Skip to main content

Enterprise permissions

Limited to Enterprise

This feature is limited to the dbt Cloud Enterprise plan. If you're interested in learning more about an Enterprise plan, contact us at sales@getdbt.com.

The dbt Cloud Enterprise plan supports a number of pre-built permission sets to help manage access controls within a dbt Cloud account. See the docs on access control for more information on Role-Based access control (RBAC).

Roles and permissions

The following roles and permission sets are available for assignment in dbt Cloud Enterprise accounts. They can be granted to dbt Cloud groups which are then in turn granted to users. A dbt Cloud group can be associated with more than one role and permission set. Roles with more access take precedence.

Licenses or Permission sets

The user's license type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.

Permissions:

  • Account-level permissions — Permissions related to the management of the dbt Cloud account. For example, billing and account settings.
  • Project-level permissions — Permissions related to the projects in dbt Cloud. For example, repos and access to the dbt Cloud IDE or dbt Cloud CLI.

Account roles

Account roles enable you to manage the dbt Cloud account and manage the account settings (for example, generating service tokens, inviting users, and configuring SSO). They also provide project-level permissions. The Account Admin role is the highest level of access you can assign.

Key:

  • (W)rite — Create new or modify existing. Includes send, create, delete, allocate, modify, and develop.
  • (R)ead — Can view but can not create or change any fields.

Account permissions for account roles

Account-level permission
Account Admin
Billing admin
Manage <br></br> marketplace <br></br> apps
Project creator
Security admin
Viewer
Account settingsW--RRR
Audit logsR---RR
Auth providerW---WR
BillingWW---R
ConnectionsW--W--
GroupsW--RWR
InvitationsW--WWR
IP restrictionsW---WR
LicensesW--WWR
Marketplace app--W---
MembersW--WWR
Project (create)W--W--
Public modelsRR-RRR
Service tokensW---RR
WebhooksW-----

Project permissions for account roles

Project-level permission
Account Admin
Billing admin
Project creator
Security admin
Viewer
Environment credentialsW-W-R
Custom env. variablesW-W-R
Data platform configurationsW-W-R
Develop (IDE or CLI)W-W--
EnvironmentsW-W-R
JobsW-W-R
Metadata GraphQL API accessR-R-R
PermissionsW-WWR
ProjectsW-WRR
RepositoriesW-W-R
RunsW-W-R
Semantic Layer configW-WvR

Project role permissions

The project roles enable you to work within the projects in various capacities. They primarily provide access to project-level permissions such as repos and the IDE or dbt Cloud CLI, but may also provide some account-level permissions.

Key:

  • (W)rite — Create new or modify existing. Includes send, create, delete, allocate, modify, and develop.
  • (R)ead — Can view but can not create or change any fields.

Account permissions for project roles

Account-level permission
Admin
Analyst
Database admin
Developer
Git Admin
Job admin
Job runner
Job viewer
Metadata <br></br>(Discovery API only)
Semantic Layer
Stakeholder
Team admin
Webhook
Account settingsR-R-R------R-
Auth provider-------------
Billing-------------
ConnectionsRRRRRR----RR-
GroupsR-RRR-----RR-
InvitationsWRRRRR-R--RR-
LicensesWRRRRR-R---R-
MembersW-RRR-----RR-
Project (create)-------------
Public modelsRRRRRR-RRRRRR
Service tokens-------------
WebhooksW--W--------W

Project permissions for project roles

Project-level permission
Admin
Analyst
Database admin
Developer
Git Admin
Job admin
Job runner
Job viewer
Metadata <br></br> (Discovery API only)
Semantic Layer
Stakeholder
Team admin
Webhook
Environment credentialsWWWWRW----RR-
Custom env. variablesWWWWWW-R--RW-
Data platform configsWWWWRW----RR-
Develop (IDE or CLI)WW-W---------
EnvironmentsWR*R*R*R*W-R--RR*-
JobsWR*R*R*R*WRR--RR*-
Metadata GraphQL API accessRRRRRR-RR-RR-
PermissionsW-RRR------R-
ProjectsWWWWWR-R--RW-
RepositoriesW-RRW-----RR-
RunsWR*R*R*R*WWR--RR*-
Semantic Layer configWRWRRR---WRR-

* These permissions are Read-only by default, but may be changed to Write with environment permissions.

Additional resources

0