strativd - I have a question about using ABAC r...
I have a question about using ABAC rules in ThoughtSpot. We need to set
is_mandatory_filter: true for ABAC on one column that maps to customer locations. We use this column to lock down ALL of our tables because the data is customer-facing and we use one Liveboard for all customers (filtered by ABAC and RLS rules). By default, this option will hide all data unless the ABAC rule are satisfied. That's exactly what we want, except when we sign into ThoughtSpot for development. Is there a way to bypass the is_mandatory_filter when Admin users login to ThoughtSpot?Solution:Jump to solution
Hello @strativd : We can persist the filter_rules once for the user using the API and when the user logs back in the same will be honored.
4 Replies
Hello @strativd
The correct attribute name is_mandatory_token_filter instead of is_mandatory_filter.
For admin users, the filter_rules should be passed in the following format:
Explanation
• column_name: The name of the column to which the filter applies.
• operator: Set to "EQ" to specify an equality filter. // This can be any operator. EQ is just an example.
• values: Use ["TS_WILDCARD_ALL"] to indicate that the user should have access to all values in the specified column.
Using "TS_WILDCARD_ALL" ensures that the admin user is not restricted by any specific token values and can see all data in the column.
This setup works in combination with the is_mandatory_token_filter attribute to configure access control behavior correctly.
Thanks Sandeep. I know we can bypass the filter when requesting a token via the API, but I don't know how to add filters to a user session via the webapp.
How do we pass filter rules (like
TS_WILDCARD_ALL) when a user logs into ThoughtSpot directly?Solution
Hello @strativd : We can persist the filter_rules once for the user using the API and when the user logs back in the same will be honored.
Okay we'll look into a process for that. Thanks!