Orgs administration

The multi-tenancy feature logically partitions a ThoughtSpot cloud instance into multiple tenant-specific environments called Orgs. With Orgs, each tenant’s data is isolated and protected with access control, and is invisible to the other tenants that share the same ThoughtSpot application instance.

If the Orgs feature is enabled on your instance, your cluster administrator can create an Org for each tenant account, configure groups and users, and control access to data objects. Each Org serves as an independent container with its own set of users and data, and provides the same user experience as that of a regular ThoughtSpot instance.

The Orgs feature requires either the ThoughtSpot Enterprise Edition or the ThoughtSpot Embedded Enterprise Edition. See ThoughtSpot pricing and editions.

If you have either of these editions, contact ThoughtSpot Support to enable Orgs. The Orgs feature is off by default. To learn about multi-tenancy using groups instead of Orgs, refer to Multi-tenancy with groups.

This article is an overview of the administrative tasks required of the administrators of an Orgs-enabled ThoughtSpot cluster.

After you enable the Orgs feature on a cluster, you can’t turn off the ability to create Orgs. However, your environment remains a single-tenant environment until you create an Org. You can also delete all the Orgs you created, and just use the Primary Org, if you would like a single-tenant environment with Orgs enabled.

Cluster administrators and Org administrators

Cluster administrators and Org administrators have some of the same privileges and responsibilities. While these roles overlap, they are not the same.

Cluster administrators can do the following tasks:

  • Org management: creating, editing, and deleting Orgs

  • User management for any user in any Org

  • Group management for any group in any Org

  • Connection management: creating, editing, and deleting any connection in any Org. Cluster admins can also share connections with Org admins and users with the can manage data permission, allowing those users to add, remove, and modify tables in the connection.

For a cluster administrator, the Admin Console in the Primary Org has an All orgs section, to manage cross-Org configuration, and a Primary org section, to manage configuration for the Primary Org.

Org admin console for the cluster administrator

Org administrators can do the following tasks:

  • User management for any user in the Org(s) in which the Org administrator has admin privileges

  • Group management for any group in the Org(s) in which the Org administrator has admin privileges

  • Connection management: creating, editing, and deleting the connections in the Orgs in which the Org administrator has admin privileges. By default, Org administrators do not have view or edit access to connections created by cluster administrators, unless the cluster admin shares the connection with them. If a cluster admin shares a connection with them, Org admins can add, remove, and modify tables in that connection.

  • [TSE only] Trusted authentication configuration: ThoughtSpot Embedded users can configure trusted authentication, which establishes a ThoughtSpot session in the browser without requiring a user to sign in directly to ThoughtSpot or be redirected to a third-party IdP.

    To enable Org-specific trusted auth and an Org-specific Develop tab, you must ask ThoughtSpot Support.

For an Org administrator, the Admin Console does not have an All orgs section. The Org administrator can only manage configuration for their specific Org.

Org admin console for the Org administrator

Create and manage Orgs

To create an Org on a multi-tenant ThoughtSpot instance, you need cluster administrator privileges. By default, the administrator of the Primary Org is a cluster administrator. The cluster administrator can create Orgs using either the UI or the REST v1 API endpoints. In this section, you can learn how to create, edit, and delete Orgs.

To create Orgs using the REST v1 API endpoints, refer to Orgs API.

Create Orgs

To create Orgs using the UI, follow these steps:

  1. Make sure you are in the Primary Org. Select the Org switcher in the top navigation bar to the left of the help icon. Select Primary.

    Org switcher
  2. Select Admin in the top navigation bar.

  3. Select All orgs in the left panel.

  4. Under Org Management, select Orgs.

    In the admin console
  5. On this page, you can create new Orgs, edit existing Orgs, and delete existing Orgs. Note that you cannot delete the Primary Org.

  6. To create a new Org, select + Add new org in the upper-right corner of the screen.

  7. The Add new org modal appears. Add a unique name and an optional description, and select Save. The Org name must be unique throughout the cluster.

Edit Orgs

To edit an Org name or description using the UI, follow these steps:

  1. Make sure you are in the Primary Org. Select the Org switcher in the top navigation bar to the left of the help icon. Select Primary.

    Org switcher
  2. Select Admin in the top navigation bar.

  3. Select All orgs in the left panel.

  4. Under Org Management, select Orgs.

    In the admin console
  5. On this page, you can create new Orgs, edit existing Orgs, and delete existing Orgs. Note that you cannot delete the Primary Org.

  6. Find the Org you would like to edit. You can use the Orgs search bar at the upper left of your screen, above the list of Orgs.

  7. Select the Edit button for the Org you would like to edit.

  8. Edit the name or description of the Org, and select Save.

Delete Orgs

To delete an Org using the UI, follow these steps:

  1. Make sure you are in the Primary Org. Select the Org switcher in the top navigation bar to the left of the help icon. Select Primary.

    Org switcher
  2. Select Admin in the top navigation bar.

  3. Select All orgs in the left panel.

  4. Under Org Management, select Orgs.

    In the admin console
  5. On this page, you can create new Orgs, edit existing Orgs, and delete existing Orgs. Note that you cannot delete the Primary Org.

  6. Find the Org you would like to delete. You can use the Orgs search bar at the upper left of your screen, above the list of Orgs.

  7. Select the Delete button for the Org you would like to edit.

  8. A confirmation pop-up window appears, warning you that this action permanently deletes all users in the Org and all objects they created. Type in CONFIRM.

  9. Select Delete. Note that you cannot delete the Primary Org.

When you delete an Org, you delete all its users and all objects they created. However, if a user in the deleted Org also exists in an Org you did not delete, ThoughtSpot deletes all the user objects in the deleted Org, but that user continues to exist in the other Org. ThoughtSpot completely deletes all objects existing in the deleted Org. These objects cannot be retrieved later.

All Org scope

On a multi-tenant ThoughtSpot instance, all operations are run in the Org context that the user is currently in. If a cluster administrator wants to perform a CRUD (Create, Read, Update, or Delete) operation or apply a configuration change to all Orgs, they must be in the Primary Org, in the All orgs section of the Admin Console.

For example, to add a user to multiple Orgs, the administrator must be in the Primary Org, in the All orgs > Users section of the Admin Console. If the administrator is in Org 1, for example, the Users section of the Admin console does not have the option to add users to Orgs, only to groups. You should only use the All orgs > Users section of the Admin Console to add users to multiple Orgs. Use the individual Org’s Admin Console > Users section to add users to individual Orgs, and to add users to groups.

Cluster-level configurations

The following features can only be configured or viewed on a cluster level, for all Orgs. You cannot configure these features to work in different ways for different Orgs in the same cluster. Therefore, the cluster administrator must perform the configuration or other management of the following features:

  • Adding users to multiple Orgs at a time

  • Identity and Access Management: local and SAML user authentication

  • Style customization

  • User adoption Liveboard

  • Performance tracking Liveboard

  • Billing information: Credit Usage Liveboard

  • The following Developer functionality: CSP, CORS, and TSE style customization. All other Developer functionality is available for configuration at the individual Org level.

    To enable Org-specific trusted auth and an Org-specific Develop tab, you must ask ThoughtSpot Support.
  • Custom calendar

  • Search and SpotIQ settings

  • Email and onboarding settings

Manage users and groups

On a multi-tenant instance, the cluster and Org administrators can create and administer users and groups. The cluster administrator can perform CRUD (Create, Read, Update, and Delete) operations on user and group objects of all Orgs, whereas the Org administrator can create and administer users and groups only in the Org context to which they belong.

To manage Org groups, the cluster administrator must switch to the appropriate Org. This includes management of the groups a specific user belongs to. To manage Org users, the cluster administrator can be in the primary Org or the specific Org the user belongs to.

You should only use the All orgs > Users section of the Admin Console to add users to multiple Orgs. Use the individual Org’s Admin Console > Users section to add users to individual Orgs, and to add users to groups.

Add users to Orgs

The cluster administrator can add a user to multiple Orgs at a time as the cluster administrator, or add a user to one specific Org as that Org’s administrator.

To add a user to multiple Orgs at a time, you must be in the Primary Org, in the All orgs > Users section of the Admin Console.

You should only use the All orgs > Users section of the Admin Console to add users to multiple Orgs. Use the individual Org’s Admin Console > Users section to add users to individual Orgs, and to add users to groups.

For more information about creating users, see Create, edit, or delete a user in a multi-tenant environment.

Usernames must be unique across the cluster, not just the Org.

Remove users from Orgs

You can remove a user from multiple Orgs at a time as the cluster administrator, or remove a user from one specific Org as that Org’s administrator.

To remove a user from multiple Orgs at a time, the cluster administrator must be in the Primary Org, in the All orgs > Users section of the Admin Console.

For more information about deleting users, see Create, edit, or delete a user in a multi-tenant environment.

Manage groups in Orgs

You can only add, modify, and delete groups at the individual Org level. You cannot add, modify, or delete groups for multiple Orgs at a time.

For more information about managing groups, see Create, edit, or delete a group in a multi-tenant environment.

Group names must be unique across the cluster, not just the Org.

User authentication

You manage user authentication at the All orgs level of the Admin Console. You cannot manage or configure SAML or local user authentication to work in different ways for different Orgs in the same cluster.

For more information about SAML and local user authentication, refer to Managing authentication with SAML and Managing local authentication.

ThoughtSpot does not support OpenID Connect integration for authentication in an Orgs environment.

Application settings

You manage application settings, such as search and SpotIQ settings, email and onboarding settings, and style customization, at the All orgs level of the Admin Console. You cannot configure these features to work in different ways for different Orgs in the same cluster.

For more information about application settings, refer to Managing search and SpotIQ settings, Managing email and onboarding settings, and Style customization.

View and analyze user, performance and billing information

You can view and analyze system Liveboards about user adoption, app performance, and credit usage at the All orgs level of the Admin Console. These Liveboards are applicable to the entire cluster, but you can filter them by Org to view data specific to each Org.

For more information about these system Liveboards, refer to User Adoption Liveboard, Performance Tracking Liveboard, and Credit Usage Liveboard.

View status of and sign the ThoughtSpot user agreement

You sign the ThoughtSpot user agreement for the entire cluster. You do not need to sign it for each Org. You can sign the revised user agreement or view the currently signed user agreement for your cluster from the All Orgs > Terms section of the Admin Console.

For more information about the ThoughtSpot user agreement, refer to ThoughtSpot Cloud Subscription Agreement.