From ce9d71a5ce64614ccdd5c4abc3275e76b64a1691 Mon Sep 17 00:00:00 2001 From: Rani Gangwar Date: Thu, 25 Jun 2026 10:25:09 +0530 Subject: [PATCH 1/4] added granular RBAC privileges --- modules/ROOT/pages/data-report-v2-api.adoc | 5 +++++ modules/ROOT/pages/roles.adoc | 13 +++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/data-report-v2-api.adoc b/modules/ROOT/pages/data-report-v2-api.adoc index 196c8361d..81b82eb3c 100644 --- a/modules/ROOT/pages/data-report-v2-api.adoc +++ b/modules/ROOT/pages/data-report-v2-api.adoc @@ -13,6 +13,8 @@ ThoughtSpot provides the following REST API v2 endpoints to fetch data: * xref:#_fetch_liveboard_api[`POST /api/rest/2.0/metadata/liveboard/data`] to get data from a Liveboard. * xref:#_fetch_answer_data_api[`POST /api/rest/2.0/metadata/answer/data`] to get data from a saved Answer. +If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to use these APIs. + === Search data API The `/api/rest/2.0/searchdata` endpoint requires you to specify the data source object ID and a query string for a successful API call. You can also define additional parameters such as `runtime_filter`, `runtime_sort`, and `runtime_param_override` to apply runtime overrides on the data set. 
@@ -231,6 +233,7 @@ To download a personalized view of the Liveboard, specify the view name in the ` * The downloadable file returned in API response file is extensionless. You need to rename the downloaded file by typing in the relevant extension. * If the Liveboard includes Note tiles, ensure that you do not pass the GUID of Note tiles as `visualization_identifiers` in the API request. Attempting to do so will lead to an error, and the API will return 400 error code in response. * Attempting to override existing filter values with runtime filters while exporting a Liveboard will result in an error. +* #If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats, and `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) for PDF or PNG exports.# ==== ==== File Formats @@ -460,6 +463,8 @@ To download Answer data via `/api/rest/2.0/report/answer` API, you need at least In the request body, specify the GUID or name of the Answer object as `metadata_identifier`. The API supports exporting saved Answers, pinned Answers from a Liveboard, and Spotter-generated Answers. You can download Answer data in `CSV`, `XLSX`, `PNG`, and `PDF` format. The default `file_format` is `CSV`. +#If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats, and `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) for PDF or PNG exports.# + ==== Example diff --git a/modules/ROOT/pages/roles.adoc b/modules/ROOT/pages/roles.adoc index 7ae0fc708..fb95f5e0d 100644 --- a/modules/ROOT/pages/roles.adoc +++ b/modules/ROOT/pages/roles.adoc 
@@ -183,12 +183,21 @@ The `DATADOWNLOADING` (**Can download Data**) Role privilege allows users to dow |Role type|Privilege|Description |Data download | API: `DATADOWNLOADING` + UI: **Can download Data**| Allows users to download data from objects such as Liveboards and Answers. -|Download visuals |API: `CAN_DOWNLOAD_VISUALS` + +|Download visuals [earlyAccess eaBackground]#Early Access# |API: `CAN_DOWNLOAD_VISUALS` + UI: *Can download visuals* |Allows users to download data in the PDF or PNG file format. This is an early access feature and is not enabled by default on ThoughtSpot instances. -|Data export |API: `CAN_DOWNLOAD_DETAILED_DATA` + +|Data export [earlyAccess eaBackground]#Early Access# |API: `CAN_DOWNLOAD_DETAILED_DATA` + UI: *Can download detailed data* | Allows users to export data in XLSX/CSV format. This is an early access feature and is not enabled by default on ThoughtSpot instances. |=== + +[IMPORTANT] +==== +* Contact ThoughtSpot support to enable the new `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA` privileges. +* Any user can either have `DATADOWNLOADING` or either or both of `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`. +* Users who previously did not have `DATADOWNLOADING` privileges will not be automatically assigned the new download privileges. Administrators can assign them manually. +* Users who previously had `DATADOWNLOADING` privileges will automatically be assigned both new privileges - `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`. +==== + == How to create and assign Roles You can create and assign Roles to a group on the link:https://docs.thoughtspot.com/cloud/latest/rbac[Admin page of the UI, window=_blank] or by using the REST API v1 and v2 endpoints. From 2473acbbe3f88e15d25823a0fb03d21f298eecb3 Mon Sep 17 00:00:00 2001 
From: Rani Gangwar Date: Thu, 25 Jun 2026 10:59:42 +0530 Subject: [PATCH 2/4] added granular RBAC privileges --- modules/ROOT/pages/data-report-v2-api.adoc | 6 +++--- modules/ROOT/pages/roles.adoc | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/ROOT/pages/data-report-v2-api.adoc b/modules/ROOT/pages/data-report-v2-api.adoc index 81b82eb3c..6f65e4327 100644 --- a/modules/ROOT/pages/data-report-v2-api.adoc +++ b/modules/ROOT/pages/data-report-v2-api.adoc @@ -13,7 +13,7 @@ ThoughtSpot provides the following REST API v2 endpoints to fetch data: * xref:#_fetch_liveboard_api[`POST /api/rest/2.0/metadata/liveboard/data`] to get data from a Liveboard. * xref:#_fetch_answer_data_api[`POST /api/rest/2.0/metadata/answer/data`] to get data from a saved Answer. -If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to use these APIs. +#If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to use these APIs.# === Search data API 
@@ -233,7 +233,7 @@ To download a personalized view of the Liveboard, specify the view name in the ` * The downloadable file returned in API response file is extensionless. You need to rename the downloaded file by typing in the relevant extension. * If the Liveboard includes Note tiles, ensure that you do not pass the GUID of Note tiles as `visualization_identifiers` in the API request. Attempting to do so will lead to an error, and the API will return 400 error code in response. * Attempting to override existing filter values with runtime filters while exporting a Liveboard will result in an error. -* #If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats, and `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) for PDF or PNG exports.# +* #If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats. Meanwhile, `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) privilege is required for PDF or PNG exports.# ==== ==== File Formats 
@@ -463,7 +463,7 @@ To download Answer data via `/api/rest/2.0/report/answer` API, you need at least In the request body, specify the GUID or name of the Answer object as `metadata_identifier`. The API supports exporting saved Answers, pinned Answers from a Liveboard, and Spotter-generated Answers. You can download Answer data in `CSV`, `XLSX`, `PNG`, and `PDF` format. The default `file_format` is `CSV`. -#If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats, and `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) for PDF or PNG exports.# +#If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats. Meanwhile, `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) privilege is required for PDF or PNG exports.# ==== Example diff --git a/modules/ROOT/pages/roles.adoc b/modules/ROOT/pages/roles.adoc index fb95f5e0d..386387bdf 100644 --- a/modules/ROOT/pages/roles.adoc +++ b/modules/ROOT/pages/roles.adoc 
@@ -189,11 +189,11 @@ UI: *Can download visuals* |Allows users to download data in the PDF or PNG fil UI: *Can download detailed data* | Allows users to export data in XLSX/CSV format. This is an early access feature and is not enabled by default on ThoughtSpot instances. |=== - +#For review# [IMPORTANT] ==== * Contact ThoughtSpot support to enable the new `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA` privileges. -* Any user can either have `DATADOWNLOADING` or either or both of `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`. +* A user can either have `DATADOWNLOADING` or either or both of `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`. * Users who previously did not have `DATADOWNLOADING` privileges will not be automatically assigned the new download privileges. Administrators can assign them manually. * Users who previously had `DATADOWNLOADING` privileges will automatically be assigned both new privileges - `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`. ==== From 2f7c09d152a4dac1e901538c510943d25cf6f608 Mon Sep 17 00:00:00 2001 From: Rani Gangwar Date: Thu, 25 Jun 2026 13:31:09 +0530 Subject: [PATCH 3/4] feedback edits --- modules/ROOT/pages/data-report-v2-api.adoc | 11 ++++++++--- modules/ROOT/pages/roles.adoc | 2 +- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/modules/ROOT/pages/data-report-v2-api.adoc b/modules/ROOT/pages/data-report-v2-api.adoc index 6f65e4327..b7f758ed0 100644 --- a/modules/ROOT/pages/data-report-v2-api.adoc +++ b/modules/ROOT/pages/data-report-v2-api.adoc 
@@ -13,7 +13,7 @@ ThoughtSpot provides the following REST API v2 endpoints to fetch data: * xref:#_fetch_liveboard_api[`POST /api/rest/2.0/metadata/liveboard/data`] to get data from a Liveboard. * xref:#_fetch_answer_data_api[`POST /api/rest/2.0/metadata/answer/data`] to get data from a saved Answer. -#If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to use these APIs.# +#If Role-Based Access Control (RBAC) is enabled, the `DATADOWNLOADING` (Can download Data) privilege is required to use these APIs. Alternatively, if the granular data download RBAC privileges are enabled for your ThoughtSpot instance, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) is required.# === Search data API 
@@ -233,7 +233,8 @@ To download a personalized view of the Liveboard, specify the view name in the ` * The downloadable file returned in API response file is extensionless. You need to rename the downloaded file by typing in the relevant extension. * If the Liveboard includes Note tiles, ensure that you do not pass the GUID of Note tiles as `visualization_identifiers` in the API request. Attempting to do so will lead to an error, and the API will return 400 error code in response. * Attempting to override existing filter values with runtime filters while exporting a Liveboard will result in an error. -* #If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats. Meanwhile, `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) privilege is required for PDF or PNG exports.# +* #If Role-Based Access Control (RBAC) is enabled, `DATADOWNLOADING` (Can download Data) privilege is required for Liveboard exports.# +* #If the granular Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) privilege is required to export in the XLSX or CSV formats, and the `CAN_DOWNLOAD_VISUALS` (Can download visuals) privilege is required for PDF or PNG exports. In this case the `DATADOWNLOADING` privilege ceases to exist# ==== ==== File Formats 
@@ -463,8 +464,12 @@ To download Answer data via `/api/rest/2.0/report/answer` API, you need at least In the request body, specify the GUID or name of the Answer object as `metadata_identifier`. The API supports exporting saved Answers, pinned Answers from a Liveboard, and Spotter-generated Answers. You can download Answer data in `CSV`, `XLSX`, `PNG`, and `PDF` format. The default `file_format` is `CSV`. -#If Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) or `DATADOWNLOADING` (Can download Data) privilege is required to export in the XLSX or CSV formats. Meanwhile, `CAN_DOWNLOAD_VISUALS` (Can download visuals) or `DATADOWNLOADING` (Can download Data) privilege is required for PDF or PNG exports.# +[IMPORTANT] +==== +* #If Role-Based Access Control (RBAC) is enabled, `DATADOWNLOADING` (Can download Data) privilege is required for Answer exports.# +* #If the granular Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) privilege is required to export in the XLSX or CSV formats, and the `CAN_DOWNLOAD_VISUALS` (Can download visuals) privilege is required for PDF or PNG exports. In this case the `DATADOWNLOADING` privilege ceases to exist# +==== ==== Example diff --git a/modules/ROOT/pages/roles.adoc b/modules/ROOT/pages/roles.adoc index 386387bdf..8b085bbeb 100644 --- a/modules/ROOT/pages/roles.adoc +++ b/modules/ROOT/pages/roles.adoc 
@@ -193,7 +193,7 @@ UI: *Can download detailed data* | Allows users to export data in XLSX/CSV forma [IMPORTANT] ==== * Contact ThoughtSpot support to enable the new `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA` privileges. -* A user can either have `DATADOWNLOADING` or either or both of `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`. +* Once these granular privileges are enabled, the `DATADOWNLOADING` privilege will cease to exit. * Users who previously did not have `DATADOWNLOADING` privileges will not be automatically assigned the new download privileges. Administrators can assign them manually. * Users who previously had `DATADOWNLOADING` privileges will automatically be assigned both new privileges - `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`. ==== From 751cf958582b73692b7b36e6c4e723a27c61036d Mon Sep 17 00:00:00 2001 From: Rani Gangwar Date: Thu, 25 Jun 2026 14:07:24 +0530 Subject: [PATCH 4/4] feedback edits --- modules/ROOT/pages/data-report-v2-api.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/data-report-v2-api.adoc b/modules/ROOT/pages/data-report-v2-api.adoc index b7f758ed0..87d6797b7 100644 --- a/modules/ROOT/pages/data-report-v2-api.adoc +++ b/modules/ROOT/pages/data-report-v2-api.adoc 
@@ -468,7 +468,7 @@ The API supports exporting saved Answers, pinned Answers from a Liveboard, and S [IMPORTANT] ==== * #If Role-Based Access Control (RBAC) is enabled, `DATADOWNLOADING` (Can download Data) privilege is required for Answer exports.# -* #If the granular Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) privilege is required to export in the XLSX or CSV formats, and the `CAN_DOWNLOAD_VISUALS` (Can download visuals) privilege is required for PDF or PNG exports. In this case the `DATADOWNLOADING` privilege ceases to exist# +* #If the granular Role-Based Access Control (RBAC) is enabled, the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) privilege is required to export in the PDF, XLSX or CSV formats, and the `CAN_DOWNLOAD_VISUALS` (Can download visuals) privilege is required for PNG exports. In this case the `DATADOWNLOADING` privilege ceases to exist# ==== ==== Example
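Review bot: In [PATCH 1/4], the new [IMPORTANT] block in the roles.adoc hunk (`@@ -183,12 +183,21 @@`) describes the migration per user ("Users who previously had `DATADOWNLOADING` privileges will automatically be assigned both new privileges"), while the surrounding page treats these as Role privileges and says Roles are assigned to a group. Please state whether the automatic assignment changes existing Roles or individual users. Also consider adding that, because every former `DATADOWNLOADING` holder receives both `CAN_DOWNLOAD_VISUALS` and `CAN_DOWNLOAD_DETAILED_DATA`, access only narrows once an administrator removes one of them.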
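Review bot: In [PATCH 2/4], the roles.adoc hunk (`@@ -189,11 +189,11 @@`) replaces the blank line before `[IMPORTANT]` with a `#For review#` marker, and going by the diffstats no later patch removes it (3/4 changes a single line in roles.adoc, 4/4 does not touch the file). Drop the marker and restore the blank line before merge. The same applies to the bare `#...#` marks wrapped around the RBAC sentences in data-report-v2-api.adoc, unless they are meant to be published.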
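Review bot: In [PATCH 3/4], the rewritten sentence in the `@@ -13,7 +13,7 @@` hunk ends with "the `CAN_DOWNLOAD_DETAILED_DATA` (Can download detailed data) is required", which is missing the word "privilege". The patch also names the feature "granular data download RBAC privileges" here but "the granular Role-Based Access Control (RBAC)" in the Liveboard and Answer notes. Use one name throughout so readers can tell that both refer to the setting roles.adoc says ThoughtSpot support has to enable.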
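Review bot: In [PATCH 3/4], the two bullets added in the `@@ -233,7 +233,8 @@` hunk read as if both apply at once: the first still requires `DATADOWNLOADING` whenever RBAC is enabled, and the second then says "In this case the `DATADOWNLOADING` privilege ceases to exist". Scope the first bullet to instances where the granular privileges are not enabled, and say what happens to existing Roles that carry `DATADOWNLOADING` once it is gone. That last sentence is also missing its final period before the closing `#`. The identical pair of bullets in the `@@ -463,8 +464,12 @@` hunk needs the same changes.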
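Review bot: In [PATCH 3/4], the replacement bullet in the roles.adoc hunk (`@@ -193,7 +193,7 @@`) has a typo: "the `DATADOWNLOADING` privilege will cease to exit" should read "cease to exist". The data-report-v2-api.adoc notes in the same patch use "ceases to exist", so this is the only occurrence to fix.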
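Review bot: In [PATCH 4/4], moving PDF under `CAN_DOWNLOAD_DETAILED_DATA` for Answer exports makes the series contradict itself. The Liveboard bullet from 3/4 still requires `CAN_DOWNLOAD_VISUALS` "for PDF or PNG exports", and the roles.adoc table from 1/4 still describes `CAN_DOWNLOAD_VISUALS` as "PDF or PNG" and `CAN_DOWNLOAD_DETAILED_DATA` as "XLSX/CSV". If PDF handling really differs between Answer and Liveboard exports, say so in both notes and in the table. Otherwise align all three, since administrators will decide which privilege to grant from the roles.adoc table.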