Self-service permissions
There are 3 roles available for self-service dbt Cloud accounts:
- Owner — Full access to account features.
- Member — Robust access to the account with restrictions on features that can alter billing or security.
- Read-only — Read-only access to features.
Key:
- (W)rite — Create new or modify existing. Includes send, create, delete, allocate, modify, and read.
- (R)ead — Can view but cannot create or change any fields.
- No value — No access to the feature.
Permissions:
- Account-level permissions — Permissions related to management of the dbt Cloud account. For example, billing and account settings.
- Project-level permissions — Permissions related to the projects in dbt Cloud. For example, repos and access to the IDE or dbt Cloud CLI.
Account permissions for account roles
Account-level permission | Owner | Member | Read-only |
---|---|---|---|
Account settings | W | W | |
Audit logs | R | | |
Auth provider | W | | |
Billing | W | | |
Groups | W | R | R |
Invitations | W | W | R |
Licenses | W | R | |
Members | W | R | R |
Project (create) | W | W | |
Public models | R | R | R |
Service tokens | W | | |
Webhooks | W | W | |
Project permissions for account roles
Project-level permission | Owner | Member | Read-only |
---|---|---|---|
Adapters | W | W | R |
Connections | W | W | R |
Credentials | W | W | R |
Custom env. variables | W | W | R |
dbt adapters | W | W | |
Develop (IDE or dbt Cloud CLI) | W | W | |
Environments | W | W | R |
Jobs | W | W | R |
Metadata | R | R | R |
Permissions | W | R | |
Profile | W | W | R |
Projects | W | W | R |
Repositories | W | W | R |
Runs | W | W | R |
Semantic Layer Config | W | W | R |
Read-Only vs. Developer License Types
Users configured with Read-Only license types will experience a restricted set of permissions in dbt Cloud. If a user is associated with a Member permission set and a Read-Only seat license, then they will only have access to what a Read-Only seat allows. See Seats and Users for more information on the impact of licenses on these permissions.
Owner and Member Groups in dbt Cloud Enterprise
By default, new users are added to the Member and Owner groups when they onboard to a new dbt Cloud account. Member and Owner groups are included with every new dbt Cloud account because they provide access for administrators to add users and groups, and to apply permission sets.
You will need the Owner and Member groups to help with account onboarding, but these groups can create confusion when initially setting up SSO and RBAC for dbt Cloud Enterprise accounts, as described in the Enterprise Permissions guide. Owner and Member groups are account-level groups, so their permissions override any project-level permissions you wish to apply.
After onboarding administrative users and configuring RBAC/SSO groups, we recommend the following steps for onboarding users to a dbt Cloud Enterprise account.
Prerequisites
You need to create an Account Admins group before removing any other groups.
- Create an Account Admins group.
- Assign at least one user to the Account Admins group. The assigned user can manage future groups, SSO mappings, and user or group assignments.
Remove the Owner and Member groups
Follow these steps for both Owner and Member groups:
- Log in to dbt Cloud.
- Click the gear icon at the top right and select Account settings.
- Select Groups, then select the OWNER or MEMBER group.
- Click Edit.
- At the bottom of the Group page, click Delete.
The Account Admin can add additional SSO mapping groups, permission sets, and users as needed.
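A pre-flight check for the removal procedure above, as an added example (not dbt Labs code): it confirms the Account Admins prerequisite and lists the users affected by deleting the Owner and Member groups. The snapshot shape, the `Analysts (SSO)` group, the user addresses, and the `preflight` function are assumptions made for illustration, not a dbt Cloud API.

```python
# Constructed snapshot of group membership. The dict shape is an assumption
# for this example, not a dbt Cloud API response.
SNAPSHOT = {
    "Owner": ["ana@example.com", "raj@example.com"],
    "Member": ["raj@example.com", "li@example.com", "sam@example.com"],
    "Account Admins": ["ana@example.com"],
    "Analysts (SSO)": ["li@example.com"],  # hypothetical RBAC/SSO-mapped group
}

DEFAULT_GROUPS = ("Owner", "Member")
ADMIN_GROUP = "Account Admins"


def preflight(groups):
    """Check the prerequisites before the Owner and Member groups are deleted."""
    admins = set(groups.get(ADMIN_GROUP, []))

    # Everyone who currently holds account-level access through Owner/Member.
    in_defaults = set()
    for name in DEFAULT_GROUPS:
        in_defaults.update(groups.get(name, []))

    in_other = set()  # members of any group other than Owner/Member
    in_rbac = set()   # members of groups other than Owner/Member/Account Admins
    for name, users in groups.items():
        if name in DEFAULT_GROUPS:
            continue
        in_other.update(users)
        if name != ADMIN_GROUP:
            in_rbac.update(users)

    return {
        # Prerequisite: the Account Admins group exists and has at least one user.
        "safe_to_delete": bool(admins),
        # Owner/Member are account-level groups, so the project-level permissions
        # of these users' other groups are overridden until the groups are removed.
        "overridden": sorted(in_defaults & in_rbac),
        # No membership outside Owner/Member: review before deleting.
        "no_other_group": sorted(in_defaults - in_other),
    }


if __name__ == "__main__":
    for key, value in preflight(SNAPSHOT).items():
        print(f"{key}: {value}")
```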