Data-level permissions are only available on Growth or Custom plans. On Starter, all members have Manager-level access to all data.
Permission levels
For Members, access to a layer, table, or volume is one of:

| Level | Meaning |
|---|---|
| Viewer | Can see the resource and use it in read-only ways. Cannot change it or grant access to others. |
| Editor | Can change the resource and create dependent resources (e.g. new tables in the layer). Cannot delete the resource or manage who else has access. |
| Manager | Full control: can change, delete, and grant Viewer or Editor permission on that resource to other members. |
- Layer
- Table
- Volume
What each level can do
| Module | Viewer | Editor | Manager |
|---|---|---|---|
| See layers (with access) | ✓ | ✓ | ✓ |
| See tables (with access) | ✓ | ✓ | ✓ |
| Change layer/table/field descriptions | | ✓ | ✓ |
| Manage users (add, remove, change Viewer/Editor) | | | ✓ |
| Manage users (change Viewer/Editor/Manager)* | | | |
| Create layers* | | | |
| See all layers* | | | |
| See sources, queries, notebooks, histories, destinations, integrations | ✓ | ✓ | ✓ |
| Add sources, destinations, queries, notebooks, histories | | ✓ | ✓ |
| Edit sources, destinations, queries, notebooks, histories | | ✓ | ✓ |
| Activate or deactivate sources, destinations, queries, notebooks, histories | | ✓ | ✓ |
| Manually trigger sources, destinations, queries, notebooks, histories | | ✓ | ✓ |
| Delete sources, destinations, queries, notebooks, histories | | | ✓ |
| See runs | ✓ | ✓ | ✓ |
| Execute queries | ✓ | ✓ | ✓ |
| Edit queries | ✓ | ✓ | ✓ |
| Save queries individually | ✓ | ✓ | ✓ |
| Delete saved queries | | ✓ | ✓ |
| See settings* | | | |
| Manage users and roles* | | | |
| Create groups* | | | |
| Add users* | | | |
| Manage billing** | | | |
** Only owners.

All other feature access follows from the tables (and layers/volumes) the member can access.
Permission propagation
- From layer down: Granting a Member access to a layer gives them the same level of access to all tables and volumes in that layer.
- From table/volume up: Granting a Member access to a table or volume gives them at least Viewer access to that resource’s layer. They do not get higher access to the layer unless you grant it separately.
Permission groups
You can assign permissions to a Group instead of (or in addition to) individual users. Members get the highest permission they have from any group or direct assignment. The default All group can be used to grant or revoke access for all members at once.
API tokens
API tokens inherit the permissions of the user who created them. If that user’s permissions change (e.g. new or revoked access, added or removed from a group, or role change), the token’s access changes the same way.
Examples
- Members cannot create new layers, regardless of their permission level.
- If a Member has no Viewer access to a layer, they cannot see that layer or any sources, queries, notebooks, histories, destinations, or integrations that use only tables in that layer.
- To create a new source, a Member needs Editor (or higher) access to the output layer, because the source creates tables there.
- A Member with Editor access to a layer can edit sources that write to that layer and add new streams to those sources.
- A Member can edit a source if they have Editor access to all of that source’s output tables, even without Editor access to the layer. Disabled streams and their tables are not considered for this check.
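
The propagation, group and source-edit rules above can be combined into one effective-permission check, which is useful when auditing what a Member (or a token they created) can actually reach. This sketch is an added example, not the product's own code or API; the user, group, layer and table names and the grant layout are constructed, and treating a source with no enabled streams as not editable is an assumption the page does not cover.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    MANAGER = 3

# Constructed sample data (hypothetical names, not from the product).
TABLE_LAYER = {"orders": "raw", "customers": "raw", "revenue": "marts"}
GROUPS = {"All": {"ana", "ben"}, "analysts": {"ana"}}
# (principal kind, principal, resource kind, resource) -> granted level
GRANTS = {
    ("group", "All", "layer", "marts"): Level.VIEWER,
    ("group", "analysts", "table", "orders"): Level.EDITOR,
    ("user", "ana", "table", "customers"): Level.EDITOR,
    ("user", "ben", "layer", "raw"): Level.EDITOR,
}

def _grants_for(user, kind, name):
    """Yield every level granted to `user` on one resource, directly or via a group."""
    for (pkind, principal, rkind, rname), level in GRANTS.items():
        member = principal == user if pkind == "user" else user in GROUPS.get(principal, ())
        if member and (rkind, rname) == (kind, name):
            yield level

def table_level(user, table):
    """Highest of the table's own grants and its layer's grants (layer down)."""
    layer = TABLE_LAYER[table]
    return max([*_grants_for(user, "table", table),
                *_grants_for(user, "layer", layer)], default=Level.NONE)

def layer_level(user, layer):
    """Highest layer grant; any table grant inside the layer implies Viewer (table up)."""
    levels = list(_grants_for(user, "layer", layer))
    for table, parent in TABLE_LAYER.items():
        if parent == layer and list(_grants_for(user, "table", table)):
            levels.append(Level.VIEWER)
    return max(levels, default=Level.NONE)

def can_edit_source(user, streams):
    """streams: list of (output_table, enabled); disabled streams are not considered."""
    active = [table for table, enabled in streams if enabled]
    # Assumption: a source with no enabled streams is treated as not editable.
    return bool(active) and all(table_level(user, t) >= Level.EDITOR for t in active)
```

Here `ana` can edit a source writing to `orders` and `customers` while holding only Viewer on the `raw` layer, which is the last case in the list above.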