ThoughtSpot
Configuring the Veza integration for ThoughtSpot
ThoughtSpot is an AI-powered analytics platform enabling users to query data using natural language, with a user-friendly interface for analyzing data from various sources, including data warehouses.
The Veza integration for ThoughtSpot uses an API token to discover authorization metadata for users, groups, and roles within a ThoughtSpot organization, along with their permissions on the platform.
Requirements:
Administrator access to a ThoughtSpot account containing users, groups, and roles.
ThoughtSpot RBAC is currently in beta and disabled by default. To enable this feature on your cluster, contact ThoughtSpot Support. Note that once you enable RBAC, it cannot be disabled.
Log in to ThoughtSpot as an administrator to generate an access token and retrieve your organization ID:
Secret Key:
1.1. Go to ThoughtSpot Develop > Customizations > Security Settings. Toggle the Enable Trusted authentication option.
1.2. Copy the generated token. This token will be used later to enable the Veza integration.
Organization Id:
2.1. Log in to your ThoughtSpot developer portal as an administrator.
2.2. Update the URL below to include your organization name and open https://{{OrganizationName}}.thoughtspot.cloud/#/develop/api/rest/playgroundV2_0?apiResourceId=http%2Fapi-endpoints%2Fauthentication%2Fget-current-user-info
2.3. Click on the Try It Out button to run the Get Current User operation.
2.4. The response will appear to the side. Use the id from current_org as the Organization Id to configure the Veza integration.
Log in to Veza as an administrator and open the Integrations page.
Click Add Integration and choose ThoughtSpot.
Configure the integration using the values retrieved in the previous section:
Organization Name: Name of the Organization. Same as the hostname in your organization's ThoughtSpot URL (i.e., https://orgName.thoughtspot.cloud/).
Organization Id: The organization ID from step 2.3.
Username: Your ThoughtSpot admin user name.
Secret Key: The trusted Authentication token generated in step 1.2.
Click Create Integration to save your changes.
The integration uses the Open Authorization API custom application template to model identities and role-based access controls in ThoughtSpot.
Organization > Custom Application
Users > Local User
Groups > Local Group
Roles > Local Role
Privileges > Permission
See the following sections for each attribute Veza collects. You can use filters to narrow the scope of access reviews, queries, and graph searches based on any attribute value.
id
Unique id of the user.
name
Name of the user.
display_name
Display name of the user.
Email of the user.
visibility
Visibility of the user. The SHARABLE property makes a user visible to other users and groups, who can share objects with the user. NON_SHARABLE and SHARABLE are the available options.
created_by
Unique identifier of the author of the user.
can_change_password
Defines whether the user can change their password.
created_at
Creation time of the user in milliseconds.
deleted
Indicates whether the user is deleted.
account_type
Status of the user account. LOCAL_USER, LDAP_USER, SAML_USER, OIDC_USER, and REMOTE_USER are the available options.
expiration_at
Expiration time of the user in milliseconds.
hidden
Indicates whether the user is hidden.
updated_at
Last modified time of the user in milliseconds.
updated_by
Unique identifier of the modifier of the user.
super_user
Indicates whether the user is a super user.
system_user
Indicates whether the user is a system user.
id
Unique id of the group.
name
Name of the group.
created_by
Unique identifier of the author of the group.
created_at
Creation time of the group in milliseconds.
deleted
Indicates whether the group is deleted.
description
Description of the group.
hidden
Indicates whether the group is hidden.
updated_at
Last modified time of the group in milliseconds.
updated_by
Unique identifier of the modifier of the group.
display_name
Display name of the group.
visibility
Visibility of the group. The SHARABLE property makes a group visible to other users and groups, who can share objects with the group. NON_SHARABLE and SHARABLE are the available options.
id
Unique id of the Role.
name
Name of the Role.
permission
Permission details of the Role. READ_ONLY, MODIFY, and NO_ACCESS are the available options.
created_by
Unique identifier of the author of the role.
created_at
Creation time of the role in milliseconds.
deleted
Indicates whether the role is deleted.
description
Description of the role.
hidden
Indicates whether the role is hidden.
updated_at
Last modified time of the role in milliseconds.
updated_by
Unique identifier of the modifier of the role.
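As an added example (not part of the Veza or ThoughtSpot documentation), the following Python shows how the user attributes listed above can drive an access-review filter. The sample records, the three review rules, and the treatment of an empty expiration_at as "no expiry" are assumptions made for illustration.

```python
# Added example: triage ThoughtSpot user records by the attributes listed above.
# All records are constructed sample data, not real output from Veza or ThoughtSpot.
NOW_MS = 1_700_000_000_000  # constructed "current time" in epoch milliseconds

def user(uid, **attrs):
    """Build a constructed record with the page's attribute names and defaults."""
    base = {"id": uid, "account_type": "SAML_USER", "super_user": False,
            "system_user": False, "deleted": False, "hidden": False,
            "expiration_at": None}
    base.update(attrs)
    return base

SAMPLE_USERS = [
    user("u-001", account_type="LOCAL_USER", super_user=True),
    user("u-002", expiration_at=1_600_000_000_000),
    user("u-003", super_user=True),
    user("u-004", account_type="LOCAL_USER", super_user=True, deleted=True),
    user("u-005", account_type="LOCAL_USER", system_user=True, hidden=True),
    user("u-006", account_type="OIDC_USER", hidden=True),
]

def findings_for(rec, now_ms):
    """Return review flags for one user record."""
    if rec["deleted"]:
        return []  # deleted accounts are out of scope for this review
    flags = []
    if rec["super_user"] and rec["account_type"] == "LOCAL_USER":
        flags.append("super_user on LOCAL_USER account")
    exp = rec["expiration_at"]
    # Assumption: None or 0 means no expiry is set; values are milliseconds.
    if exp and exp <= now_ms:
        flags.append("expired but not deleted")
    if rec["hidden"] and not rec["system_user"]:
        flags.append("hidden non-system account")
    return flags

def review(users, now_ms=NOW_MS):
    """Map user id -> flags, omitting users with nothing to review."""
    report = {}
    for rec in users:
        flags = findings_for(rec, now_ms)
        if flags:
            report[rec["id"]] = flags
    return report

if __name__ == "__main__":
    for uid, flags in review(SAMPLE_USERS).items():
        print(uid, "; ".join(flags))
```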