and editions. If you have either of these editions, contact ThoughtSpot Support to enable Orgs. Orgs is enabled for all new Enterprise customers by default. Orgs will be enabled for existing customer clusters in an upcoming release. To learn about multi-tenancy using groups instead of Orgs, refer to Multi-tenancy with groups. If you are a new ThoughtSpot customer, and you don’t see Orgs enabled in your cluster, please contact ThoughtSpot Support. Please note that once enabled Orgs cannot be disabled. To understand what changes are required to enable Orgs, see below. |
This article is an overview of the administrative tasks required of the administrators of an Orgs-enabled ThoughtSpot cluster.
After you enable the Orgs feature on a cluster, you can’t turn off the ability to create Orgs. However, your environment remains a single-tenant environment until you create an Org. You can also delete all the Orgs you created, and just use the Primary Org, if you would like a single-tenant environment with Orgs enabled. |
Cluster administrators and Org administrators
Cluster administrators and Org administrators have some of the same privileges and responsibilities. While these roles overlap, they are not the same.
Cluster administrators can do the following tasks:
-
Org management: creating, editing, and deleting Orgs
-
User management for any user in any Org
-
Group management for any group in any Org
-
Connection management: creating, editing, and deleting any connection in any Org. Cluster admins can also share connections with Org admins and users with the can manage data permission, allowing those users to add, remove, and modify tables in the connection.
For a cluster administrator, the Admin Console in the Primary Org has an All orgs section, to manage cross-Org configuration, and a Primary org section, to manage configuration for the Primary Org.
Org administrators can do the following tasks:
-
User management for any user in the Org(s) in which the Org administrator has admin privileges
-
Group management for any group in the Org(s) in which the Org administrator has admin privileges
-
Connection management: creating, editing, and deleting the connections in the Orgs in which the Org administrator has admin privileges. By default, Org administrators do not have view or edit access to connections created by cluster administrators, unless the cluster admin shares the connection with them. If a cluster admin shares a connection with them, Org admins can add, remove, and modify tables in that connection.
-
[TSE only] Trusted authentication configuration: ThoughtSpot Embedded users can configure trusted authentication, which establishes a ThoughtSpot session in the browser without requiring a user to sign in directly to ThoughtSpot or be redirected to a third-party IdP.
To enable Org-specific trusted auth and an Org-specific Develop tab, you must ask ThoughtSpot Support.
For an Org administrator, the Admin Console does not have an All orgs section. The Org administrator can only manage configuration for their specific Org.
Create and manage Orgs
To create an Org on a multi-tenant ThoughtSpot instance, you need cluster administrator privileges. By default, the administrator of the Primary Org is a cluster administrator. The cluster administrator can create Orgs using either the UI or the REST API endpoints. In this section, you can learn how to create, edit, and delete Orgs.
To create Orgs using the REST API endpoints, refer to Orgs API.
Create Orgs
To create Orgs using the UI, follow these steps:
-
Make sure you are in the Primary Org. Select the Org switcher in the top navigation bar to the left of the help icon. Select Primary.
-
Select Admin in the top navigation bar.
-
Select All orgs in the left panel.
-
Under Org Management, select Orgs.
-
On this page, you can create new Orgs, edit existing Orgs, and delete existing Orgs. Note that you cannot delete the Primary Org.
-
To create a new Org, select + Add new org in the upper-right corner of the screen.
-
The Add new org modal appears. Add a unique name and an optional description, and select Save. The Org name must be unique throughout the cluster.
Edit Orgs
To edit an Org name or description using the UI, follow these steps:
-
Make sure you are in the Primary Org. Select the Org switcher in the top navigation bar to the left of the help icon. Select Primary.
-
Select Admin in the top navigation bar.
-
Select All orgs in the left panel.
-
Under Org Management, select Orgs.
-
On this page, you can create new Orgs, edit existing Orgs, and delete existing Orgs. Note that you cannot delete the Primary Org.
-
Find the Org you would like to edit. You can use the Orgs search bar at the upper left of your screen, above the list of Orgs.
-
Select the Edit button for the Org you would like to edit.
-
Edit the name or description of the Org, and select Save.
Delete Orgs
To delete an Org using the UI, follow these steps:
-
Make sure you are in the Primary Org. Select the Org switcher in the top navigation bar to the left of the help icon. Select Primary.
-
Select Admin in the top navigation bar.
-
Select All orgs in the left panel.
-
Under Org Management, select Orgs.
-
On this page, you can create new Orgs, edit existing Orgs, and delete existing Orgs. Note that you cannot delete the Primary Org.
-
Find the Org you would like to delete. You can use the Orgs search bar at the upper left of your screen, above the list of Orgs.
-
Select the Delete button for the Org you would like to remove.
-
A confirmation pop-up window appears, warning you that this action permanently deletes all users in the Org and all objects they created. Type in CONFIRM.
-
Select Delete. Note that you cannot delete the Primary Org.
When you delete an Org, you delete all its users and all objects they created. However, if a user in the deleted Org also exists in an Org you did not delete, ThoughtSpot deletes all the user objects in the deleted Org, but that user continues to exist in the other Org. ThoughtSpot completely deletes all objects existing in the deleted Org. These objects cannot be retrieved later. |
ThoughtSpot does not allow deleting primary Org. |
When deleted, the Org and its objects will become inaccessible immediately. However, the objects will remain in the internal ThoughtSpot System for seven days from the deletion date. To restore a deleted Org, or to clean up objects from the Org before deletion, contact ThoughtSpot Support within seven days. |
If you want to reuse a deleted Org name or other associated object names right after deletion, contact, ThoughtSpot Support. They can help you set the data retention period, allowing you to use those names immediately. The complete removal of the deleted Org and associated objects occurs during a scheduled background process, which takes place only after the configured data retention period has passed. |
All Org scope
On a multi-tenant ThoughtSpot instance, all operations are run in the Org context that the user is currently in. If a cluster administrator wants to perform a CRUD (Create, Read, Update, or Delete) operation or apply a configuration change to all Orgs, they must be in the Primary Org, in the All orgs section of the Admin Console.
For example, to add a user to multiple Orgs, the administrator must be in the Primary Org, in the All orgs > Users section of the Admin Console. If the administrator is in Org 1, for example, the Users section of the Admin console does not have the option to add users to Orgs, only to groups. You should only use the All orgs > Users section of the Admin Console to add users to multiple Orgs. Use the individual Org’s Admin Console > Users section to add users to individual Orgs, and to add users to groups.
Cluster-level configurations
The following features can only be configured or viewed on a cluster level, for all Orgs. Cluster level configurations like Style customization and all of the System Liveboards are now available per Org.
-
Adding users to multiple Orgs at a time
-
Identity and Access Management: local and SAML user authentication
-
Style customization
-
User adoption Liveboard
-
Performance tracking Liveboard
-
Billing information: Credit Usage Liveboard
-
The following Developer functionality: CSP, CORS, and TSE style customization. All other Developer functionality is available for configuration at the individual Org level.
To enable Org-specific trusted auth and an Org-specific Develop tab, you must ask ThoughtSpot Support. -
Custom calendar
-
Search and SpotIQ settings
-
Email and onboarding settings
Manage users and groups
On a multi-tenant instance, the cluster and Org administrators can create and administer users and groups. The cluster administrator can perform CRUD (Create, Read, Update, and Delete) operations on user and group objects of all Orgs, whereas the Org administrator can create and administer users and groups only in the Org context to which they belong.
To manage Org groups, the cluster administrator must switch to the appropriate Org. This includes management of the groups a specific user belongs to. To manage Org users, the cluster administrator can be in the primary Org or the specific Org the user belongs to. You should only use the All orgs > Users section of the Admin Console to add users to multiple Orgs. Use the individual Org’s Admin Console > Users section to add users to individual Orgs, and to add users to groups. |
Add users to Orgs
The cluster administrator can add a user to multiple Orgs at a time as the cluster administrator, or add a user to one specific Org as that Org’s administrator.
To add a user to multiple Orgs at a time, you must be in the Primary Org, in the All orgs > Users section of the Admin Console.
You should only use the All orgs > Users section of the Admin Console to add users to multiple Orgs. Use the individual Org’s Admin Console > Users section to add users to individual Orgs, and to add users to groups.
For more information about creating users, see Create, edit, or delete a user in a multi-tenant environment.
Usernames must be unique across the cluster, not just the Org. |
Remove users from Orgs
You can remove a user from multiple Orgs at a time as the cluster administrator, or remove a user from one specific Org as that Org’s administrator.
To remove a user from multiple Orgs at a time, the cluster administrator must be in the Primary Org, in the All orgs > Users section of the Admin Console.
For more information about deleting users, see Create, edit, or delete a user in a multi-tenant environment.
Manage groups in Orgs
You can only add, modify, and delete groups at the individual Org level. You cannot add, modify, or delete groups for multiple Orgs at a time.
For more information about managing groups, see Create, edit, or delete a group in a multi-tenant environment.
User authentication
You manage user authentication at the All orgs level of the Admin Console. You cannot manage or configure SAML or local user authentication to work in different ways for different Orgs in the same cluster.
For more information about SAML and local user authentication, refer to Managing authentication with SAML and Managing local authentication.
ThoughtSpot does not support OpenID Connect integration for authentication in an Orgs environment. |
Application settings
You manage application settings, such as search and SpotIQ settings, email and onboarding settings, and style customization, at the All orgs level of the Admin Console. Cluster level configurations like Style Customization and all of the System Liveboards have now been made available per Org.
For more information about application settings, refer to Managing search and SpotIQ settings, Managing email and onboarding settings, and Style customization.
View and analyze user, performance and billing information
You can view and analyze system Liveboards about user adoption, app performance, and credit usage at the All orgs level of the Admin Console. These Liveboards are applicable to the entire cluster, but you can filter them by Org to view data specific to each Org.
For more information about these system Liveboards, refer to User Adoption Liveboard, Performance Tracking Liveboard, and Credit Usage Liveboard.
View status of and sign the ThoughtSpot user agreement
You sign the ThoughtSpot user agreement for the entire cluster. You do not need to sign it for each Org. You can sign the revised user agreement or view the currently signed user agreement for your cluster from the All Orgs > Terms section of the Admin Console.
For more information about the ThoughtSpot user agreement, refer to ThoughtSpot Cloud Subscription Agreement.