Manage privileges and access

Manage what users and groups are allowed to do and see in Explore.

Groups and roles

Groups and roles are how users get privileges in Explore. A role is a collection of one or more privileges, though in Explore it's typically one privilege per role. Roles are assigned to groups. When you add users to a group, they automatically get the roles of that group.

Guidewire creates default groups with default roles. For more information on these groups, see Data Platform Administration Guide. You can:

Create, delete, and edit groups
Add and remove roles from groups
Add and remove users from groups

You can't:

Create new roles or edit their privileges

You can make small customizations to the default setup, or restructure it. For example, if you don't want users to download data, remove the Data Downloading role from the default Users group. Or, create a new group with the Data Downloading role and add only a select group of users.

Warning: Everyone must belong to the default Users and Guidewire Home Users groups. Do not delete these groups or remove users from them. If you want to completely restructure groups, you can remove all roles from the Users group and keep it just for app access.

Add new users to Explore

Before you begin

You must have access to manage your organization’s identity provider (IdP).
Find the default users and groups that Guidewire has set up for your Explore instance here: Data Platform Administration Guide.

Procedure

In your organization's IdP, add the user to:
- The default Users group.
- The default Guidewire Home Users group.
Optional: In your organization's IdP, add the user to the default Admins group.
Instruct the user to sign in to Explore.

Create and edit groups

Before you begin

You must have the Group Administration role.

Procedure

Create a group

In the top navigation bar, use the workspace selector to go to the Admin workspace, then select Groups > Add Group.
Give the group a Name, Display name, and Description. You don't need to use the same naming conventions as the default groups.
Under Sharing visibility, select NOT SHAREABLE if you don't want this group to appear as an option when users share Answers, Liveboards, and models.
This setting is useful if you create many groups just for managing roles, such as a group for Liveboard verifiers. Too many shareable groups can confuse users who aren't sure which one to select.
Select one or more Roles.
Select Users or Groups to add them to the new group.
Select Add.

Add or remove roles from a group

Select an existing group to open it, then select the check box next to a role.

Add or remove users from a group

For custom groups, select an existing group to open it, then select the check box next to a user.

Important: For the default groups created by Guidewire, add or remove users through your organization's identity provider (IdP). Doing this ensures that your IdP and Explore stay in sync. See Data Platform Administration Guide

All roles

Role	Explanation of privileges
Row-Level Security (RLS) Bypass	Create, edit, and delete RLS rules. Can choose to Bypass RLS on a model.
Connection Management	Edit or create connections.
Data Downloading	Download Answers and Liveboards.
Custom Calendar Management	Create, edit, or delete custom calendars.
Data Model Management	Create, edit, or delete models, views, or tables.
ThoughtSpot Sync	Use the Sync feature to set up pipelines to push data to external applications.
Liveboard Job Administration	Share Liveboards with others by email on a regular schedule.
Share With All	Share Answers and Liveboards. To share models, users must also have the Data Model Management role.
Liveboard Verification	Get verification request notifications and verify Liveboards.
SpotIQ Access	Use the SpotIQ feature.
Group Administration	Create, delete, and edit groups. Add and remove roles from groups. Add and remove users from groups.
Tag Administration	Create and delete tags. Then other people can use them to tag their Answers and Liveboards.
Spotter Access	See and use the Spotter search bar on the Insights home screen. To review user feedback and coach Spotter, users need additional permissions: To manage Spotter coaching for all models, users must also have the Data Model Management role. If you want users to manage Spotter coaching, but not edit models, give them Spotter coaching access for individual models.

Privileges for Liveboards and Answers

To share an Answer or Liveboard with specific users or groups within your organization, open the Answer or Liveboard and select Share . You can give them permission to View or Edit and add a message.

When you create and save an Answer, select Make this answer discoverable if you want other people in your organization to find it. It's discoverable by members of the same user group who have access to the Answer’s underlying data source.

Hiding data from specific groups or users

You can use the ts_groups and ts_username system variables to write formulas that hide data from specific groups or users. Use the variable to specify the group or user. For example, ts_groups = 'groupname'.

Note: For groups, use the Group name instead of the Display name.

To hide data, you have the following options:

Row-level security (RLS): Groups or users: Row-level security restricts user or group access to specific rows in a table. When the user views Answers, searches data, or works with data in any way, the restricted data doesn't display.; If you have the Row-Level Security (RLS) Bypass role, you can set up row-level security rules. In the top navigation bar, use the workspace selector to go to the Data workspace, then select Row Security. Use the ts_groups or ts_username system variables to specify groups or users. To learn how, see the ThoughtSpot documentation: How rules-based RLS works
Mask column values in an Answer or model: Groups: Masking hides the value of a column from certain groups. Anyone who can create an Answer or model can mask its data by adding a formula with the ts_groups system variable. To learn how, see the ThoughtSpot documentation: Data masking