Commit

Merge pull request #155 from dbt-labs/repo-sync
REPO SYNC - Public to Private
john-rock committed Jul 27, 2023
2 parents 86f59c2 + 7c27af9 commit e584c07
Showing 2 changed files with 95 additions and 192 deletions.
197 changes: 5 additions & 192 deletions website/docs/docs/cloud/manage-access/enterprise-permissions.md
Expand Up @@ -2,8 +2,10 @@
title: "Enterprise permissions"
id: "enterprise-permissions"
description: "Permission sets for Enterprise plans."
hide_table_of_contents: true #For the sake of the tables on this page
---

import Permissions from '/snippets/_enterprise-permissions-table.md';
import SetUpPages from '/snippets/_available-enterprise-only.md';

<SetUpPages features={'/snippets/_available-enterprise-only.md'}/>
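Review bot: the comment on the added `hide_table_of_contents: true` front-matter line ("#For the sake of the tables on this page") does not say what the tables need. State the reason directly, for example that the table of contents is hidden so the wide permission tables get the full page width, and put a space after `#`. Hiding it also removes in-page navigation to the `###` and `####` headings that the imported `_enterprise-permissions-table.md` snippet brings in, so confirm that trade-off is intended.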
Expand All @@ -13,200 +15,11 @@ help manage access controls within a dbt Cloud account. See the docs on [access
control](/docs/cloud/manage-access/about-user-access) for more information on Role-Based access
control (RBAC).

## Permission Sets
## Roles and permissions

The following permission sets are available for assignment in dbt Cloud Enterprise accounts. They
can be granted to dbt Cloud groups which are then in turn granted to users. A dbt Cloud group
can be associated with more than one permission set.
The following roles and permission sets are available for assignment in dbt Cloud Enterprise accounts. They can be granted to dbt Cloud groups which are then in turn granted to users. A dbt Cloud group can be associated with more than one role and permission set. Roles with more access take precedence.

### Account Admin

- **Has permissions on:** Authorized projects, account-level settings
- **License restrictions:** must have a developer license

Account Admins have unrestricted access to dbt Cloud accounts. Users with Account Admin permissions can:

- Create, delete, and modify all projects in an account
- Create, delete, and modify Connections
- Create, delete, and modify Environments
- Create, delete, and modify Groups
- Create, delete, and modify Group Memberships
- Create, delete, and modify Jobs
- Create, delete, and modify outbound webhook subscriptions
- Create, delete, and modify Repositories
- Manage Notification Settings
- Manage account-level [artifacts](/docs/deploy/artifacts)
- Run and cancel jobs
- Use the IDE
- View and modify Account Settings
- Generate [service tokens](/docs/dbt-cloud-apis/service-tokens), such as for [API usage](/docs/dbt-cloud-apis/overview)

### Security Admin

- **Has permissions on:** Account-level settings
- **License restrictions:** must have a Developer or an IT license

Security Admins have access to modify certain account-level settings. Users with Security Admin permissions can:

- View and modify Account Settings such as:
- View, invite, and modify account users
- Create, delete, and modify Groups
- Create, delete, and modify License Mappings
- Create and modify SSO Configurations
- View and export Audit Logs
- Create, delete, and modify IP Restrictions

### Billing Admin

- **Has permissions on:** Account-level settings
- **License restrictions:** must have a Developer or an IT license

Billing Admins have access to modify certain account-level settings related to billing. Users with Billing Admin permissions can:

- View and modify **Account Settings** such as:
- View billing information
- Modify billing information (accounts on the Team plan)
- This includes modifying Developer Seat counts for the Account

### Project Creator
- **Has permissions on:** Authorized projects, account-level settings
- **License restrictions:** must have a developer license

Project Creators can access, create, or modify projects and other settings in dbt Cloud. However, they don't have permission to modify SSO settings or account integrations.

Users with Project Creator permissions can:

- View Account Settings
- View and modify project users
- Create, delete, and modify all projects in an account
- Create, delete, and modify Connections
- Create, delete, and modify Environments
- Create, delete, and modify Jobs
- Create, delete, and modify Repositories
- Run and cancel jobs
- Use the IDE
- View Groups
- View Notification Settings

### Account Viewer

- **Has permissions on:** Authorized projects, account-level settings
- **License restrictions:** must have a developer license

Account Viewers have read-only access to dbt Cloud accounts. Users with Account Viewer permissions can:
- View all projects in an account
- View Account Settings
- View account-level artifacts
- View Connections
- View Environments
- View Groups
- View Group Memberships
- View Jobs
- View Notification Settings
- View Repositories

### Admin
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Admins have unrestricted access to _projects_ in dbt Cloud accounts which they are members of.
Admins can perform the following actions in projects they are assigned to:
- Create, delete, and modify Repositories
- Create, delete, and modify Connections
- Create, delete, and modify Environments
- Create, delete, and modify Group Memberships
- Create, delete, and modify Jobs
- Create, delete, and modify outbound webhook subscriptions
- Run and cancel jobs
- Use the IDE
- View project details

### Git Admin
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Git Admins can perform the following actions in projects they are assigned to:
- Create, delete, and modify Repositories
- View Connections
- View Environments
- View Jobs
- View project details

### Database Admin
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Database Admins can perform the following actions in projects they are assigned to:
- Create, delete, and modify Connections
- View Environments
- View Jobs
- View project details
- View Repositories

### Team Admin
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Team Admins can perform the following actions in projects they are assigned to:
- View Groups
- View Environments
- View Jobs
- View project details
- View Repositories

### Job Admin
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Job Admins can perform the following actions in projects they are assigned to:
- Create, delete, and modify Jobs
- Run and cancel jobs
- View connections
- View, edit, and create environments
- View historical runs

### Job Viewer
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Job Viewers can perform the following actions in projects they are assigned to:
- View environments
- View historical runs
- View job definitions

### Developer
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Developers can perform the following actions in projects they are assigned to:
- Configure personal developer credentials
- Create, delete, and modify Jobs
- Create, delete, and modify outbound webhook subscriptions
- Run and cancel jobs
- Use the IDE

### Analyst
- **Has permissions on:** Authorized projects
- **License restrictions:** must have a developer license

Analysts can perform the following actions in projects they are assigned to:
- Configure personal developer credentials
- Configure environmental variables
- View connections
- View environments
- View historical runs
- View job definitions
- Use the IDE


### Stakeholder
- **Has permissions on:** Authorized projects
- **License restrictions:** Intended for use with Read-Only licenses, but may be used with Developer licenses.

Stakeholders can perform the following actions in projects they are assigned to:
- View generated documentation
- View generated source freshness reports
- View the Read-Only dashboard
<Permissions feature={'/snippets/_enterprise-permissions-table.md'} />

## Diagram of the Permission Sets

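Review bot: the rewritten intro paragraph ends with "Roles with more access take precedence", which does not tell an administrator how several roles on one group combine. Say whether the effective permission is the most permissive entry per row (W over R) across all assigned roles, since that is what someone auditing a group needs to know. The removed per-role sections also each carried a "License restrictions" line (for example Security Admin "must have a Developer or an IT license", Stakeholder "Intended for use with Read-Only licenses"), and the imported table has no license information, so that requirement is no longer documented in this change; carry it into the snippet or keep a short license list here. Minor: `<Permissions feature=...>` passes `feature` while the existing `<SetUpPages features=...>` passes `features`; use one prop name.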
90 changes: 90 additions & 0 deletions website/snippets/_enterprise-permissions-table.md
@@ -0,0 +1,90 @@

Key:

* (W)rite &mdash; Create new or modify existing. Includes `send`, `create`, `delete`, `allocate`, `modify`, and `read`.
* (R)ead &mdash; Can view but can not create or change any fields.

Permissions:

* Account-level permissions &mdash; Permissions related to management of the dbt Cloud account. For example, billing and account settings.
* Project-level permissions &mdash; Permissions related to the projects in dbt Cloud. For example, repos and access to the IDE.

### Account roles
Account roles enable you to manage the dbt Cloud account and manage the account settings (for example, generating service tokens, inviting users, configuring SSO). They also provide project-level permissions. The **Account Admin** role is the highest level of access you can assign.

#### Account permissions for account roles

| Account-level permission| Account Admin | Billing admin | Project creator | Security admin | Viewer |
|:-------------------------|:-------------:|:-------------:|:---------------:|:--------------:|:------:|
| Account settings | W | | R | R | R |
| Audit logs | R | | | R | |
| Auth provider | W | | | W | R |
| Billing | W | W | | | R |
| Invitations | W | | W | W | R |
| IP restrictions | W | | | W | R |
| Members | W | | W | W | R |
| Project (create) | W | | W | | |
| Public models | R | R | R | R | R |
| Service tokens | W | | | R | |
| Webhooks | W | | | | |

#### Project permissions for account roles

|Project-level permission | Account Admin | Billing admin | Project creator | Security admin | Viewer |
|:-------------------------|:-------------:|:-------------:|:---------------:|:--------------:|:------:|
| Connections | W | | W | | R |
| Credentials | W | | W | | R |
| Custom env. variables | W | | W | | R |
| dbt adapters | W | | W | | R |
| Develop (IDE) | W | | W | | |
| Environments | W | | W | | R |
| Groups | W | | R | W | R |
| Jobs | W | | W | | R |
| Licenses | W | | W | W | R |
| Metadata | R | | R | | R |
| Permissions | W | | W | W | R |
| Profile | W | | W | | R |
| Projects | W | | W | R | R |
| Repositories | W | | W | | R |
| Runs | W | | W | | R |
| Semantic Layer Config | W | | W | | R |


### Project role permissions

The project roles enable you to work within the projects in various capacities. They primarily provide access to project-level permissions such as repos and the IDE, but may also provide some account-level permissions.

#### Account permissions for project roles

| Account-level permission | Admin | Analyst | Database admin | Developer | Git Admin | Job admin | Job viewer | Metadata | Semantic Layer | Stakeholder | Team admin | Webook |
|--------------------------|:-----:|:-------:|:--------------:|:---------:|:---------:|:---------:|:-----------:|:--------:|:--------------:|:-----------:|:----------:|:------:|
| Account settings | R | | R | | R | | | | | | R | |
| Auth provider | | | | | | | | | | | | |
| Billing | | | | | | | | | | | | |
| Invitations | W | R | R | R | R | R | R | | | R | R | |
| Members | W | | R | R | R | | | | | R | R | |
| Project (create) | | | | | | | | | | | | |
| Public models | R | R | R | R | R | R | R | R | R | R | R | R |
| Service tokens | | | | | | | | | | | | |
| Webhooks | W | | | W | | | | | | | | W |

#### Project permissions for project roles

|Project-level permission | Admin | Analyst | Database admin | Developer | Git Admin | Job admin | Job viewer | Metadata | Semantic Layer | Stakeholder | Team admin | Webook |
|--------------------------|:-----:|:-------:|:--------------:|:---------:|:---------:|:---------:|:-----------:|:--------:|:--------------:|:-----------:|:----------:|:------:|
| Connections | W | R | W | R | R | R | | | | R | R | |
| Credentials | W | W | W | W | R | W | | | | R | R | |
| Custom env. variables | W | W | W | W | W | W | R | | | R | W | |
| dbt adapters | W | W | W | W | R | W | | | | R | R | |
| Develop (IDE) | W | W | | W | | | | | | | | |
| Environments | W | R | R | R | R | W | R | | | R | R | |
| Groups | R | | R | R | R | | | | | R | R | |
| Jobs | W | R | R | W | R | W | R | | | R | R | |
| Licenses | W | R | R | R | R | R | R | | | | R | |
| Metadata | R | R | R | R | R | R | R | R | | R | R | |
| Permissions | W | | R | R | R | | | | | | W | |
| Profile | W | R | W | R | R | R | | | | R | R | |
| Projects | W | W | W | W | W | R | R | | | R | W | |
| Repositories | W | | R | R | W | | | | | R | R | |
| Runs | W | R | R | W | R | W | R | | | R | R | |
| Semantic Layer Config | W | R | W | R | R | R | | | W | R | R | |
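Review bot: in "Project permissions for project roles" the Projects row gives W to Analyst, Database admin, Developer, Git Admin and Team admin, and the key defines W as including `delete`, while the prose this commit removes from enterprise-permissions.md gave Git Admin, Database Admin and Team Admin only "View project details" and listed no project modification for Analyst or Developer. Please confirm these cells against the product before merging, because the table now documents a broader grant than the text it replaces; the same applies to Team admin W on Permissions and Git Admin W on Custom env. variables. The last column header is spelled "Webook" in both project-role tables and should read "Webhook". "Account permissions for project roles" omits the Audit logs and IP restrictions rows that the account-role table has, so a reader cannot tell "no access" from "not listed"; add them as empty rows. Smaller points: "can not" in the key should be "cannot", and role names mix capitalisation ("Billing admin", "Git Admin", "Account Admin").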
