Roles

Role Reference

A breakdown of every role with the defaults each one ships with. Admins can tighten or loosen further per-role per-teammate.

Admin roles

Super Admin

The owner of the organisation. Created automatically when you sign up.

Can do

  • Manage billing and the subscribed plan
  • Invite and remove other admins
  • Create, edit and delete every connection
  • Override per-org entitlements
  • See and edit anything in the workspace
Admin

Trusted operators. Full access except for super-admin-only actions.

Can do

  • Invite and manage employees
  • Create, edit and delete connections
  • Configure AI provider keys
  • Create reports, dashboards, datasets

Can't do

  • Change billing or remove other admins

Employee roles

Editor

A general-purpose builder. Suitable for analysts and developers.

Can do

  • Use the query editor against granted connections
  • Edit rows in the data editor
  • Create reports, datasets and dashboards
  • Use AI Chat and AI Dashboards
Viewer

Read-only access — perfect for stakeholders.

Can do

  • Open reports and dashboards they were granted
  • Browse the schema viewer
  • Use AI Chat in read-only mode

Can't do

  • Run write queries
  • Edit data
  • Create or delete reports
SQL Expert / SQL Senior / SQL Junior

Three seniority levels for SQL operators. Defaults differ by level.

Can do

  • Query and edit data on granted relational connections
  • Create reports and datasets
  • Run DDL / DML based on level (junior = read-only, expert = full)
NoSQL Expert / NoSQL Senior / NoSQL Junior

Same three levels, but for document/NoSQL engines.

Can do

  • Query and edit documents on granted NoSQL connections
  • Create reports built on NoSQL datasets

SQL action permissions

For employees you can also toggle individual SQL action classes:

  • DDLCREATE / ALTER / DROP. Off for read-only roles.
  • DMLINSERT / UPDATE / DELETE. Required for the data editor.
  • DQLSELECT. The most common permission.
  • DCLGRANT / REVOKE. Usually admin-only.
  • TCLCOMMIT / ROLLBACK. Off only blocks explicit transactions.
  • Export / Import — independent toggles.

Allowed lists

Beyond toggles, you can specify allowed connections, databases and tables. Leave a list empty and the employee gets access to all items of that kind in the org.

Tips for assigning roles

Common patterns

  • External contractor — Viewer + access to a single connection + access to one specific report.
  • New analyst — Editor + all connections except production + DDL off.
  • Engineer joining the data team — SQL Senior + all connections + DDL allowed only on development.