mad1 - Hi Team, I want to onboard user from my ...
Hi Team, I want to onboard user from my embedded application directly when accessing the TS Dashboard, if being first time user. Is there any way other than TS JIT provision to implement this ?
9 Replies
Hi @R19 : JIT seems to be the right approach for your use case. Is there any specific reason you’re looking to avoid the JIT workflow? Please let us know so we can assist you better.
If it's onboarding of many users.. you can use bulk-import API via POST /api/rest/2.0/users/import API.
If it's just automatic on-boarding as user log-in to your embed application then you can use JIT which @sandeep suggested.
More custom solution is to use POST /api/rest/2.0/users/create API along with POST /api/rest/2.0/security/metadata/share API to manage access to Liveboard/Dashboard.
The reason being Compliance, as our internal support team want to keep a record and have process App access to link Authentication and onboarding through SSO, Okta
We have lot of users all being internal, and raising TS access Tickets for each won't be feasible, hence we need to find solution accordingly.
You can get one token i.e. full access token API for admin or equivalent user and perform import (or relevant) API operations using the full access token. You can also do the same with secret_key for org or cluster level.
POST /api/rest/2.0/auth/token/full
It would help if you can outline the workflow of your use-case as in when these user's will need to be synced with TS and who needs to perform these operations. Is it going be one time or regular on-boarding of new users?
Hi @RT , The use case is, We have an application where we have embedded TS Dashboards, currently we have implemented Token based auth using a generic id and password, so the user are not required to have access to TS to view the Dashboard, authentication is done by generic id which has access to TS, in the back-end. Now the users have request to save their own personalized view or implementation of RLS for which it is must to track the user id's and onboard them to TS as per my knowledge, So we are trying to find solution for the same.
Hi @RT and @sandeep , It would be of great help if anyone of you could help me conclude the solution , as we have POC going on and have to streamline things asap.
If i understand your use-case correctly...
You want each user's (say John) in your application who want to store their own personalised view in TS. However since you are using generic-id/username at the Backend, you are unable to achieve storing of personalised view as user John for example.
Solution is:
1. In the BE, you need to get token for user "John using cluster/org secret_key. API: POST /api/rest/2.0/auth/token/full
2. And then use the each user token to do any API call (operations such as store personalised view) so that operation is done on behalf of each user!
If this still doesn't help you, then pls provide steps in your application for use John as example.
Hi @RT , Currently what is happening is if "John" is login into our Application he is getting authenticated via SSO and after login, while accessing the TS dashboard the access is authenticated via "xyz" (generic id) doing a Token Based authentication Full access using secret key. Now as the TS embedded Dashboard is accessed using "xyz" and not "John". Due to which if "John" wants to save the view he can't and for he's personal login, as the Dashboard is getting accessed generically.
Implementation of solution 1 would need "John" to have access/onboarded to ThoughtSpot, right?
Yes!
Then user "John" should be present in TS system using JIT API or User/Create API if user doesn't exist in TS system yet and we can make John to be part of Group say APP_Users for example.
All the liveboards/dashboards can be then shared with Users in App_Users group with certain set of permision such as READ.
Now User gets to view the dashboard all my himself using his own credentials (in BE you can use obtain the token for user John using secret_key). They can then have their personalised view of Liveboard/Dashboard.
Okay, Thanks @RT