Understand groups and privileges
Creating groups and assigning users to them makes privilege management easier. Before a user can log in and use ThoughtSpot, you must create a username, a password, and a membership in one or more groups for them.
You have an option to manage users through LDAP or SAML. |
For information on configuring SAML authentication, see Configure SAML.
Privileges and groups
Privileges determine what kinds of actions users are allowed to do. You assign privileges to groups. Then, you create users and assign them to groups. This is how you grant users access to different capabilities in ThoughtSpot.
Each group includes a set of privileges for its users. The privileges a group has determine the actions that its members are allowed to do. If a user belongs to more than one group, they will have the highest level of the privileges from all the groups they belong to. Plan your groups so that you can use them to assign a common set of privileges to multiple users. Good planning will pay off in ease of administration and a better search experience.
There is a default group called All, which includes every user in ThoughtSpot. When you create a new user, they will be added to the All group automatically. You cannot delete the All group or remove members from it.
You can also have a hierarchy of groups. That is, groups can belong to (that is, be children of) other groups. When using group hierarchies, permissions are inherited from the parent group. So if you’re a member of a sub-group, you would automatically have the privileges of the parent group.
List of privileges
Here are the different privileges, and the capabilities they enable:
- Can administer ThoughtSpot
-
Can manage Users and Groups and has view and edit access to all data. Users with this privilege can also download a saved Answer.
- Can upload user data
-
Can upload their own data from the application’s Data page using
.
- Can download data
-
Can download data from search results and pinboards.
- Can manage data
-
Can create worksheets and views. Can create Embrace connections.
To edit a worksheet or a view created by another user, you must have the Edit permission on that object, and it must be shared with you.
- Can use experimental features
-
Can access trial and experimental features that ThoughtSpot makes available to early adopters.
- Can invoke Custom R Analysis Deprecated 7.1.1
-
Can access R scripts to further explore search answers. Includes options to invoke R scripts on visualizations, create and share custom scripts, and share the results of R analysis as answers and pinboards.
- Can schedule pinboards
-
Can create and edit Pinboard schedules for other users and groups. Without this privilege, users can only create Pinboard schedules for themselves.
- Has SpotIQ privilege
-
Can use the SpotIQ feature.
If this privilege is not enabled for the user, but Insights are enabled on the cluster (this is off by default), they can still see "Did you know" SpotIQ insights on the ThoughtSpot home page.
- Can administer and bypass RLS
-
Users in groups with this privilege (directly or through group inheritance):
-
Are exempt from row-level security (RLS) rules.
-
Can add/edit/delete existing RLS rules.
-
Can check or uncheck Bypass RLS on a worksheet.
Your installation configuration may enable or disable the availability of this privilege. By default, it is enabled. Administrators or groups with the privilege Can administer ThoughtSpot can grant this privilege.
-
- Cannot create or update Pinboards
-
Users are limited to viewing and exploring curated Pinboards (and Answers). They cannot copy, edit, download, or share them.
This privilege is designed to support embedded implementations, and it is behind a flag.
See Granular access to Pinboards for a deeper discussion of this privilege, and an implementation example.
Typically, the ALL group has a common set of privileges applies such as the Can upload user data and/or Can download data privileges.
Privileges are additive, meaning that if a user belongs to more than one group, they will have the highest level of privileges from among the groups they are a member of. They are also inherited from the parent, so that a sub-group gets all the same privileges of its parent, all the way up the group hierarchy.
If you add the privilege Has administration privileges to a group, note that all users in that group will be able to see all the data in ThoughtSpot. Administrators can see all data sources, and Row level security does not apply to them.
Permissions to see and edit tables, worksheets, and pinboards are set when you share them with users and groups, as described in Data security.
The following table shows the intersection of user privilege and ability:
|
Create/Edit WS
|
Create View
|
Create Embrace Connection
|
Modify Col. Props.1
|
Upload Data
|
Download Data
|
Share within Group
|
Share with all users
|
Manage RLS rules
|
CrUD Relationships
|
Read Relationships
|
See Hidden Cols
|
Join with Upload Data
|
Schema Viewer
|
Use Scheduler
|
Use Auto-Analyze
|
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Can administer ThoughtSpot | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y2 | Y | Y | Y | Y | Y | Y |
Can upload user data
|
N | N | N | N | Y | N | Y | N | N |
Y3
|
Y4
|
N | N | N | N | N |
Can download data
|
N | N | N | N | N | Y | Y | N | N | N |
Y4
|
N | N | N | N | N |
Can manage data
|
Y | Y | Y | Y | Y | N | Y | N | N |
Y4
|
Y4
|
Y5
|
Y | N | N | N |
Can share with all users
|
N | N | N | N | N | N | Y | Y | N | N |
Y4
|
N | N | N | N | N |
Has SpotIQ privilege
|
N | N | N | N | N | N | N | N | N | N |
Y4
|
N | N | N | N | Y |
Can Administer and Bypass RLS
|
N | N | N | N | N | N | N | N | N | Y | N | N | N | N | N | N |
None | N | N | N | N | N | N | Y | N | N | N |
Y4
|
N | N | N | N | N |
Table notes:
|
Related information