Roles & Permissions
Roles define what users can do. Each role has specific permissions controlling access to features and actions.
Available roles
Section titled “Available roles”Highest permission level with full system access.
Capabilities:
- All Staff capabilities
- Manage users and roles
- Configure integrations
- Access billing and subscription
- Manage company settings
- Create and manage share links
- Access audit logs
Best for: Business owners, IT managers, system administrators
Elevated access for power users who manage data and dashboards.
Capabilities:
- All Member capabilities
- Create and delete dashboards
- Create and manage widgets
- Configure data sources
- Create Modified and Joined Datasets
- Manage dashboard templates
- Create share links
Best for: Analysts, department leads, power users
Member
Section titled “Member”Standard access for regular team members.
Capabilities:
- View assigned dashboards
- Interact with filters and dashboard controls
- Export data from widgets
- Manage personal settings
- Read-only access to most features unless explicitly overridden
Best for: General employees, team members
ShareLinks (external access, not a user role)
Section titled “ShareLinks (external access, not a user role)”ShareLinks are public or restricted dashboard links for people outside your account. They are not assignable user roles.
Use this for: Clients, external stakeholders, and read-only sharing without creating a user account
Permission matrix
Section titled “Permission matrix”Dashboard permissions
Section titled “Dashboard permissions”| Action | Admin | Staff | Member |
|---|---|---|---|
| View dashboards | Yes | Yes | Yes |
| Create dashboards | Yes | Yes | - |
| Edit dashboards | Yes | Yes | - |
| Delete dashboards | Yes | Yes | - |
| Share dashboards | Yes | Yes | - |
Widget permissions
Section titled “Widget permissions”| Action | Admin | Staff | Member |
|---|---|---|---|
| View widgets | Yes | Yes | Yes |
| Create widgets | Yes | Yes | - |
| Edit widgets | Yes | Yes | - |
| Delete widgets | Yes | Yes | - |
Data permissions
Section titled “Data permissions”| Action | Admin | Staff | Member |
|---|---|---|---|
| View datasets | Yes | Yes | - |
| Create Modified Datasets | Yes | Yes | - |
| Create Joined Datasets | Yes | Yes | - |
| Manage integrations | Yes | Yes | - |
| Access Data Lineage | Yes | Yes | - |
Administration permissions
Section titled “Administration permissions”| Action | Admin | Staff | Member |
|---|---|---|---|
| Manage users | Yes | Yes | - |
| Assign roles | Yes | Yes | - |
| Manage dashboard groups | Yes | Yes | - |
| Access billing | Yes | - | - |
| Company settings | Yes | - | - |
| Audit logs | Yes | - | - |
Role assignment
Section titled “Role assignment”When adding users
Section titled “When adding users”- Create the new user
- Select their role from the dropdown
- Role applies immediately
Changing roles
Section titled “Changing roles”- Go to User Management
- Edit the user
- Change the role
- Save changes
- New permissions apply immediately
Role considerations
Section titled “Role considerations”Promoting a user:
- They gain immediate access to new capabilities
- Review their dashboard group assignments
Demoting a user:
- They lose privileged features immediately
- Items they created remain
- Consider handoff for administrative responsibilities
Best practices
Section titled “Best practices”Role selection
Section titled “Role selection”- Start restrictive: Begin with lower roles, upgrade as needed
- Least privilege: Give only necessary access
- Regular review: Audit roles periodically
Admin role
Section titled “Admin role”- Limit the number of Admins
- Ensure at least two Admins for coverage
- Use strong passwords and 2FA
Staff role
Section titled “Staff role”- Assign to users who actively manage data
- Don’t use for view-only users
- Consider the workload impact
Member role and external sharing
Section titled “Member role and external sharing”- Member is the default role for most internal users
- Use ShareLinks for external stakeholders who should not get a user account
- Keep members focused on viewing and interacting, not managing configuration
Special cases
Section titled “Special cases”Company owner
Section titled “Company owner”The initial account creator is always Admin and can’t be demoted or removed without transferring ownership.
Last Admin
Section titled “Last Admin”You can’t remove or demote the last Admin. Ensure another Admin exists first.
Self-demotion
Section titled “Self-demotion”Admins can demote themselves, but only if another Admin exists.
Dataset-level permissions (Professional+)
Section titled “Dataset-level permissions (Professional+)”Admins can restrict which datasets each user can access and what they can do with them. This is available on Professional, Business, and Starship tiers.
Access modes
Section titled “Access modes”- Full access - User sees all datasets (default)
- Blacklist - User sees all datasets EXCEPT those explicitly excluded
- Whitelist - User sees ONLY datasets explicitly included
Permission levels
Section titled “Permission levels”- Read & Write - User can view and use the dataset (widgets, modified datasets, joined datasets) and also edit the dataset
- Read Only - User can view and use the dataset (widgets, modified datasets, joined datasets) but cannot edit the dataset
How it works
Section titled “How it works”In the edit-user page, dataset permissions are controlled with:
- Access Mode
- Default Permission Level
- Allowed / Blocked Datasets
- Per-Dataset Permission Overrides in whitelist mode for non-members
Dataset permissions filter what appears in:
- Data Management → Datasets list
- Dataset selector when creating widgets
- Data Studio and Modified Dataset editor
- Data Lineage view
Role-specific behavior:
- Admin users always bypass these restrictions and keep full read/write access.
- Staff users can use the full dataset permission UI.
- Member users use dataset permissions only inside AI Chat. They still cannot open the raw Datasets or Modified Datasets pages directly, and their dataset access remains Read Only.
Feature-level permissions (Professional+)
Section titled “Feature-level permissions (Professional+)”Admins can control feature access and write actions per user from the toggle list on the edit-user page. By default, staff can write to most features and members stay limited, but these defaults can be overridden. Use Reset to Role Defaults in the UI to restore the standard role behavior.
Features that can be restricted
Section titled “Features that can be restricted”- Dashboards & Widgets
- Integrations
- Modified Datasets
- Dynamic Filter Variables
- Share Links
- Resplendent API
- Custom Integrations
- Templates
- Reports
- Widget Snapshots
- Soundboard
- Tags
- AI Chat Access
- AI Context Updates
Permission behavior
Section titled “Permission behavior”| Toggle | What it controls |
|---|---|
| Dashboards & Widgets | Dashboard and widget editing actions |
| Integrations | Adding, editing, and reconnecting standard integrations |
| Modified Datasets | Creating and editing Modified Datasets |
| Dynamic Filter Variables | Creating, editing, and deleting filter variables |
| Share Links | Creating and managing share links |
| Resplendent API | Managing API credentials |
| Custom Integrations | Creating and editing custom integrations |
| Templates | Managing dashboard and widget templates |
| Reports | Report blueprint and report-related editing actions |
| Widget Snapshots | Widget snapshot creation and deletion actions |
| Soundboard | Threshold alert sound management |
| Tags | Tag management |
| AI Chat Access | Access to Eric / AI Chat |
| AI Context Updates | Submitting AI context updates from supported dataset prompts |
Important behavior:
- Turning a toggle off usually makes that feature read-only or disables its management actions.
- Some pages may still be visible while their edit controls are disabled.
- Tier limits and role requirements can still restrict separate actions even if the toggle is on.
- AI Chat Access defaults on for Admins and Giga Admins in beta companies, but not for Staff or Members.
- AI Context Updates defaults on for Staff and above in beta companies.
- Members only get the AI Chat Access toggle.
- AI Chat Access and AI Context Updates only appear for beta companies (or Giga Admins).
Read-only users still see disabled buttons and actions. They can continue to view data, export from widgets, and use filters where their role allows it.
Role inheritance
Section titled “Role inheritance”Roles work with Dashboard Groups and permissions:
- Role defines what you can do by default
- Dashboard Groups define what dashboards you can see
- Dataset permissions define what data you can access
- Feature permissions define which features you can modify
- All layers must allow an action for it to be permitted
Example:
- A Member in the “Sales” group can view Sales dashboards
- A Member with dataset whitelist can only see whitelisted datasets in widgets
- A Member with read-only dashboard permission can view but not edit any dashboard
Troubleshooting
Section titled “Troubleshooting”User can’t perform action
Section titled “User can’t perform action”- Check their role in User Management
- Verify the role has that permission
- Check dashboard group assignments
- Check feature permissions (Professional+)
- Review any specific restrictions
User can’t see a dataset
Section titled “User can’t see a dataset”- Check if dataset permissions are configured (Professional+)
- Verify the user is not in whitelist mode without that dataset included
- Check if the dataset is blacklisted for this user
- Confirm the user has at least read access to the parent table
Role change not taking effect
Section titled “Role change not taking effect”- Ensure changes were saved
- User may need to refresh their browser
- Log out and back in to reset session
Unexpected access
Section titled “Unexpected access”- Review role assignment
- Check dashboard group memberships
- Audit recent role changes
- Review dataset and feature permission overrides
Read-only UI elements
Section titled “Read-only UI elements”If buttons or actions appear disabled:
- Check the user’s role and assigned permissions
- Verify feature permissions are not set to read-only
- For dataset operations, check dataset-level permissions
- Remember that members are read-only by default for most features