ThoughtSpot

Configuring the Veza integration for ThoughtSpot

Overview

ThoughtSpot is an AI-powered analytics platform enabling users to query data using natural language, with a user-friendly interface for analyzing data from various sources, including data warehouses.

The Veza integration for ThoughtSpot uses an API token to discover authorization metadata for users, groups, and roles within a ThoughtSpot organization, along with their permissions on the platform.

Requirements:

  • Administrator access to a ThoughtSpot account containing users, groups, and roles.

  • ThoughtSpot RBAC is currently in beta and disabled by default. To enable this feature on your cluster, contact ThoughtSpot Support. Note that once you enable RBAC, it cannot be disabled.

ThoughtSpot Setup Instructions

Log in to ThoughtSpot as an administrator to generate an access token and retrieve your organization ID:

  1. Secret Key:

    1.1. Go to ThoughtSpot Develop > Customizations > Security Settings. Toggle the Enable Trusted authentication option.

    1.2. Copy the generated token. This token will be used later to enable the Veza integration.

  2. Organization Id:

    2.1. Log in to your ThoughtSpot developer portal as an administrator.

    2.2. Update the URL below to include your organization name, then open it: https://{{OrganizationName}}.thoughtspot.cloud/#/develop/api/rest/playgroundV2_0?apiResourceId=http%2Fapi-endpoints%2Fauthentication%2Fget-current-user-info

    2.3. Click the Try It Out button to run the Get Current User operation.

    2.4. The response will appear to the side. Use the id from current_org as the Organization Id to configure the Veza integration.

Veza Setup

  1. Log in to Veza as an administrator and open the Integrations page.

  2. Click Add Integration and choose ThoughtSpot.

  3. Configure the integration using the values retrieved in the previous section:

    • Organization Name: Name of the organization, as it appears in the hostname of your organization's ThoughtSpot URL (for example, orgName in https://orgName.thoughtspot.cloud/).

    • Organization Id: The organization ID from step 2.3.

    • Username: Your ThoughtSpot admin user name.

    • Secret Key: The Trusted authentication token generated in step 1.2.

  4. Click Create Integration to save your changes.

Notes and Supported Entities

The integration uses the Open Authorization API custom application template to model identities and role-based access controls in ThoughtSpot.

  • Organization > Custom Application

  • Users > Local User

  • Groups > Local Group

  • Roles > Local Role

  • Privileges > Permission

See the following sections for each attribute Veza collects. You can use filters to narrow the scope of access reviews, queries, and graph searches based on any attribute value.

User Properties

| Name | Description |
| --- | --- |
| id | Unique id of the user. |
| name | Name of the user. |
| display_name | Display name of the user. |
| email | Email of the user. |
| visibility | Visibility of the user. The SHARABLE property makes a user visible to other users and groups, who can share objects with the user. NON_SHARABLE and SHARABLE are the available options. |
| created_by | Unique identifier of the author of the user. |
| can_change_password | Defines whether the user can change their password. |
| created_at | Creation time of the user in milliseconds. |
| deleted | Indicates whether the user is deleted. |
| account_type | Status of the user account. LOCAL_USER, LDAP_USER, SAML_USER, OIDC_USER, and REMOTE_USER are the available options. |
| expiration_at | Expiration time of the user in milliseconds. |
| hidden | Indicates whether the user is hidden. |
| updated_at | Last modified time of the user in milliseconds. |
| updated_by | Unique identifier of the modifier of the user. |
| super_user | Indicates whether the user is a super user. |
| system_user | Indicates whether the user is a system user. |
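An access-review style filter over the user properties above, as an added example: it is not Veza's or ThoughtSpot's code and does not use Veza's query syntax. The records are constructed, and treating an empty or zero expiration_at as "no expiry" is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample records; the keys are the user properties listed above.
USERS = [
    {"id": "u-1", "name": "tsadmin", "account_type": "LOCAL_USER",
     "super_user": True, "hidden": False, "deleted": False, "expiration_at": None},
    {"id": "u-2", "name": "analyst", "account_type": "SAML_USER",
     "super_user": False, "hidden": False, "deleted": False,
     "expiration_at": 1893456000000},   # 2030-01-01 UTC, in milliseconds
    {"id": "u-3", "name": "contractor", "account_type": "OIDC_USER",
     "super_user": False, "hidden": False, "deleted": False,
     "expiration_at": 1700000000000},   # 2023-11-14 UTC, in milliseconds
    {"id": "u-4", "name": "former", "account_type": "LOCAL_USER",
     "super_user": True, "hidden": False, "deleted": True, "expiration_at": None},
    {"id": "u-5", "name": "svc-export", "account_type": "LOCAL_USER",
     "super_user": False, "hidden": True, "deleted": False, "expiration_at": None},
]

def from_millis(ms):
    """Convert a millisecond epoch value to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def review_findings(users, now):
    """Map user id -> reasons the account deserves a look in an access review."""
    findings = {}
    for user in users:
        if user.get("deleted"):
            continue  # deleted accounts are out of scope for this review
        reasons = []
        if user.get("super_user"):
            reasons.append("super_user")
        if user.get("account_type") == "LOCAL_USER":
            reasons.append("LOCAL_USER account")
        if user.get("hidden"):
            reasons.append("hidden")
        expires = user.get("expiration_at")
        # Assumption: None or 0 means no expiry is set.
        if expires and from_millis(expires) <= now:
            reasons.append("expired but not deleted")
        if reasons:
            findings[user["id"]] = reasons
    return findings

if __name__ == "__main__":
    for uid, reasons in review_findings(USERS, datetime.now(timezone.utc)).items():
        print(uid, ", ".join(reasons))
```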

Group Properties

| Name | Description |
| --- | --- |
| id | Unique id of the group. |
| name | Name of the group. |
| created_by | Unique identifier of the author of the group. |
| created_at | Creation time of the group in milliseconds. |
| deleted | Indicates whether the group is deleted. |
| description | Description of the group. |
| hidden | Indicates whether the group is hidden. |
| updated_at | Last modified time of the group in milliseconds. |
| updated_by | Unique identifier of the modifier of the group. |
| display_name | Display name of the group. |
| visibility | Visibility of the group. The SHARABLE property makes a group visible to other users and groups, who can share objects with the group. NON_SHARABLE and SHARABLE are the available options. |

Role Properties

| Name | Description |
| --- | --- |
| id | Unique id of the Role. |
| name | Name of the Role. |
| permission | Permission details of the Role. READ_ONLY, MODIFY, and NO_ACCESS are the available options. |
| created_by | Unique identifier of the author of the role. |
| created_at | Creation time of the role in milliseconds. |
| deleted | Indicates whether the role is deleted. |
| description | Description of the role. |
| hidden | Indicates whether the role is hidden. |
| updated_at | Last modified time of the role in milliseconds. |
| updated_by | Unique identifier of the modifier of the role. |
