Skip to main content

Roles and permissions

Roles in your Lightdash instance

  • Everybody in your organization will join as an Organization Member unless specified. For example, if I invite someone to a project as an editor, they will become an organization member with editor access to that project. If I invite someone to the organization as a viewer, then they will be an organization viewer (instead of an organization member).
  • All organization members can create their own projects and will be the Project Admin for that project.
  • Admins have access to all content (even content they haven't been explicitly invited to).

Project Roles

Project Admins can invite users to their project and assign users or groups to roles in that project. Note that projects may also be accessible by users with organization roles.

ActionProject AdminProject DeveloperProject EditorProject Interactive ViewerProject Viewer
View charts and dashboards
Export results visible in a chart to CSV
Export results visible in a chart to Google Sheets
Export results to CSV and override the limit
Export results to Google Sheets and override the limit
Use the explorer
View underlying data
Create/edit scheduled deliveries
Create/edit Syncs
Create/edit charts and dashboards
Use the SQL runner
Manage project access and permissions
Delete project

Organization Roles

Organization Admins can assign roles to organization members, which gives access to all projects in the organization.

ActionOrganization AdminOrganization DeveloperOrganization EditorOrganization Interactive ViewerOrganization ViewerOrganization Member
Create Personal access tokens
View all projects
Create new projects
Edit all projects
Admin for all projects
Invite users to organization
Manage organization access and permissions

Space Roles

Space permissions are inherited from a user's project permissions. For example, if I'm a project viewer, I will get viewer access to a Space.

ActionSpaces AdminSpaces EditorSpaces Viewer
Edit a Space's access (from Full to Restricted)
Invite users to a Restricted Space they have access to
Remove users from a Restricted Space they have access to
Add/Remove content from the Space
Edit the Space details (name, description, etc.)

Allowed email domains to join organization automatically

Organization admins can add allowed email domains to their organization settings so that anyone with those email domains can automatically join their organization (without explicitly inviting them).

To update your organization's allowed email domains setting, just go to the general organization settings.

In the allowed email domains panel, enter the email domains you want to be able to automatically join your organization (e.g. here, we've added Generic email domains like or are not accepted.

You can then select the access that you want these users to have, by default. The organization admin can always update a user's permissions after they've joined the organization!

If you want to add default permissions that are different across each project, you can select the organization role of organization member, then set the project access for each project.

Once you've selected the default roles for your allowed email domains, make sure to click update to save your changes.

Now, when a user tries to join Lightdash, they will be prompted to join your workspace if they have one of your allowed email domains.

Setting a Default Project

In the organization settings you can set a default project. This is the project users will see when they log in for the first time or from a new device. If a user does not have access, they will see their next accessible project.