Understand RBAC and privileges

ThoughtSpot Role-Based Access Control (RBAC) helps an administrator manage roles and privileges that are assigned to users and groups in ThoughtSpot. A role is a collection of privileges. A privilege allows users to perform certain actions while preventing them from performing other actions. RBAC enhances the granularity of permissions that determine the access and capabilities of users and admins.

Roles can be assigned to groups. A group can have one or more roles assigned to it. When multiple roles are assigned to a group, the privileges available to users within that group are a union of the privileges in each role assigned to the group.

RBAC is disabled by default. To enable this feature, contact ThoughtSpot Support.

Once you enable RBAC, it cannot be disabled.

Roles and privileges

A role is a collection of privileges. The role and its assigned privileges list the actions that can be performed, such as Can administer ThoughtSpot or Can upload user data. Roles can be high-level, like Super Admin, or specific based on your organization’s structure and requirements. Roles are configured and then assigned to groups. For more information about groups, see Understand groups and privileges.

ThoughtSpot delivers some standard roles to help you transition to RBAC. You can also create custom roles with custom privileges based on your organizational needs. The following are the standard roles delivered with ThoughtSpot.

The following table shows existing ThoughtSpot group privileges and the new, more granular RBAC roles.

| ThoughtSpot privilege | ThoughtSpot RBAC roles |
|---|---|
| Can administer ThoughtSpot | Super Admin, Can manage Users, Can manage Groups, Can manage Roles, Can manage Orgs, Can manage Authentication, Can manage Application settings, Can view System activities, Can view Billing Information |
| Can manage data | Can create/edit connections, Can manage data models, Can manage custom calendars, Can upload user data |

Previously, administrators were part of the administrator group, and data managers were part of the can manage data group. Members of the groups would have view and edit access to all data. In some organizations these functions are broken out in a more granular way between different users. Roles allow you to assign the specific roles and privileges required without including those that are not needed.

To help you migrate to RBAC, ThoughtSpot provides a Super Admin role that contains all of the privileges previously included in the Administrator group. Users with this privilege can access all cluster data. This privilege should only be granted in exceptional circumstances.

RBAC roles

The following are descriptions of each of the RBAC roles.

| Role | Description |
|---|---|
| Super Admin | Can manage users and groups and has view and edit access to all data. Users with this privilege can access all cluster data. This privilege should only be granted in exceptional circumstances. |
| Can manage Users | Can create, view, update and delete users. This is an administrative privilege. |
| Can manage Groups | Can create, view, update and delete groups. This is an administrative privilege. |
| Can manage Roles | Can create, view, update and delete roles. This is an administrative privilege. |
| Can manage Orgs | Can create, view, update and delete Orgs in a multi-tenancy environment. This privilege is available only in Org enabled clusters. In an Org enabled cluster, this privilege is available only at the primary Org level and is not visible to any other Orgs. |
| Can manage Authentication | Can manage identity and access management. |
| Can manage Application settings | Can manage application settings. |
| Can view System activities | Can view all options under the System activities section. |
| Can view Billing Information | Can view all details under the Billing section. |
| Can create/edit connections | Can add new data connections or edit existing connections. |
| Can manage data models | Can create, edit, or delete data models. |
| Can manage custom calendars | Can create, edit, or delete custom calendars. |
| Can upload user data | Can upload user data. |
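
The following added example (not ThoughtSpot code, and it calls no ThoughtSpot API) shows how the union rule for groups with multiple roles can be reviewed: it computes each group's effective privileges and flags Super Admin assignments, undefined roles, and groups that collect all three administrative privileges across separate roles. The custom role names, group names, and finding labels are constructed for illustration; only the privilege names come from this page.

```python
from typing import Dict, List, Set

# Privileges this page labels "administrative".
ADMIN_PRIVILEGES = {"Can manage Users", "Can manage Groups", "Can manage Roles"}

# Constructed custom roles (hypothetical names) built from privileges on this page.
ROLES: Dict[str, Set[str]] = {
    "Data Engineer": {"Can create/edit connections", "Can manage data models"},
    "Calendar Owner": {"Can manage custom calendars"},
    "User Onboarding": {"Can manage Users", "Can manage Groups"},
    "Role Designer": {"Can manage Roles"},
}

# Constructed group-to-role assignments (sample data, not a real export).
GROUPS: Dict[str, List[str]] = {
    "analytics-eng": ["Data Engineer", "Calendar Owner"],
    "it-helpdesk": ["User Onboarding", "Role Designer"],
    "platform-owners": ["Super Admin"],
    "contractors": ["Calendar Owner", "Legacy Import"],
}


def effective_privileges(roles: List[str]) -> Set[str]:
    """Union of the privileges of every role assigned to a group."""
    privileges: Set[str] = set()
    for role in roles:
        privileges |= ROLES.get(role, set())
    return privileges


def audit_group(roles: List[str]) -> List[str]:
    """Return review findings for one group's role assignment."""
    findings = []
    if "Super Admin" in roles:
        findings.append("super-admin")  # page: exceptional circumstances only
    for role in roles:
        if role != "Super Admin" and role not in ROLES:
            findings.append(f"undefined-role:{role}")
    # No single role holds every administrative privilege, but the union does.
    held = effective_privileges(roles)
    if ADMIN_PRIVILEGES <= held and not any(
        ADMIN_PRIVILEGES <= ROLES.get(r, set()) for r in roles
    ):
        findings.append("admin-accumulation")
    return findings


if __name__ == "__main__":
    for name, roles in GROUPS.items():
        print(name, sorted(effective_privileges(roles)), audit_group(roles))
```

The "admin-accumulation" finding is a review policy assumed for this sketch: neither role in the "it-helpdesk" group looks broad on its own, but together they let members manage users, groups, and roles.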

