{
"type": "FORMULA_VARIABLE",
"name": "country_var",
"is_sensitive": false,
"data_type": "VARCHAR"
}ABAC via RLS with variables
Table of Contents
Attribute-Based Access Control (ABAC) is an access control model in which security entitlements are assigned to a ThoughtSpot user directly as a set of attributes with lists of values, rather than relying on a JOINed entitlements table within the data model.
ThoughtSpot allows assigning attribute values to a user at session creation time by adding the values to the userβs access token request.
RLS rules are defined on table objects, which bind dynamically generated WHERE clauses to any generated query. Within RLS rules, attributes are referenced by their variable names using the ts_var() function to dynamically filter data and enable user-specific security policies.
Overviewπ
RLS rules have a defined set of system variables such as ts_username or ts_groups. Once ABAC via RLS is enabled, the ts_var() formula is available within the RLS rule editor to refer to any defined Formula variable within ThoughtSpot.
Formula variables are custom variables defined within ThoughtSpot that enable dynamic and context-aware logic in RLS rules. They are assigned at the user level during session creation for the ABAC pattern, although they can be set at Org and data model levels as well.
Implementation stepsπ
|
Note
|
Formula variables are available on ThoughtSpot starting from 10.15.0.cl. If this feature is not enabled on your instance, contact ThoughtSpot Support. |
The ABAC implementation with formula variables and RLS rules includes the following steps:
-
Creating formula variables
To generate tokens with variable attributes, the variables must be available in ThoughtSpot. To create variables, use the Variable REST API. -
Adding RLS rules with formula variables
When defining an RLS rule with variables, use thets_varfunction. These RLS rules will apply to the Models, Liveboards, and other objects derived from that Table. A formula variable must be defined before it can be used in an RLS rule. -
Creating a token request with variable attributes
Attribute values are assigned to users by requesting a token using the/api/rest/2.0/auth/token/customREST API endpoint. -
Verifying entitlements
To ensure data security rules are applied, check user entitlements and verify that they are translated accurately during query generation. Variables and their assigned values are visible to administrators using the/api/rest/2.0/template/variables/searchendpoint with theresponse_contentparameter set toMETADATA_AND_VALUES.
Indexingπ
Several features within ThoughtSpot, such as autocompletion in Search on values within columns, use ThoughtSpot indexing. Due to the runtime nature of ABAC tokens, ThoughtSpot indexing will not be restricted by the values supplied in a token. This means the indexed columns may expose values in search suggestions or autocompletion that a user should not see, even if ABAC filters would block access to the underlying data. To prevent this, you can do one of the following:
-
Disable indexing for columns and fields that must be restricted by ABAC. You may also want to disable indexing on all sensitive columns.
-
Define an RLS rule on those fields, since RLS is enforced at the indexing layer and will secure suggestions and sample values.
Create formula variablesπ
Formula variables must be defined in ThoughtSpot before they can be used in any RLS rule via the ts_var() formula.
To view the variables available on your instance, use the POST /api/rest/2.0/template/variables/search API call.
To create a new variable, use the /api/rest/2.0/template/variables/create API endpoint.
To configure formula variables for all Orgs on your instance or the Primary Org, cluster administration privileges are required. Org administrators can configure formula variables for their respective Orgs. Users with the CAN_MANAGE_VARIABLES (Can manage variables) role privilege can also create and manage variables for their Org context.
The /api/rest/2.0/template/variables/create API endpoint allows creating formula variables for the following data types:
-
VARCHAR -
INT32 -
INT64 -
DOUBLE -
DATE -
DATE_TIME
During variable creation, specify the data_type.
Formula variables for BOOLEAN and TIME data types are not supported.
The variable update API (/api/rest/2.0/template/variables/{identifier}/update) allows updating the variable name and other attributes of the variable definition, but not the values assigned to users or other principals.
Variable values are set either by generating a token using the /api/rest/2.0/auth/token/custom API endpoint or via the Update Variable Values REST API.
Add or update RLS rules with variable referencesπ
RLS rules are defined on Table objects:
-
Navigate to the Data workspace and click the Table for which to define RLS rules.
-
Click Row security and then click + Add row security.
-
In the Row Security Editor, define the rules. To reference the formula variable in the rule, use the
ts_var(varName)function, with no quotes around the formula variable name. For example, to limit a column calledregionto the values set in a formula variable calledregion_var, set the RLS rule to:region = ts_var(region_var).
|
Note
|
Variable values are set through the token request. The RLS rule specifies how the values will be used in the generated RLS WHERE clauses in the SQL. |
RLS rule examplesπ
RLS rules must always evaluate logically to SQL boolean TRUE or FALSE.
If a user has no variable values for a given formula variable, this results in FALSE.
There is a special wildcard value ['TS_WILDCARD_ALL'] that a formula variable can be set to represent "Allow all".
In this example, customer represents the customer column in the table, and customer_var represents a variable. If the value of customer_var is set to TS_WILDCARD_ALL, the user can access all customers in the column.
customer = ts_var(customer_var)
RLS rule with a single variable referenceπ
In this formula example, country refers to the "country" column in the data table, and country_var is the variable.
country = ts_var(country_var)
If country_var is assigned a single value, the user is permitted to view only rows where the country column matches that value.
If country_var is assigned multiple values, the formula translates to country IN ('value1', 'value2', β¦β). The query engine interprets = as the IN clause in this case and returns rows that match these values; for example, WHERE country IN ('Australia', 'Germany').
RLS rules with multiple variablesπ
The RLS rules support the AND operator, which means that you can combine multiple conditions in a single RLS rule, so that a row is accessible only if all the specified conditions are met.
The following rule restricts data access to rows if the country column in the data table matches the value assigned to country_var and the Department column matches the value assigned to department_var for that user.
country = ts_var(country_var) AND Department = ts_var(department_var)
The rule in this example restricts data access to rows where the region column in the table matches the value assigned to region_var and the product column matches the value assigned to product_var.
region = ts_var(region_var) AND product = ts_var(product_var)
Group override rule with variable-based checkπ
In any security formula you build, you may want a clause that gives access to all data to certain groups. In the rule definition, you can include system variables, such as ts_groups, to build your preferred logic:
In this example, users can access data if they are in the "data developers" group, or if the Department column matches the value assigned to their department_var variable.
'data developers' in ts_groups OR Department = ts_var(department_var)
Variables with numeric and Date data typesπ
The following rule enforces a numeric threshold and restricts access to rows where the Revenue value is less than or equal to the value provided by the revenue_cap_var variable.
Revenue <= to_double(ts_var(revenue_cap_var))
The following rule restricts access to rows where the date_column is within the range defined by the start_date_var and end_date_var variables. Only rows with dates greater than or equal to the start date and less than or equal to the end date specified for these variables will be visible for the user.
(date_column >= ts_var(start_date_var)) AND (date_column <= ts_var(end_date_var))
Create an ABAC token request with variable attributesπ
To set or update variable values for a user, use the POST /api/rest/2.0/auth/token/custom endpoint when logging in the user.
You can also use the /api/rest/2.0/template/variables/update-values endpoint for bulk operations or targeted resets.
The variable attributes defined in the token request take effect only if they are referenced in an RLS rule. If the variables are not used in any formula or RLS rule, they have no impact on data access. Before generating the request with variable attributes, ensure that the variables are added to the RLS rules for the table.
In the token request, include the following properties along with the username, secret_key:
-
variable_values -
persist_option
Optionally, you can specify the objects and org_identifier to set the scope of access control.
Variable valuesπ
The variable_values array requires the following parameters:
-
name
String. Name of the formula variable. The formula variable referenced on the token request must be available in ThoughtSpot and included in the RLS rule. -
values
Array of strings or numeric values. When assigning values, ensure the data format of the values matches the data type set for that variable. If you are adding a variable to filter by country with theVARCHARdata type, specify string values as shown in this example:
"variable_values": [
{
"name": "country_var",
"values": [
"Japan",
"Singapore",
"Australia"
]
}
]All values are passed into the token as arrays of strings, even if the column is a numeric or date type in ThoughtSpot and the database. The column data type will be respected in the query issued to the database.
Allow all wildcard valueπ
To allow all values for a given field, set the formula variable value to an array using the wildcard: ["TS_WILDCARD_ALL"].
In this example, the user is allowed all access for one variable, while for the other, specific values are set.
"variable_values": [
{
"name": "product_var",
"values": ["TS_WILDCARD_ALL"]
},
{
"name": "country_var",
"values": [
"Japan",
"Singapore",
"Australia"
]
}
]If TS_WILDCARD_ALL is set for variable attributes, ensure that the RLS rules are defined clearly on the Table to avoid unintended data exposure.
Deny all by defaultπ
For every variable included in the token request, you can assign one or more values. All variables referenced in RLS rules are required. If a variable is not assigned any value, query generation fails with the following error:
Error in loading data
No values are assigned to some or all Formula Variables
Due to this error, no data is returned, effectively denying all data access for the user.
Persist options and session-based rulesπ
Variable attributes must be persisted for them to apply.
To append or replace attribute values for a user, use one of the following persist_option values in the token request:
-
REPLACE
Replaces the full set of existing variable assignments with the new values from the token request. -
APPEND
Adds the attribute values defined in the API request to the existing attribute values for the user.
If you donβt want to append or replace any attribute values, do not pass any details about the variable in the token update request.
|
Note
|
|
Resetting a user or a variableπ
Passing an empty array along with a formula variable name in the token request does not reset the attribute values for that formula variable for that user.
To change formula variable attributes of a user, especially to set entitlements to an empty set, use the /api/rest/2.0/template/variables/update-values API endpoint.
|
Warning
|
The |
A formula variable exists across all Orgs in ThoughtSpot, but the values are recorded on a per Org and per Principal basis. To use the Update Variable Values REST API, youβll need to provide the org_identifier as well as the username as principal_identifier and set principal_type to USER as seen below:
{
"variable_assignment": [
{
"variable_identifier": "country_var",
"variable_values": [],
"operation": "REPLACE"
}
],
"variable_value_scope": [
{
"org_identifier": "Prod",
"principal_type": "USER",
"principal_identifier": "jane.smith@company.com"
}
]
}The above command results in jane.smith@company.com being denied any access when country_var is used in an RLS rule.
|
Note
|
Do not use the |
Session-based ABAC and one-time usersπ
The ability to set variable values only for the current session, previously achieved by setting persist_option: NONE, is not supported with RLS via ABAC.
For session-based rules, create dedicated one-time user accounts for your application users and apply persisted rules. Unless specifically stated in your contract, there is no limit to the number of users that can be created and provisioned in ThoughtSpot.
This approach ensures that Liveboard schedule attachments enforce security rules and deliver only secured output to your end users. When combined with cookieless authentication, this configuration addresses all use cases that previously relied on session-based JWT.
You can simplify user provisioning and programmatically manage user creation and deletion workflows using ThoughtSpotβs REST APIs.
Variable scopeπ
To restrict the scope of variable attributes and rules to a specific Org context and object, define org_identifier and objects.
Apply to specific objectsπ
To apply variable entitlements to a specific object, specify the object IDs in the objects array as shown in this example:
"objects": [
{
// example of the format
"type": "{OBJECT_TYPE}",
"identifier": "{id or name of the object}"
},
{
"type": "LOGICAL_TABLE",
"identifier": "9b751df2-d344-4850-9756-18535797378c"
}
]The API supports only the LOGICAL_TABLE object type.
If the object ID is not specified in the API request, the variable values will be applied to all formulas and rules that use those variables, across all objects in the Org for that user.
The following example shows the request body for generating a token with formula variable attributes scoped to a particular Model object:
{
"username": "UserA",
"validity_time_in_sec": 300,
"persist_option": "APPEND",
"auto_create": true,
"secret_key": "f8aa445b-5ff1-4a35-a58f-e324133320d5",
"variable_values": [
{
"name": "product_var",
"values": [
"TS_WILDCARD_ALL"
]
},
{
"name": "country_var",
"values": [
"Japan",
"Singapore",
"Australia"
]
}
],
"objects": [
{
"type": "LOGICAL_TABLE",
"identifier": "35aa85fe-fbb4-4862-a335-f69679ebb6e0"
}
]
}Apply to Org contextπ
The org_identifier attribute in the token request specifies the Org context for the user session and entitlements.
If the org_identifier parameter is not defined in the token request, the token is issued for the userβs last logged-in Org. For new users, the token will be assigned to the default Org on their instance.
To apply variable entitlements to a user session, you must ensure that the RLS rules with variables and relevant objects are available in the Org context specified in the token request.
|
Note
|
ThoughtSpot access tokens are JWTs that are compressed by default to handle large payloads. It is recommended to keep the compression enabled to ensure all tokens can get properly interpreted by the application regardless of their size, and to obfuscate the values passed in the payload. If you want to disable it, contact ThoughtSpot Support. |
Verify the entitlementsπ
You can also use the POST /api/rest/2.0/template/variables/search API call to get the list of variables assigned to a specific user, Org, and Model.
Set the response_content parameter to METADATA_AND_VALUES to see the values that have been set for each user per Org:
{
"record_offset": 0,
"record_size": -1,
"response_content": "METADATA_AND_VALUES"
}This results in the following response:
[
{ "id":"d3abc655-b706-4f91-90ea-cc26bc966d46",
"name":"country_var",
"variable_type":"FORMULA_VARIABLE",
"sensitive":false,
"values":[
{
"value": null,
"value_list": ["CustomerC","CustomerD"],
"org_identifier": "Prod",
"principal_type": "USER",
"principal_identifier": "ron.smith@company.com",
"model_identifier": null,
"priority": null
},{
"value": null,
"value_list": null,
"org_identifier": "Prod",
"principal_type": "USER",
"principal_identifier": "jane.smith@company.com",
"model_identifier": null,
"priority": null
}
]
}
]To verify the entitlements:
-
Log in to your app with a user account that does not have the Can administer and bypass RLS privilege, and initiate the user session with the ABAC token.
-
Access a Liveboard, Saved Answer, or start a new search query.
-
Inspect the generated SQL for your query or visualization.
-
Verify the rules and check whether only the permitted rows are displayed.
-
Verify whether data is displayed when no variable values are defined.
-
Repeat the steps for different variable assignments to confirm the RLS rule is enforced as expected for all scenarios.
Additional resourcesπ
-
For information about variables and variable APIs, see Variables and Variable APIs.
-
For information about RLS rules, see RLS rules and ThoughtSpot product documentation.