Roles and permissions
Roles in your Lightdash instance
- Everybody in your organization will join as an
Organization Memberunless specified. For example, if I invite someone to a project as an editor, they will become an organization member witheditoraccess to that project. If I invite someone to the organization as aviewer, then they will be anorganization viewer(instead of anorganization member). - All organization members can create their own projects and will be the Project Admin for that project.
- Admins have access to all content (even content they haven't been explicitly invited to).
Project Roles
Project Admins can invite users to their project and assign the following roles. Note that projects may also be accessible by users with organization roles.
| Action | Project Admin | Project Developer | Project Editor | Project Interactive Viewer | Project Viewer |
|---|---|---|---|---|---|
| View charts and dashboards | ✅ | ✅ | ✅ | ✅ | ✅ |
| Use the explorer | ✅ | ✅ | ✅ | ✅ | ❌ |
| Export CSVs | ✅ | ✅ | ✅ | ✅ | ❌ |
| View underlying data | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create/edit scheduled deliveries | ✅ | ✅ | ✅ | ❌ | ❌ |
| Create/edit charts and dashboards | ✅ | ✅ | ✅ | ❌ | ❌ |
| Use the SQL runner | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manage project access and permissions | ✅ | ❌ | ❌ | ❌ | ❌ |
| Delete project | ✅ | ❌ | ❌ | ❌ | ❌ |
Organization Roles
Organization Admins can assign roles to organization members, which gives access to all projects in the organization.
| Action | Organization Admin | Organization Developer | Organization Editor | Organization Interactive Viewer | Organization Viewer | Organization Member |
|---|---|---|---|---|---|---|
| Create Personal access tokens | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View all projects | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create new projects | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Edit all projects | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Admin for all projects | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Invite users to organization | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage organization access and permissions | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Space Roles
Space permissions are inherited from a user's project permissions. For example, if I'm a project viewer, I will get viewer access to a Space.
| Action | Spaces Admin | Spaces Editor | Spaces Viewer |
|---|---|---|---|
| Edit a Space's access (from Full to Restricted) | ✅ | ✅ | ❌ |
| Invite users to a Restricted Space they have access to | ✅ | ✅ | ❌ |
| Remove users from a Restricted Space they have access to | ✅ | ✅ | ❌ |
| Add/Remove content from the Space | ✅ | ✅ | ❌ |
| Edit the Space details (name, description, etc.) | ✅ | ✅ | ❌ |
Allowed email domains to join organization automatically
Organization admins can add allowed email domains to their organization settings so that anyone with those email domains can automatically join their organization (without explicitly inviting them).
To update your organization's allowed email domains setting, just go to the general organization settings.
In the allowed email domains panel, enter the email domains you want to be able to automatically join your organization (e.g. here, we've added lightdash.com). Generic email domains like google.com or hotmail.com are not accepted.
You can then select the access that you want these users to have, by default. The organization admin can always update a user's permissions after they've joined the organization!
You have the option to select:
- Organization Viewer: users that join as an organization viewer will automatically have
vieweraccess to all projects in the organization. If a new project is added to the organization after they join, they will also get access to this new project as a viewer, by default. - Organization Member: Users that join as an organization member will only have
vieweraccess to the projects that you select.
Once you've selected the default roles for your allowed email domains, make sure to click update to save your changes.
Now, when a user tries to join Lightdash, they will be prompted to join your workspace if they have one of your allowed email domains.
