
Enterprise permissions

Limited to Enterprise

This feature is limited to the dbt Cloud Enterprise plan. If you're interested in learning more about an Enterprise plan, contact us at sales@getdbt.com.

The dbt Cloud Enterprise plan supports a number of pre-built permission sets to help manage access controls within a dbt Cloud account. See the docs on access control for more information on role-based access control (RBAC).

Roles and permissions

The following roles and permission sets are available for assignment in dbt Cloud Enterprise accounts. They can be granted to dbt Cloud groups, which are in turn granted to users. A dbt Cloud group can be associated with more than one role and permission set. Roles with more access take precedence.

Licenses or Permission sets

The user's license type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.

Key:

  • (W)rite — Create new or modify existing. Includes send, create, delete, allocate, modify, develop, and read.
  • (R)ead — Can view but cannot create or change any fields.

Permissions:

  • Account-level permissions — Permissions related to the management of the dbt Cloud account. For example, billing and account settings.
  • Project-level permissions — Permissions related to the projects in dbt Cloud. For example, repos and access to the dbt Cloud IDE or dbt Cloud CLI.
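
The two rules above (the permission set with more access wins, then the license overrides the result) can be modelled for an access review. The following is an added example, not dbt Cloud code: the set names, users, groups and permission values are constructed, and it assumes that a Read-Only license caps every permission at R while a Developer license applies no cap.

```python
# Added example with constructed data; set names and values are hypothetical.
LEVEL = {None: 0, "R": 1, "W": 2}  # no access < (R)ead < (W)rite

# Hypothetical permission sets (values constructed, not copied from the tables).
PERMISSION_SETS = {
    "example_admin": {"Service tokens": "W", "Groups": "W", "Audit logs": "R"},
    "example_viewer": {"Service tokens": "R", "Groups": "R", "Audit logs": "R"},
    "example_jobs": {"Jobs": "W", "Runs": "W"},
}
# Assumption: Read-Only caps everything at R; Developer applies no cap.
LICENSE_CAP = {"Read-Only": "R", "Developer": "W"}

GROUPS = {
    "platform": ["example_admin"],
    "everyone": ["example_viewer"],
    "ops": ["example_jobs", "example_viewer"],
}
USERS = {
    "alice": {"license": "Developer", "groups": ["platform", "everyone"]},
    "bob": {"license": "Read-Only", "groups": ["platform"]},
    "carol": {"license": "Developer", "groups": ["ops"]},
}

def granted(user):
    """Union of every permission set reached via the user's groups; higher level wins."""
    out = {}
    for group in USERS[user]["groups"]:
        for set_name in GROUPS[group]:
            for perm, level in PERMISSION_SETS[set_name].items():
                if LEVEL[level] > LEVEL[out.get(perm)]:
                    out[perm] = level
    return out

def effective(user):
    """Apply the license override on top of the group grants."""
    cap = LICENSE_CAP[USERS[user]["license"]]
    return {p: (l if LEVEL[l] <= LEVEL[cap] else cap) for p, l in granted(user).items()}

def masked_grants(user):
    """Permissions where the license currently hides a higher group grant."""
    g, e = granted(user), effective(user)
    return sorted(p for p in g if g[p] != e[p])

if __name__ == "__main__":
    for name in USERS:
        print(name, effective(name), "masked:", masked_grants(name))
```

Entries returned by `masked_grants` are the ones to check before changing a user's license, because the group grant behind them takes effect as soon as the license no longer caps it.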

Account roles

Account roles enable you to manage the dbt Cloud account and manage the account settings (for example, generating service tokens, inviting users, and configuring SSO). They also provide project-level permissions. The Account Admin role is the highest level of access you can assign.

Account permissions for account roles

Account-level permission | Account Admin | Billing admin | Manage marketplace apps | Project creator | Security admin | Viewer
Account settings | WRRR
Audit logs | RRR
Auth provider | WWR
Billing | WWR
Connections | WW
Groups | WRWR
Invitations | WWWR
IP restrictions | WWR
Licenses | WWWR
Marketplace app | W
Members | WWWR
Project (create) | WW
Public models | RRRRR
Service tokens | WRR
Webhooks | W

Project permissions for account roles

Project-level permission | Account Admin | Billing admin | Project creator | Security admin | Viewer
Environment credentials (deployment) | WWR
Custom env. variables | WWR
Data platform configurations | WWR
Develop (IDE or dbt Cloud CLI) | WW
Environments | WWR
Jobs | WWR
Metadata GraphQL API access | RRR
Permissions | WWWR
Profile | WWR
Projects | WWRR
Repositories | WWR
Runs | WWR
Semantic Layer config | WWR

Project role permissions

The project roles enable you to work within the projects in various capacities. They primarily provide access to project-level permissions such as repos and the IDE or dbt Cloud CLI, but may also provide some account-level permissions.

Account permissions for project roles

Account-level permission | Admin | Analyst | Database admin | Developer | Git Admin | Job admin | Job runner | Job viewer | Metadata (Discovery API only) | Semantic Layer | Stakeholder | Team admin | Webhook
Account settings | RRRR
Auth provider
Billing
Connections | RRRRRRRR
Groups | RRRRRR
Invitations | WRRRRRRRR
Licenses | WRRRRRRR
Members | WRRRRR
Project (create)
Public models | RRRRRRRRRRRR
Service tokens
Webhooks | WWW

Project permissions for project roles

Project-level permission | Admin | Analyst | Database admin | Developer | Git Admin | Job admin | Job runner | Job viewer | Metadata (Discovery API only) | Semantic Layer | Stakeholder | Team admin | Webhook
Environment credentials (deployment) | WWWWRWRR
Custom env. variables | WWWWWWRRW
Data platform configurations | WWWWRWRR
Develop (IDE or dbt Cloud CLI) | WWW
Environments | WRRRRWRRR
Jobs | WRRRRWRRRR
Metadata GraphQL API access | RRRRRRRRRR
Permissions (Groups & Licenses) | WRRRR
Profile (Credentials) | WRRRRR
Projects | WWWWWRRRW
Repositories | WRRWRR
Runs | WRRRRWWRRR
Semantic Layer config | WRWRRRWRR
