Roles and permissions
Roles in your Lightdash instance
- Everybody in your organization will join as an
Organization Memberunless specified. For example, if I invite someone to a project as an editor, they will become an organization member witheditoraccess to that project. If I invite someone to the organization as aviewer, then they will be anorganization viewer(instead of anorganization member). - All organization members can create their own projects and will be the Project Admin for that project.
- Admins have access to all content (even content they haven't been explicitly invited to).
Project Roles
Project Admins can invite users to their project and assign users or groups to roles in that project. Note that projects may also be accessible by users with organization roles.
| Action | Project Admin | Project Developer | Project Editor | Project Interactive Viewer | Project Viewer |
|---|---|---|---|---|---|
| View charts and dashboards | ✅ | ✅ | ✅ | ✅ | ✅ |
| Export results visible in a chart to CSV | ✅ | ✅ | ✅ | ✅ | ✅ |
| Export results visible in a chart to Google Sheets | ✅ | ✅ | ✅ | ✅ | ✅ |
| Export results to CSV and override the limit | ✅ | ✅ | ✅ | ✅ | ❌ |
| Export results to Google Sheets and override the limit | ✅ | ✅ | ✅ | ✅ | ❌ |
| View comments | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create comments | ✅ | ✅ | ✅ | ✅ | ❌ |
| Use the explorer | ✅ | ✅ | ✅ | ✅ | ❌ |
| View underlying data | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create/edit scheduled deliveries | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create/edit Syncs | ✅ | ✅ | ✅ | ❌ | ❌ |
| Create/edit charts and dashboards | ✅ | ✅ | ✅ | ❌ | ❌ |
| Use the SQL runner | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manage project access and permissions | ✅ | ❌ | ❌ | ❌ | ❌ |
| Delete project | ✅ | ❌ | ❌ | ❌ | ❌ |
| Create project previews | ✅ | ❌ | ❌ | ❌ | ❌ |
Organization Roles
Organization Admins can assign roles to organization members, which gives access to all projects in the organization.
| Action | Organization Admin | Organization Developer | Organization Editor | Organization Interactive Viewer | Organization Viewer | Organization Member |
|---|---|---|---|---|---|---|
| Create Personal access tokens | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View all projects | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create new projects | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Create project previews | ✅ | ✅ * | ✅ * | ✅ * | ❌ | ❌ |
| Edit all projects | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Admin for all projects | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Invite users to organization | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage organization access and permissions | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Space Roles
There are three space roles: Full Access, Can Edit, Can View
Users with Full Access to a space can restrict and increase a user’s inherited project permissions in a space (e.g. you can make project editors into can view in a space). Space permissions determine which users can edit space contents (charts and dashboards), view the contents in a space, and change a space's settings:
- A user needs to have at least the
Can viewaccess level to a space to see that the space exists and to see the charts and dashboards inside it. - A user needs to have the
Can editaccess level to a space to edit the content in the space (add/delete/rename charts and dashboards). - A user needs to have the
Full accessaccess level to a space to manage access to the space and to edit the space details (name, description, etc.).
Space permissions don't otherwise control what users can do, or which data they can use to build their own content.
This means:
- a project viewer who has
Can editspace permissions cannot get access to build or edit charts because Viewers don't have access to the Explore view - an interactive viewer who is given
Can editspace permissions can save content in that space but not in any other space (unless giveneditaccess to another space) - an editor who is given
Can viewspace permissions cannot edit the content in that space, but they can create/edit content in other parts of the project (unless they're givenCan viewaccess).
| Action | Full Access | Can Edit | Can View |
|---|---|---|---|
| View space content | ✅ | ✅ | ✅ |
| Manage space content | ✅ | ✅ | ❌ |
| Manage space access | ✅ | ❌ | ❌ |
| Manage space details | ✅ | ❌ | ❌ |
Allowed email domains to join organization automatically
Organization admins can add allowed email domains to their organization settings so that anyone with those email domains can automatically join their organization (without explicitly inviting them).
To update your organization's allowed email domains setting, just go to the general organization settings.
In the allowed email domains panel, enter the email domains you want to be able to automatically join your organization (e.g. here, we've added lightdash.com). Generic email domains like google.com or hotmail.com are not accepted.
You can then select the access that you want these users to have, by default. The organization admin can always update a user's permissions after they've joined the organization!
If you want to add default permissions that are different across each project, you can select the organization role of organization member, then set the project access for each project.
Once you've selected the default roles for your allowed email domains, make sure to click update to save your changes.
Now, when a user tries to join Lightdash, they will be prompted to join your workspace if they have one of your allowed email domains.
Setting a Default Project
In the organization settings you can set a default project. This is the project users will see when they log in for the first time or from a new device. If a user does not have access, they will see their next accessible project.