Summary and recommendation
ThoughtSpot user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
ThoughtSpot user management runs through Admin Console > User Management > Users, where administrators create, edit, deactivate, or delete accounts.
Privileges flow primarily through group membership rather than per-user settings, so getting group structure right before onboarding users is the highest-leverage step.
Roles - named collections of privileges - can be assigned directly to users or inherited via groups, and object-level share permissions (View/Edit) layer on top of that for individual Liveboards and answers.
Quick facts
| Admin console path | Admin Console > User Management > Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full system access: manage users, groups, roles, data connections, security settings, and all content. | Administrator role grants unrestricted access to all data and settings; assign with care. | |||
| Developer | Can create and manage SpotApps, embed ThoughtSpot content, access REST APIs, and manage developer-specific settings. | Cannot manage system-level admin settings unless also assigned Administrator role. | Developer privilege is a system privilege assigned via groups or roles, not a standalone user type. | ||
| Analyst (Can Manage Data) | Can upload data, create worksheets, tables, views, and manage data objects they own. | Cannot manage other users or system settings. | Privilege is granted via group membership; users without this privilege cannot upload or model data. | ||
| Business User (Viewer/Consumer) | Can view and interact with shared Liveboards and answers. Can ask questions against shared data sources if granted access. | Cannot create worksheets, upload data, or manage any system settings. | Access to specific data is controlled by row-level security (RLS) and column-level security in addition to role privileges. |
Permission model
- Model type: hybrid
- Description: ThoughtSpot uses a hybrid model combining system-level privileges (assigned via groups) and Roles (a named collection of privileges assignable to users or groups). Roles can be built-in or custom. Object-level sharing (Liveboards, answers, data objects) is managed separately via share permissions (View or Edit). Row-level security is enforced via RLS rules on worksheets.
- Custom roles: Yes
- Custom roles plan: Not documented
- Granularity: System privileges (e.g., Can Manage Data, Can Use Experimental Features), object-level share permissions (View/Edit per object), and row-level security rules on data sources.
How to add users
- Log in as an Administrator.
- Navigate to Admin Console > User Management > Users.
- Click 'Add User'.
- Enter the required fields: username, display name, email, and password (for local auth).
- Optionally assign the user to one or more groups.
- Optionally assign one or more Roles directly to the user.
- Click 'Save' to create the user.
Required fields: Username, Display name, Email address, Password (for local authentication; not required if SSO-only)
Watch out for:
- Usernames must be unique across the instance and cannot be changed after creation.
- If SAML/SSO is enforced, the password field may be ignored but is still required in the form for local account creation.
- Users created manually will not be automatically linked to IdP-provisioned accounts unless usernames match exactly.
- Group membership determines inherited privileges; a user with no group assignments has minimal system access.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Admin Console > User Management > Users > Import Users (CSV upload) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (SCIM provisioning requires Enterprise tier per official SCIM documentation) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: ThoughtSpot Cloud supports both deleting and deactivating users. Deleting a user permanently removes the account. Deactivating (setting status to 'Inactive') prevents login without removing the account or its associated content. Official docs describe both options in the Users management UI.
- Navigate to Admin Console > User Management > Users.
- Locate the user by searching or browsing the list.
- Click the user's name to open their profile.
- Change the user's status to 'Inactive'.
- Save the changes.
| Data impact | Behavior |
|---|---|
| Owned records | Content (Liveboards, answers, worksheets) owned by a deleted user is not automatically reassigned; it may become inaccessible or orphaned. Official docs recommend reassigning ownership before deletion. |
| Shared content | Content shared with other users remains accessible to those users after the owner is deactivated or deleted. |
| Integrations | Any scheduled reports or alerts owned by the deleted/deactivated user will stop functioning. |
| License freed | Deactivating or deleting a user frees the seat for reassignment, but billing impact depends on contract terms with ThoughtSpot. |
Watch out for:
- Deleting a user is irreversible; the account cannot be restored.
- Owned content (Liveboards, answers) should be transferred or documented before deletion to avoid data loss.
- Scheduled Liveboards and alerts owned by the user will cease to run after deactivation or deletion.
- SCIM-provisioned users deprovisioned via IdP are typically deactivated (not deleted) by default per SCIM spec behavior.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Essentials | Up to 50 users, 25M row limit, core analytics features | $25/user/month (annual billing) |
| Pro | Up to 500M rows, expanded analytics and embedding features | $50/user/month (annual billing) |
| Enterprise | Unlimited rows, SCIM provisioning, advanced security, custom SLA | Custom pricing (not publicly listed) |
- Where to check usage: Admin Console > User Management > Users (view total active user count); detailed usage reporting may be available under Admin Console > Usage Statistics depending on instance configuration.
- How to identify unused seats: ThoughtSpot does not expose a native 'last login date' filter in the standard Users list UI as of available documentation. Admins can use the ThoughtSpot REST API (GET /api/rest/2.0/users/search) to retrieve user metadata including last login timestamps to identify inactive accounts.
- Billing notes: Seats are billed annually based on contracted user count. Deactivating users mid-contract does not automatically reduce billing; seat reductions typically apply at renewal. Enterprise contracts are negotiated directly and may include minimum seat commitments.
The cost of manual management
ThoughtSpot is an enterprise-tier product with typical annual spend ranging from $100,000 to $500,000 or more depending on user count and data volume. SCIM provisioning is gated to the Enterprise plan, which carries custom pricing negotiated directly. Seats are billed annually on contracted count - deactivating users mid-contract does not reduce billing until renewal.
Implementation professional services are described as expensive and mandatory in available data, adding $50,000–$200,000 to initial deployment cost.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Manual provisioning is viable for small, stable teams where every app in the stack is managed individually and IdP-based automation is not yet in place.
For any organization with regular onboarding and offboarding volume, the lack of a native last-login UI filter and the risk of orphaned content on deletion make manual-only management operationally expensive at scale.
SCIM on Enterprise eliminates the provisioning overhead but requires SSO to be fully configured first - that prerequisite should be confirmed before planning a SCIM rollout.
Bottom line
ThoughtSpot's manual user management is functional but requires deliberate process design: group membership drives both UI privileges and row-level security, so incorrect assignments have data-exposure consequences, not just access consequences.
The Admin Console covers day-to-day tasks, but auditing inactive users and safely offboarding employees both require API work or strict pre-deletion checklists. Organizations on Enterprise with SSO already in place should prioritize SCIM to reduce the manual surface area;
those on Essentials or Pro should build compensating controls around the gaps the community has documented.
Automate ThoughtSpot workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
