From 87e5538be241d0585b53fb6a9a937b7e76a8db78 Mon Sep 17 00:00:00 2001 From: Piyush Tayal Date: Tue, 9 Dec 2025 10:12:16 +0530 Subject: [PATCH] security settings playground --- api-spec/openapiSpecv3-2_0.json | 945 ++++++++++++++++++++++++++++++-- 1 file changed, 896 insertions(+), 49 deletions(-) diff --git a/api-spec/openapiSpecv3-2_0.json b/api-spec/openapiSpecv3-2_0.json index 42be582a..9151394d 100644 --- a/api-spec/openapiSpecv3-2_0.json +++ b/api-spec/openapiSpecv3-2_0.json @@ -85,6 +85,14 @@ ], "description": "Roles for version 9.9.0.cl" }, + { + "name": "26.2.0.cl", + "id": "26.2.0.cl", + "tags": [ + "26.2.0.cl" + ], + "description": "Roles for version 26.2.0.cl" + }, { "name": "9.6.0.cl", "id": "9.6.0.cl", 
@@ -332,10 +340,10 @@ "/api/rest/2.0/ai/data-source-suggestions": { "post": { "operationId": "getDataSourceSuggestions", - "description": "\nBeta Version: 10.13.0.cl or later\n\nProvides relevant data source recommendations for a user-submitted natural language query.\n\nTo use this API, the user must have at least view-level access to the underlying metadata entities referenced in the response.\n\n#### Usage guidelines\n\nThe request must include a `query` string via the request body.\n\nThe returned results include metadata such as:\n- `confidence`: a float indicating the model's confidence in the relevance of each recommendation\n- `details`: includes `data_source_identifier`, `data_source_name`, and `description` of each recommended data source\n- `reasoning`: rationale provided by the LLM to explain why each data source was recommended\n\nIf the API request is successful, ThoughtSpot returns a ranked list of data sources, each annotated with relevant reasoning.\n\n> ###### Note:\n> * This endpoint is currently in Beta. 
Breaking changes may be introduced before it is made Generally Available.\n> * This endpoint requires Spotter — please contact ThoughtSpot Support to enable Spotter on your cluster.\n\n\n\n\n#### Endpoint URL\n", + "description": "\nBeta Version: 10.15.0.cl or later\n\nProvides relevant data source recommendations for a user-submitted natural language query.\n\nTo use this API, the user must have at least view-level access to the underlying metadata entities referenced in the response.\n\n#### Usage guidelines\n\nThe request must include a `query` string via the request body.\n\nThe returned results include metadata such as:\n- `confidence`: a float indicating the model's confidence in the relevance of each recommendation\n- `details`: includes `data_source_identifier`, `data_source_name`, and `description` of each recommended data source\n- `reasoning`: rationale provided by the LLM to explain why each data source was recommended\n\nIf the API request is successful, ThoughtSpot returns a ranked list of data sources, each annotated with relevant reasoning.\n\n> ###### Note:\n> * This endpoint is currently in Beta. Breaking changes may be introduced before it is made Generally Available.\n> * This endpoint requires Spotter — please contact ThoughtSpot Support to enable Spotter on your cluster.\n\n\n\n\n#### Endpoint URL\n", "tags": [ "AI", - "10.13.0.cl" + "10.15.0.cl" ], "requestBody": { "content": { 
@@ -686,10 +694,10 @@ "/api/rest/2.0/ai/agent/{conversation_identifier}/converse": { "post": { "operationId": "sendAgentMessage", - "description": "\nBeta Version: 10.13.0.cl or later\n\nThis API allows users to initiate or continue an agent (Spotter) conversation by submitting one or more natural language messages. \nTo use this API, the user must have access to the relevant conversational session (via conversation_identifier) and submit at least one message.\n\n\n#### Usage guidelines\n\nTo initiate or continue a conversation, the request must include:\n- `conversation_identifier`: a unique session ID for continuity and message tracking\n- `messages`: an array of one or more text messages, each with a value and type\n\nThe API returns a array of object with a type, message, and metadata.\n- `type`: Type of the message — text, answer, or error.\n- `message`: Main content of the response.\n- `metadata`: Additional info depending on the message type.\n\n> ###### Note:\n> * This endpoint is currently in Beta. Breaking changes may be introduced before the endpoint is made Generally Available.\n> * This endpoint requires Spotter - please contact ThoughtSpot support to enable Spotter on your cluster.\n\n\n\n#### Endpoint URL\n", + "description": "\nBeta Version: 10.15.0.cl or later\n\nThis API allows users to initiate or continue an agent (Spotter) conversation by submitting one or more natural language messages. 
\nTo use this API, the user must have access to the relevant conversational session (via conversation_identifier) and submit at least one message.\n\n\n#### Usage guidelines\n\nTo initiate or continue a conversation, the request must include:\n- `conversation_identifier`: a unique session ID for continuity and message tracking\n- `messages`: an array of one or more text messages, each with a value and type\n\nThe API returns a array of object with a type, message, and metadata.\n- `type`: Type of the message — text, answer, or error.\n- `message`: Main content of the response.\n- `metadata`: Additional info depending on the message type.\n\n> ###### Note:\n> * This endpoint is currently in Beta. Breaking changes may be introduced before the endpoint is made Generally Available.\n> * This endpoint requires Spotter - please contact ThoughtSpot support to enable Spotter on your cluster.\n\n\n\n#### Endpoint URL\n", "tags": [ "AI", - "10.13.0.cl" + "10.15.0.cl" ], "requestBody": { "content": { 
@@ -2055,7 +2063,7 @@ "/api/rest/2.0/connection-configurations/create": { "post": { "operationId": "createConnectionConfiguration", - "description": "\n Version: 10.12.0.cl or later\n\nCreates an additional configuration to an existing connection to a data warehouse. \n\nRequires `DATAMANAGEMENT` (**Can manage data**) or `ADMINISTRATION` (**Can administer ThoughtSpot**) privilege.\n\nIf [Role-Based Access Control (RBAC)](https://developers.thoughtspot.com/docs/rbac) is enabled on your instance, the `CAN_CREATE_OR_EDIT_CONNECTIONS` (**Can create/edit Connections**) privilege is required.\n\n#### Usage guidelines\n\n * A JSON map of configuration attributes in `configuration`. The following example shows the configuration attributes:\n ```\n {\n \"user\":\"DEV_USER\",\n \"password\":\"TestConn123\",\n \"role\":\"DEV\",\n \"warehouse\":\"DEV_WH\"\n }\n ```\n\n* If the `policy_type` is `PRINCIPALS`, then `policy_principals` is a required field.\n* If the `policy_type` is `PROCESSES`, then `policy_processes` is a required field.\n* If the `policy_type` is `NO_POLICY`, then `policy_principals` and `policy_processes` are not required fields.\n\n\n\n\n#### Endpoint URL\n", + "description": "\n Version: 10.12.0.cl or later\n\nCreates an additional configuration to an existing connection to a data warehouse. \n\nRequires `DATAMANAGEMENT` (**Can manage data**) or `ADMINISTRATION` (**Can administer ThoughtSpot**) privilege.\n\nIf [Role-Based Access Control (RBAC)](https://developers.thoughtspot.com/docs/rbac) is enabled on your instance, the `CAN_CREATE_OR_EDIT_CONNECTIONS` (**Can create/edit Connections**) privilege is required.\n\n#### Usage guidelines\n\n * A JSON map of configuration attributes in `configuration`. 
The following example shows the configuration attributes:\n ```\n {\n \"user\":\"DEV_USER\",\n \"password\":\"TestConn123\",\n \"role\":\"DEV\",\n \"warehouse\":\"DEV_WH\"\n }\n ```\n\n* If the `policy_type` is `PRINCIPALS`, then `policy_principals` is a required field.\n* If the `policy_type` is `PROCESSES`, then `policy_processes` is a required field.\n* If the `policy_type` is `NO_POLICY`, then `policy_principals` and `policy_processes` are not required fields.\n\n#### Parameterized Connection Support\nFor parameterized connections that use OAuth authentication, only the same_as_parent and policy_process_options attributes are allowed in the API request. These attributes are not applicable to connections that are not parameterized.\n\n\n\n\n\n#### Endpoint URL\n", "tags": [ "Connection Configurations", "10.12.0.cl" @@ -2078,6 +2086,20 @@ "description": "Unique ID or name of the connection.", "type": "string" }, + "same_as_parent": { + "description": "Specifies whether the connection configuration should inherit all properties and authentication\ntype from its parent connection. This attribute is only applicable to parameterized connections.\nWhen set to true, the configuration uses only the connection properties and authentication type\ninherited from the parent.
Version: 26.2.0.cl or later", + "default": false, + "type": "boolean", + "nullable": true + }, + "policy_process_options": { + "description": "This attribute is only applicable to parameterized connections. Ensure that the policy is\nset to Processes to allow the configuration to be used exclusively for system processes.
Version: 26.2.0.cl or later", + "allOf": [ + { + "$ref": "#/components/schemas/PolicyProcessOptionsInput" + } + ] + }, "authentication_type": { "description": "Type of authentication used for the connection.", "default": "SERVICE_ACCOUNT", 
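Review bot: The new `same_as_parent` property on the create request does not say what happens when `authentication_type` or `configuration` is sent together with `same_as_parent: true`, so a caller cannot tell whether supplied credentials are rejected or silently ignored in favour of the parent's. Because this decides which credentials the configuration ends up using, the description should state it, for example by appending `If set to true, authentication_type and configuration values in the request are <rejected|ignored>.` with the actual behaviour filled in. The `policy_process_options` text says the policy must be "set to Processes", while the operation description uses the enum value; `policy_type` must be `PROCESSES` would be unambiguous. The `properties` object starts and ends outside this hunk.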
@@ -2271,7 +2293,7 @@ "/api/rest/2.0/connection-configurations/{configuration_identifier}/update": { "post": { "operationId": "updateConnectionConfiguration", - "description": "\n Version: 10.12.0.cl or later\n\nUpdates a connection configuration object.\n\nRequires `DATAMANAGEMENT` (**Can manage data**) and edit permissions to the connection object, or `ADMINISTRATION` (**Can administer ThoughtSpot**) privilege.\n\nIf [Role-Based Access Control (RBAC)](https://developers.thoughtspot.com/docs/rbac) is enabled on your instance, the `CAN_CREATE_OR_EDIT_CONNECTIONS` (**Can create/edit Connections**) privilege is required.\n\n#### Supported operations\nThis API endpoint lets you perform the following operations in a single API request:\n\n * Edit the name or description of the configuration\n * Edit the configuration properties\n * Edit the `policy_type`\n * Edit the type of authentication\n * Enable or disable a configuration\n\n **NOTE**: When updating a configuration where `disabled` is `true`, you must reset `disabled` to `true` in your update request payload. 
If not explicitly set again, the API will default `disabled` to `false`.\n \n\n\n\n#### Endpoint URL\n", + "description": "\n Version: 10.12.0.cl or later\n\nUpdates a connection configuration object.\n\nRequires `DATAMANAGEMENT` (**Can manage data**) and edit permissions to the connection object, or `ADMINISTRATION` (**Can administer ThoughtSpot**) privilege.\n\nIf [Role-Based Access Control (RBAC)](https://developers.thoughtspot.com/docs/rbac) is enabled on your instance, the `CAN_CREATE_OR_EDIT_CONNECTIONS` (**Can create/edit Connections**) privilege is required.\n\n#### Supported operations\nThis API endpoint lets you perform the following operations in a single API request:\n\n * Edit the name or description of the configuration\n * Edit the configuration properties\n * Edit the `policy_type`\n * Edit the type of authentication\n * Enable or disable a configuration\n\n#### Parameterized Connection Support\nFor parameterized oauth based connections, only the `same_as_parent` and `policy_process_options` attributes are allowed. These attributes are not applicable to connections that are not parameterized.\n\n **NOTE**: When updating a configuration where `disabled` is `true`, you must reset `disabled` to `true` in your update request payload. If not explicitly set again, the API will default `disabled` to `false`.\n\n\n\n\n#### Endpoint URL\n", "tags": [ "Connection Configurations", "10.12.0.cl" @@ -2294,6 +2316,20 @@ "description": "Description of the configuration.", "type": "string" }, + "same_as_parent": { + "description": "Specifies whether the connection configuration should inherit all properties and authentication\ntype from its parent connection. This attribute is only applicable to parameterized connections.\nWhen set to true, the configuration uses only the connection properties and authentication type\ninherited from the parent.
Version: 26.2.0.cl or later", + "default": false, + "type": "boolean", + "nullable": true + }, + "policy_process_options": { + "description": "This attribute is only applicable to parameterized connections. Ensure that the policy is\nset to Processes to allow the configuration to be used exclusively for system processes.
Version: 26.2.0.cl or later", + "allOf": [ + { + "$ref": "#/components/schemas/PolicyProcessOptionsInput" + } + ] + }, "authentication_type": { "description": "Type of authentication.", "type": "string", 
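Review bot: On the update request, `same_as_parent` is declared with `"default": false`, and this operation's description already warns that an omitted `disabled` is reset to `false`. If the same rule applies here, an update that only renames a configuration would silently turn off inheritance from the parent connection. Either drop the default from the update schema or document the behaviour, e.g. `If omitted, the existing value is retained.` (to be confirmed against the server). The property is also `nullable`, so the description should say what `null` means as distinct from `false`.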
@@ -2834,6 +2870,132 @@ } } }, + "/api/rest/2.0/connections/{connection_identifier}/revoke-refresh-tokens": { + "post": { + "operationId": "revokeRefreshTokens", + "description": "\n Version: 26.2.0.cl or later\n\nRevokes OAuth refresh tokens for users who no longer require access to a data warehouse connection.\nWhen a token is revoked, the affected user's session for that connection is terminated, and they must re-authenticate to regain access.\n\nRequires `ADMINISTRATION` (**Can administer ThoughtSpot**) or `DATAMANAGEMENT` (**Can manage data**) privileges.\nIf [Role-Based Access Control (RBAC)](https://developers.thoughtspot.com/docs/rbac) is enabled on the ThoughtSpot instance, users with `CAN_CREATE_OR_EDIT_CONNECTIONS` (**Can create/edit Connections**) privilege can also make API requests to revoke tokens for connection users.\n\n#### Usage guidelines\n\nYou can specify different combinations of identifiers to control which refresh tokens are revoked.\n\n- **connection_identifier**: Revokes refresh tokens for all users of the connection, except the connection author.\n- **connection_identifier** and **user_identifiers**: Revokes refresh tokens only for the users specified in the request. If the name or ID of the connection author is included in the request, their token will also be revoked.\n- **connection_identifier** and **configuration_identifiers**: Revokes refresh tokens for all users on the specified configurations, except the configuration author.\n- **connection_identifier**, **configuration_identifiers**, and **user_identifiers**: Revokes refresh tokens for the specified users on the specified configurations.\n- **connection_identifier** and **org_identifiers**: Revokes refresh tokens for the specified Orgs. Applicable only for published connections.\n- **connection_identifier**, **org_identifiers**, and **user_identifiers**: Revokes refresh tokens for the specified users in the specified Orgs. 
Applicable only for published connections.\n\n**NOTE**: The `org_identifiers` parameter is only applicable for published connections. Using this parameter for unpublished connections will result in an error. Ensure that the connections are published before making the API request.\n\n\n\n\n#### Endpoint URL\n", + "tags": [ + "Connections", + "26.2.0.cl" + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "configuration_identifiers": { + "description": "Unique ID or name of the configuration. When provided, the refresh tokens of the users associated with the connection configuration will be revoked.", + "type": "array", + "items": { + "type": "string" + } + }, + "user_identifiers": { + "description": "Unique ID or name of the users. When provided, the refresh tokens of the specified users will be revoked. If the request includes the user ID or name of the connection author, their token will also be revoked.", + "type": "array", + "items": { + "type": "string" + } + }, + "org_identifiers": { + "description": "Unique ID or name of the Org. When provided, the refresh tokens of all users associated with the published connection in the Org will be revoked. This parameter is valid only for published connections. Using it with unpublished connections will result in an error.", + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + }, + "required": true + }, + "parameters": [ + { + "in": "path", + "name": "connection_identifier", + "required": true, + "schema": { + "type": "string" + }, + "description": "Unique ID or name of the connection whose refresh tokens need to be revoked. All the users associated with the connection will have their refresh tokens revoked except the author." 
+ } + ], + "responses": { + "200": { + "description": "Token(s) successfully revoked.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/RevokeRefreshTokensResponse" + } + } + } + }, + "400": { + "description": "Invalid request.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "401": { + "description": "Unauthorized access.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "403": { + "description": "Forbidden access.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "404": { + "description": "Object not found", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "409": { + "description": "Conflict", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "500": { + "description": "Unexpected error", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + } + } + } + }, "/api/rest/2.0/connection/search": { "post": { "operationId": "searchConnection", 
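Review bot: The three identifier arrays in the `revokeRefreshTokens` request body have no `minItems`, so the spec leaves open whether `"user_identifiers": []` means "no users" or falls back to the documented default of revoking every user's token on the connection. For a bulk revocation call that distinction should be explicit; adding `"minItems": 1` to `configuration_identifiers`, `user_identifiers` and `org_identifiers` would turn an empty list into a 400 rather than an ambiguous request. The usage guidelines state the author exclusion for the connection-only and configuration cases but not for the two `org_identifiers` cases, so it is unclear whether the author's token survives an Org-scoped revocation. The 200 response references `RevokeRefreshTokensResponse`, which is not defined in the visible part of the patch.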
@@ -8745,7 +8907,7 @@ "/api/rest/2.0/report/liveboard": { "post": { "operationId": "exportLiveboardReport", - "description": "\n Version: 9.0.0.cl or later\n\nExports a Liveboard and its visualizations in PDF or PNG file format.\n\nRequires at least view access to the Liveboard.\n\n#### Usage guidelines\n\nIn the request body, specify the GUID or name of the Liveboard. To generate a Liveboard report with specific visualizations, add GUIDs or names of the visualizations.\n\nThe default `file_format` is PDF. For PDF downloads, you can specify additional parameters to customize the page orientation and include or exclude the cover page, logo, footer text, and page numbers. Similar customization options are also available for PNG output.\n\n**NOTE**: The downloadable file returned in API response file is extensionless. Please rename the downloaded file by typing in the relevant extension.\n\nOptionally, you can define [runtime overrides](https://developers.thoughtspot.com/docs/fetch-data-and-report-apis#_runtime_overrides) to apply to the Answer data.\n\nTo include unsaved changes in the report, pass the `transient_pinboard_content` script generated from the `getExportRequestForCurrentPinboard` method in the Visual Embed SDK. Upon successful execution, the API returns the report with unsaved changes, including ad hoc changes to visualizations. For more information, see [Liveboard Report API](https://developers.thoughtspot.com/docs/fetch-data-and-report-apis#_liveboard_report_api). \n\n**NOTE**: Starting with ThoughtSpot Cloud 10.9.0.cl release, the Liveboard can be exported in the PNG format in the resolution of your choice. To enable this on your instance, contact ThoughtSpot support. 
When this feature is enabled, the options `include_cover_page`,`include_filter_page` within the `png_options` will not be available for PNG exports.\n\n\n\n#### Endpoint URL\n", + "description": "\n Version: 9.0.0.cl or later\n\nExports a Liveboard and its visualizations in PDF, PNG, CSV, or XLSX file format.\n\nRequires at least view access to the Liveboard.\n\n#### Usage guidelines\n\nIn the request body, specify the GUID or name of the Liveboard. To generate a Liveboard report with specific visualizations, add GUIDs or names of the visualizations.\n\nThe default `file_format` is CSV. For PDF exports, you can specify additional parameters to customize the page orientation and include or exclude the cover page, logo, footer text, and page numbers. Similar customization options are available for PNG exports. CSV and XLSX exports do not support customization options.\n\n**NOTE**: The downloadable file returned in API response file is extensionless. Please rename the downloaded file by typing in the relevant extension.\n\nOptionally, you can define [runtime overrides](https://developers.thoughtspot.com/docs/fetch-data-and-report-apis#_runtime_overrides) to apply to the Answer data.\n\nTo include unsaved changes in the report, pass the `transient_pinboard_content` script generated from the `getExportRequestForCurrentPinboard` method in the Visual Embed SDK. Upon successful execution, the API returns the report with unsaved changes, including ad hoc changes to visualizations. For more information, see [Liveboard Report API](https://developers.thoughtspot.com/docs/fetch-data-and-report-apis#_liveboard_report_api). \n\n**NOTE**: Starting with ThoughtSpot Cloud 10.9.0.cl release, the Liveboard can be exported in the PNG format in the resolution of your choice. To enable this on your instance, contact ThoughtSpot support. 
When this feature is enabled, the options `include_cover_page`,`include_filter_page` within the `png_options` will not be available for PNG exports.\n\n**NOTE**: Starting with the ThoughtSpot Cloud 26.2.0.cl release, Liveboards can be exported in CSV format. All visualizations in the Liveboard can be exported as individual CSV files. If multiple visualizations are selected or if the entire Liveboard is exported, the output is returned as a .zip file containing the CSV files for each visualization.\n\n**NOTE**: Starting with the ThoughtSpot Cloud 26.2.0.cl release, Liveboards can be exported in XLSX format. All selected visualizations are consolidated into a single Excel workbook (.xlsx), with each visualization placed in its own worksheet (tab). XLSX exports are limited to 255 worksheets (tabs) per workbook.\n\n\n\n\n#### Endpoint URL\n", "tags": [ "Reports", "9.0.0.cl" @@ -8788,7 +8950,9 @@ "type": "string", "enum": [ "PDF", - "PNG" + "PNG", + "CSV", + "XLSX" ] }, "runtime_filter": { 
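Review bot: The rewritten description states that the default `file_format` is now CSV rather than PDF, but the enum hunk only adds the `CSV` and `XLSX` values and shows no matching `default` change, so it cannot be seen here whether the schema and the text agree. If the default did change, clients that omit `file_format` will start receiving CSV (or a .zip of CSV files) where they used to get a PDF, which deserves an explicit compatibility note in the description. The description also does not say whether cell values beginning with `=`, `+`, `-` or `@` are neutralised in CSV and XLSX output; these files are opened in spreadsheet applications, so stating the handling would help consumers of exported data. The `file_format` property starts and ends outside the hunk.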
@@ -12182,6 +12346,89 @@ } } }, + "/api/rest/2.0/system/security-settings/configure": { + "post": { + "operationId": "configureSecuritySettings", + "description": "\nBeta Version: 26.2.0.cl or later\n\nConfigure security settings for your ThoughtSpot application instance.\n- Use `cluster_preferences` to update cluster-level security settings including CORS whitelisted URLs, CSP settings, SAML redirect URLs, partitioned cookies, and non-embed access configuration.\n- Use `org_preferences` to configure Org-specific security settings. If your instance has [Orgs](https://docs.thoughtspot.com/cloud/latest/orgs-overview), this allows configuring CORS and non-embed access settings specific to the Org.\n\nRequires `ADMINISTRATION` (**Can administer ThoughtSpot**) or `DEVELOPER` (**Has developer privilege**) privilege. Cluster-level SAML and script-src settings require `ADMINISTRATION` privilege.\nSee [Security Settings](https://developers.thoughtspot.com/docs/security-settings) for more details.\n\n\n\n#### Endpoint URL\n", + "tags": [ + "System", + "26.2.0.cl" + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "cluster_preferences": { + "description": "Cluster-level security preferences.", + "allOf": [ + { + "$ref": "#/components/schemas/SecuritySettingsClusterPreferencesInput" + } + ] + }, + "org_preferences": { + "description": "Org-level security preferences for the current org.", + "type": "array", + "items": { + "$ref": "#/components/schemas/SecuritySettingsOrgPreferencesInput" + } + } + } + } + } + }, + "required": true + }, + "parameters": [], + "responses": { + "204": { + "description": "Successfully configured the security settings." 
+ }, + "400": { + "description": "Invalid request.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "401": { + "description": "Unauthorized access.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "403": { + "description": "Forbidden access.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "500": { + "description": "Unexpected error", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + } + } + } + }, "/api/rest/2.0/system/config": { "get": { "operationId": "getSystemConfig", 
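Review bot: The `configureSecuritySettings` description does not say whether list-valued settings in a request (CORS origins, CSP source lists, SAML redirect URLs) replace the stored lists or are merged into them, nor what happens to settings that are omitted. For allowlists this matters in both directions, since a replace silently drops entries and a merge leaves stale ones in place; one sentence such as `Lists supplied in the request <replace|are merged with> the stored values; omitted attributes are left unchanged.` with the real behaviour would settle it. `org_preferences` is typed as an array but described as preferences "for the current org", so it is unclear whether a caller can change Orgs other than its own. The description lets `DEVELOPER` change everything except cluster-level SAML and script-src settings; it is worth confirming that this is intended for cluster-wide CORS and the remaining CSP directives.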
@@ -12531,13 +12778,13 @@ } } }, - "/api/rest/2.0/system/config-update": { + "/api/rest/2.0/system/security-settings/search": { "post": { - "operationId": "updateSystemConfig", - "description": "\n Version: 9.2.0.cl or later\n\nUpdates the current configuration of the cluster. You must send the configuration data in JSON format.\n\nRequires `ADMINISTRATION` (**Can administer ThoughtSpot**) privileges.\nIf [Role-Based Access Control (RBAC)](https://developers.thoughtspot.com/docs/rbac) is enabled on your instance, the `APPLICATION_ADMINISTRATION` (**Can manage application settings**) privilege is required.\n\n\n\n\n#### Endpoint URL\n", + "operationId": "searchSecuritySettings", + "description": "\nBeta Version: 26.2.0.cl or later\n\nFetch security settings for your ThoughtSpot application instance.\n- Use `scope: CLUSTER` to retrieve cluster-level security settings, including CORS and CSP allowlists, SAML redirect URLs, and settings that control access to non-embedded pages.\n- Use `scope: ORG` to retrieve Org-level security settings. If your instance has [Orgs](https://docs.thoughtspot.com/cloud/latest/orgs-overview), this returns CORS and non-embed access settings specific to the Org.\n- If `scope` is not specified, returns both cluster and Org-specific settings based on user privileges.\n\nRequires `ADMINISTRATION` (**Can administer ThoughtSpot**) or `DEVELOPER` (**Has developer privilege**) privilege.\nSee [Security Settings](https://developers.thoughtspot.com/docs/security-settings) for more details.\n\n\n\n#### Endpoint URL\n", "tags": [ "System", - "9.2.0.cl" + "26.2.0.cl" ], "requestBody": { "content": { 
@@ -12545,14 +12792,15 @@ "schema": { "type": "object", "properties": { - "configuration": { - "description": "Configuration JSON with the key-value pair of configuration attributes to be updated.", - "type": "object" + "scope": { + "description": "Scope of security settings to retrieve. CLUSTER returns cluster-level settings,\nORG returns org-level settings for the current org.\nIf not specified, returns both cluster and org settings based on user privileges.", + "type": "string", + "enum": [ + "CLUSTER", + "ORG" + ] } - }, - "required": [ - "configuration" - ] + } } } }, 
@@ -12560,33 +12808,179 @@ }, "parameters": [], "responses": { - "204": { - "description": "Configuration successfully updated." - }, - "400": { - "description": "Invalid request.", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/ErrorResponse" - } - } - } - }, - "401": { - "description": "Unauthorized access.", + "200": { + "description": "Successfully retrieved the list of security settings.", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/ErrorResponse" - } - } - } - }, - "403": { - "description": "Forbidden access.", - "content": { - "application/json": { + "$ref": "#/components/schemas/SecuritySettingsResponse" + }, + "examples": { + "example_1": { + "value": { + "cluster_preferences": { + "enable_partitioned_cookies": false, + "cors_whitelisted_urls": [ + "example.com" + ], + "csp_settings": { + "connect_src_urls": [ + "https://connect.example.com" + ], + "font_src_urls": [ + "https://font.example.com" + ], + "visual_embed_hosts": [ + "https://embed.example.com" + ], + "iframe_src_urls": [ + "https://embed.example.com" + ], + "img_src_urls": [ + "https://img.example.com" + ], + "script_src_urls": { + "enabled": true, + "urls": [ + "https://script.example.com" + ] + }, + "style_src_urls": [ + "https://style.example.com" + ] + }, + "saml_redirect_urls": [ + "https://saml.example.com" + ], + "non_embed_access": { + "block_full_app_access": true + } + }, + "org_preferences": [ + { + "org": { + "id": 0, + "name": "Primary" + }, + "cors_whitelisted_urls": [ + "https://cors.example.com" + ], + "non_embed_access": { + "block_full_app_access": true, + "groups_with_access": [ + { + "id": "1234567890", + "name": "Group Name" + } + ] + } + } + ] + } + } + } + } + } + }, + "400": { + "description": "Invalid request.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "401": { + "description": "Unauthorized access.", + "content": { + 
"application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "403": { + "description": "Forbidden access.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "500": { + "description": "Unexpected error", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + } + } + } + }, + "/api/rest/2.0/system/config-update": { + "post": { + "operationId": "updateSystemConfig", + "description": "\n Version: 9.2.0.cl or later\n\nUpdates the current configuration of the cluster. You must send the configuration data in JSON format.\n\nRequires `ADMINISTRATION` (**Can administer ThoughtSpot**) privileges.\nIf [Role-Based Access Control (RBAC)](https://developers.thoughtspot.com/docs/rbac) is enabled on your instance, the `APPLICATION_ADMINISTRATION` (**Can manage application settings**) privilege is required.\n\n\n\n\n#### Endpoint URL\n", + "tags": [ + "System", + "9.2.0.cl" + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "configuration": { + "description": "Configuration JSON with the key-value pair of configuration attributes to be updated.", + "type": "object" + } + }, + "required": [ + "configuration" + ] + } + } + }, + "required": true + }, + "parameters": [], + "responses": { + "204": { + "description": "Configuration successfully updated." + }, + "400": { + "description": "Invalid request.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "401": { + "description": "Unauthorized access.", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorResponse" + } + } + } + }, + "403": { + "description": "Forbidden access.", + "content": { + "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } 
@@ -13476,7 +13870,8 @@ "en-AU", "zh-Hant", "ko-KR", - "en-DE" + "en-DE", + "USE_BROWSER_LANGUAGE" ] }, "extended_properties": { @@ -14358,7 +14753,8 @@ "en-AU", "zh-Hant", "ko-KR", - "en-DE" + "en-DE", + "USE_BROWSER_LANGUAGE" ] }, "extended_properties": { @@ -14468,7 +14864,7 @@ "nullable": true }, "data_type": { - "description": "Variable Data Type", + "description": "Variable Data Type, only for formula_variable type, leave empty for others
Version: 10.15.0.cl or later", "type": "string", "enum": [ "VARCHAR", @@ -17065,6 +17461,14 @@ "onboarding_content_url": { "type": "string", "nullable": true + }, + "saml_enabled": { + "type": "boolean", + "nullable": true + }, + "okta_enabled": { + "type": "boolean", + "nullable": true } } }, 
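Review bot: The new `saml_enabled` and `okta_enabled` properties in the last hunk on this line are added without a `description`, unlike the properties introduced elsewhere in this patch. A short text such as `"description": "Indicates whether SAML authentication is enabled on the instance."` and the Okta equivalent (wording to be confirmed) would tell consumers what the flags report. The enclosing schema starts outside the hunk, so it is not visible which response exposes this authentication configuration or who can read it.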
@@ -17185,6 +17589,227 @@ } } }, + "SecuritySettingsResponse": { + "type": "object", + "properties": { + "cluster_preferences": { + "$ref": "#/components/schemas/SecuritySettingsClusterPreferences", + "description": "Cluster-level security preferences.", + "nullable": true + }, + "org_preferences": { + "type": "array", + "items": { + "$ref": "#/components/schemas/SecuritySettingsOrgPreferences" + }, + "description": "Org-level security preferences.", + "nullable": true + } + }, + "description": "Response type for security settings search." + }, + "SecuritySettingsClusterPreferences": { + "type": "object", + "properties": { + "enable_partitioned_cookies": { + "type": "boolean", + "description": "Support embedded access when third-party cookies are blocked.", + "nullable": true + }, + "cors_whitelisted_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed origins for CORS.", + "nullable": true + }, + "csp_settings": { + "$ref": "#/components/schemas/CspSettings", + "description": "CSP (Content Security Policy) settings.", + "nullable": true + }, + "saml_redirect_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed redirect hosts for SAML login.", + "nullable": true + }, + "non_embed_access": { + "$ref": "#/components/schemas/ClusterNonEmbedAccess", + "description": "Non-embed access configuration at cluster level.", + "nullable": true + } + }, + "description": "Cluster-level security preferences." 
+ }, + "CspSettings": { + "type": "object", + "properties": { + "connect_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for connect-src directive.", + "nullable": true + }, + "font_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for font-src directive.", + "nullable": true + }, + "visual_embed_hosts": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed hosts for visual embed (frame-ancestors directive).", + "nullable": true + }, + "iframe_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for frame-src directive.", + "nullable": true + }, + "img_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for img-src directive.", + "nullable": true + }, + "script_src_urls": { + "$ref": "#/components/schemas/ScriptSrcUrls", + "description": "Script-src settings including URLs and enabled flag.", + "nullable": true + }, + "style_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for style-src directive.", + "nullable": true + } + }, + "description": "CSP (Content Security Policy) settings." + }, + "ScriptSrcUrls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether script-src customization is enabled.", + "nullable": true + }, + "urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for script-src directive. Can only be set if enabled is true.", + "nullable": true + } + }, + "description": "Script-src CSP settings." + }, + "ClusterNonEmbedAccess": { + "type": "object", + "properties": { + "block_full_app_access": { + "type": "boolean", + "description": "Block full application access for non-embedded usage.", + "nullable": true + } + }, + "description": "Cluster-level non-embed access configuration." 
+ }, + "SecuritySettingsOrgPreferences": { + "type": "object", + "properties": { + "org": { + "$ref": "#/components/schemas/SecuritySettingsOrgDetails", + "description": "Org details (id and name).", + "nullable": true + }, + "cors_whitelisted_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed origins for CORS for this org.", + "nullable": true + }, + "non_embed_access": { + "$ref": "#/components/schemas/OrgNonEmbedAccess", + "description": "Non-embed access configuration for this org.", + "nullable": true + } + }, + "description": "Org-level security preferences." + }, + "SecuritySettingsOrgDetails": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int32", + "description": "Unique identifier of the org.", + "nullable": true + }, + "name": { + "type": "string", + "description": "Name of the org.", + "nullable": true + } + }, + "description": "Org details for security settings." + }, + "OrgNonEmbedAccess": { + "type": "object", + "properties": { + "block_full_app_access": { + "type": "boolean", + "description": "Block full application access for non-embedded usage.", + "nullable": true + }, + "groups_with_access": { + "type": "array", + "items": { + "$ref": "#/components/schemas/GroupInfo" + }, + "description": "Groups that have non-embed full app access.", + "nullable": true + } + }, + "description": "Org-level non-embed access configuration." + }, + "GroupInfo": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "Unique identifier of the group.", + "nullable": true + }, + "name": { + "type": "string", + "description": "Name of the group.", + "nullable": true + } + }, + "description": "Group information for non-embed access." + }, "OrgResponse": { "type": "object", "properties": { @@ -18271,7 +18896,8 @@ "en-AU", "zh-Hant", "ko-KR", - "en-DE" + "en-DE", + "USE_BROWSER_LANGUAGE" ] }, "number_format_locale": { 
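Review bot: In the hunk at -17185, every `$ref` property (`cluster_preferences`, `csp_settings`, `non_embed_access`, `script_src_urls`, `org`) carries `description` and `nullable` as siblings of `$ref`. The use of `nullable` suggests an OpenAPI 3.0 document, where siblings of `$ref` are ignored, so strict validators and code generators would treat these properties as non-nullable and drop the descriptions. Wrapping the reference keeps both: `"allOf": [{ "$ref": "#/components/schemas/CspSettings" }], "nullable": true`. The same pattern recurs in the input schemas at -21276 and in `policy_process_options` at -20115.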
@@ -18305,7 +18931,8 @@ "en-AU", "zh-Hant", "ko-KR", - "en-DE" + "en-DE", + "USE_BROWSER_LANGUAGE" ] }, "date_format_locale": { @@ -18339,7 +18966,8 @@ "en-AU", "zh-Hant", "ko-KR", - "en-DE" + "en-DE", + "USE_BROWSER_LANGUAGE" ] } } @@ -20115,6 +20743,14 @@ "PROCESSES" ], "nullable": true + }, + "same_as_parent": { + "type": "boolean", + "nullable": true + }, + "policy_process_options": { + "$ref": "#/components/schemas/PolicyProcessOptions", + "nullable": true } } }, @@ -20135,6 +20771,15 @@ } } }, + "PolicyProcessOptions": { + "type": "object", + "properties": { + "impersonate_user": { + "type": "string", + "nullable": true + } + } + }, "WebhookSortOptionsInput": { "type": "object", "properties": { 
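Review bot: `impersonate_user` in the new `PolicyProcessOptions` schema (hunk at -20135) has no `description`. The same is true of `same_as_parent` and `policy_process_options` at -20115 and of the matching `PolicyProcessOptionsInput` at -23811. For a field that names an identity to act as, the spec should state which identifier form is accepted, which privilege the caller needs to set it, and whether the value is restricted to the caller's org. None of that can be read from the schema as written. I would add `"description": "<what the user identity is used for; accepted identifier form; required privilege>"` to each of these properties, filled in from the implementation.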
@@ -21276,6 +21921,177 @@ } } }, + "SecuritySettingsClusterPreferencesInput": { + "type": "object", + "properties": { + "enable_partitioned_cookies": { + "type": "boolean", + "description": "Support embedded access when third-party cookies are blocked.", + "nullable": true + }, + "cors_whitelisted_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed origins for CORS.", + "nullable": true + }, + "csp_settings": { + "$ref": "#/components/schemas/CspSettingsInput", + "description": "CSP (Content Security Policy) settings.", + "nullable": true + }, + "saml_redirect_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed redirect hosts for SAML login.", + "nullable": true + }, + "non_embed_access": { + "$ref": "#/components/schemas/ClusterNonEmbedAccessInput", + "description": "Non-embed access configuration at cluster level.", + "nullable": true + } + }, + "description": "Input for cluster-level security preferences configuration." 
+ }, + "CspSettingsInput": { + "type": "object", + "properties": { + "connect_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for connect-src directive.", + "nullable": true + }, + "font_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for font-src directive.", + "nullable": true + }, + "visual_embed_hosts": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed hosts for visual embed (frame-ancestors directive).", + "nullable": true + }, + "iframe_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for frame-src directive.", + "nullable": true + }, + "img_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for img-src directive.", + "nullable": true + }, + "script_src_urls": { + "$ref": "#/components/schemas/ScriptSrcUrlsInput", + "description": "Script-src settings including URLs and enabled flag.", + "nullable": true + }, + "style_src_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for style-src directive.", + "nullable": true + } + }, + "description": "Input for CSP (Content Security Policy) settings." + }, + "ScriptSrcUrlsInput": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether script-src customization is enabled.", + "nullable": true + }, + "urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed URLs for script-src directive. Can only be set if enabled is true.", + "nullable": true + } + }, + "description": "Input for script-src CSP settings." 
+ }, + "ClusterNonEmbedAccessInput": { + "type": "object", + "properties": { + "block_full_app_access": { + "type": "boolean", + "description": "Block full application access for non-embedded usage.", + "nullable": true + } + }, + "description": "Input for cluster-level non-embed access configuration." + }, + "SecuritySettingsOrgPreferencesInput": { + "type": "object", + "required": [ + "org_identifier" + ], + "properties": { + "org_identifier": { + "type": "string", + "description": "Unique identifier or name of the org" + }, + "cors_whitelisted_urls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed origins for CORS for this org.", + "nullable": true + }, + "non_embed_access": { + "$ref": "#/components/schemas/OrgNonEmbedAccessInput", + "description": "Non-embed access configuration for this org.", + "nullable": true + } + }, + "description": "Input for org-level security preferences configuration.\nNote: cross-org operations are not supported currently." + }, + "OrgNonEmbedAccessInput": { + "type": "object", + "properties": { + "block_full_app_access": { + "type": "boolean", + "description": "Block full application access for non-embedded usage.", + "nullable": true + }, + "groups_identifiers_with_access": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Group identifiers that are allowed non-embed full app access. Can only be set if block_full_app_access is true.", + "nullable": true + } + }, + "description": "Input for org-level non-embed access configuration." + }, "TagMetadataTypeInput": { "type": "object", "required": [ @@ -22271,6 +23087,18 @@ } } }, + "RevokeRefreshTokensResponse": { + "type": "object", + "required": [ + "data" + ], + "properties": { + "data": { + "type": "string", + "description": "Result message describing the outcome of the refresh token revocation operation." + } + } + }, "RoleResponse": { "type": "object", "required": [ 
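Review bot: The allowlist arrays in the hunk at -21276 (`cors_whitelisted_urls`, `saml_redirect_urls` and the `*_src_urls` / `visual_embed_hosts` lists in `CspSettingsInput`) are bare `string` items, so the contract never says what one entry is. The descriptions call them origins, hosts and URLs in turn. Because these values gate CORS, SAML redirects and CSP, each description should state the accepted form (scheme, port, path, and whether wildcards are accepted), and the lists should be bounded with `"maxItems"` and an item `"maxLength"`. Every list is also `"nullable": true` with no statement of what `null`, `[]` and an omitted key each do on update. A sentence such as `Omit to leave unchanged; send [] to clear the list.` belongs in each description once the server behaviour is confirmed.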
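Review bot: `RevokeRefreshTokensResponse` (hunk at -22271) reports the outcome only as a free-text `data` string. A caller that revokes tokens during incident response cannot tell a complete revocation from a partial one without parsing that message. Consider adding a machine-readable field next to it, such as a status enum or a count, and state in the description whether a success response means every targeted token was revoked.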
@@ -23778,6 +24606,16 @@ "type": "string", "description": "Company website URL (HTTP/HTTPS only)", "nullable": true + }, + "contact_support_url": { + "type": "string", + "description": "Contact support url (HTTP/HTTPS only).", + "nullable": true + }, + "hide_contact_support_url": { + "type": "boolean", + "description": "Whether to hide contact support url.", + "nullable": true } }, "description": "Email customization configuration properties" @@ -23811,6 +24649,15 @@ } } }, + "PolicyProcessOptionsInput": { + "type": "object", + "properties": { + "impersonate_user": { + "type": "string", + "nullable": true + } + } + }, "WebhookAuthenticationInput": { "type": "object", "properties": {
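Review bot: `contact_support_url` in the hunk at -23778 states "HTTP/HTTPS only" in its description, but the schema is a plain `string`, so the scheme restriction is neither visible to generated clients nor checked by spec-driven validation. Since the schema is described as email customization, the scheme limit is worth expressing in the contract as well: `"format": "uri", "pattern": "^https?://"`. The neighbouring company website URL property shown as context has the same gap. The enclosing schema starts outside the hunk, so whether the server enforces the scheme cannot be confirmed from here.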