Understand RBAC and privileges

ThoughtSpot Role-Based Access Control (RBAC) helps an administrator manage roles and privileges that are assigned to users and groups in ThoughtSpot. A role is a collection of privileges. A privilege allows users to perform certain actions while preventing them from performing other actions. RBAC enhances the granularity of permissions that determine the access and capabilities of users and admins.

Roles can be assigned to groups. A group can have one or more roles assigned to it. When multiple roles are assigned to a group, the privileges available to users within that group are a union of the privileges in each role assigned to the group.

RBAC is disabled by default. To enable this feature, contact ThoughtSpot Support.

Once you enable RBAC it cannot be disabled.

Roles and privileges

A role is a collection of privileges. The role and its assigned privileges list the actions that can be performed, such as Can administer ThoughtSpot or Can upload user data. Roles can be high-level, like Super Admin, or specific based on your organization’s structure and requirements. Roles are configured and then assigned to groups. For more information about groups, see Understand groups and privileges.

ThoughtSpot delivers some standard roles to help you transition to RBAC. You can also create custom roles with custom privileges based on your organizational needs.

Previously, administrators were part of the administrator group, and data mangers were part of the can manage data group. Members of the groups would have view and edit access to all data. In some organizations these functions are broken out in a more granular way between different users. Roles allow you to assign the specific roles and privileges required without including those that are not needed.

ThoughtSpot RBAC includes a Super Admin role that includes all of the privileges previously included in the Administrator group to help you migrate to RBAC. Users with this privilege can access all cluster data. This privilege should only be granted in exceptional circumstances.

RBAC roles

The following are descriptions of each of the RBAC roles.

Administrative roles

Role Description

Super Admin

Allows administrators to manage users and groups. Administrators with this role have view and edit access to all data. Users with this privilege can access all cluster data. This privilege should only be granted in exceptional circumstances.

Can manage Orgs

Applicable to ThoughtSpot instances with Orgs. User with Can manage Orgs can create and manage objects, groups and users in their respective Orgs.

Can manage Users

Allows administrators to create, view, update and delete users.

Can manage Groups

Allows administrators to create, view, update and delete groups.

Can manage Roles

Allows administrators to create, view, update and delete roles.

Can manage Authentication

Allows administrators to manage authentication and the authorization process for ThoughtSpot users.

Can manage Application settings

Allows administrators to manage cluster-wide application settings, activation and de-activation of feature on an instance.

Can view System activities

Allows administrators to mange system activities.

Can view Billing Information

Allows view access to billing information.

Can Enable or Disable Trusted Authentication

Allows users with Super Admin privilege to enable or disable trusted authentication for applications embedding ThoughtSpot content.

Can manage tags

Allows administrators to create and edit tags.

Object access control roles

Role Description

Can share with all users

Allows users to objects with all the users and groups in ThoughtSpot.

Data control roles

Role Description

Can create/edit connections

Allows administrators to add new data connections or edit existing connections to external data warehouses.

Can manage data models

Allows users to create, edit, delete and manage Worksheets, Models, Tables, and Views.

Can manage custom calendars

Allows users to create, edit, or delete custom calendars.

Can upload user data

Allows users to upload data to ThoughtSpot.

Can administer and bypass RLS

Allows access to the following operations:

  • Create, edit, or delete existing RLS rules

  • Enable or disable Bypass RLS on a worksheet.

For more information, see Row-level security.

Application control roles

Role Description

Has SpotIQ privilege

Allows access to the SpotIQ feature in ThoughtSpot.

Has developer privilege

Allows users to access the following features and workflows:

  • Access Develop page and Playground

  • Embed a ThoughtSpot application page, object, or full experience in an external application

  • Customize styles for embeded content

  • Add custom actions to the embeded objects such as Liveboards and visualizations

  • View and manage security settings for ThoughtSpot embedding

Can schedule for others

Allows users to schedule, edit, and delete Liveboard jobs.

Can Manage Sync settings

Allows for set up of secure pipelines to external business apps and syncing of data using ThoughtSpot Sync.

Can use Sage

Allows access to ThoughtSpot Sage features such as AI-assisted search and AI-generated answers.

Can manage catalog

Allows users to create, edit, and mange a data connection to Alation, and import metadata.

Can invoke Custom R Analysis

Allows invoking R scripts to explore search answers and share custom scripts.

Can verify Liveboard

Allows Liveboard users to verify Libeboard access requests and mark a Liveboard as verified.

Data download control roles

Role Description

Can download Data

Allows users to download data from objects such as Liveboards and Answers.

Migrating to RBAC

Existing ThoughtSpot customers can easily migrate to RBAC using the roles delivered with ThoughtSpot 9.5.0.cl. ThoughtSpot delivers roles corresponding to each privilege previously available as part of the existing groups and groups are retained. This allows you to assign those privileges individually to groups using roles.

Create, edit, or delete a role

ThoughtSpot has customizable RBAC management for assigning privileges to roles. Before adding users to groups, you can create custom roles if necessary and assign them to groups. Each role includes a set of privileges for its users.

Create a role

To create a role, follow these steps:

  1. Navigate to the Admin Console by selecting the Admin tab from the top navigation bar.

  2. Select Roles from the side navigation bar that appears.

  3. Select the Create role button on the right side of the screen.

  4. In the Create role modal, enter the details for the new role:

    Role name

    Enter a unique name for the role.

    Role description

    Optionally, enter a description.

    Privileges

    Check the privileges you want to grant to the role.

  5. Click Review selection to continue.

  6. Review your selections, and click Save to create the new role.

Edit a role

To edit a role, follow these steps:

  1. Navigate to the Admin Console by selecting the Admin tab from the top navigation bar.

  2. Select Roles from the side navigation bar that appears.

  3. Click on a role to edit the role.

  4. In the Edit role modal, make your desired changes.

  5. Click Review selection to continue.

  6. Review your changes, and click Save.

Delete a role

To delete a role, follow these steps:

  1. Navigate to the Admin Console by selecting the Admin tab from the top navigation bar.

  2. Select Roles from the side navigation bar that appears.

  3. Select the role you plan to delete by clicking the box next to the role name. If you don’t immediately see the name of the group, try searching for it.

  4. Select Delete.

Assign roles to groups

Once you have created roles, you can assign them to groups to manage privileges for your users. For more information about assigning roles to groups, see Understand groups and privileges Create, edit, or delete a group.

Was this page helpful?
×