| Admin | Builder | ReadOnly | Partner | |
|---|---|---|---|---|
| Intended for | Tenant administrators | Data modelers / developers | Internal read-only users | External partners / clients |
| Develop Mode (Ruthie) | Yes | Yes | No | No |
| Branch Access | PROD + DRAFT | PROD + DRAFT | PROD only | PROD only |
| Feature / Action | Admin | Builder | ReadOnly | Partner |
|---|---|---|---|---|
| Dashboards — View | CRUD | CRUD | Read | Read |
| Analyses — View & Create | CRUD | CRUD | CRUD | CRUD |
| Dimensions | CRUD | CRUD | Read | Read |
| Measures / Metrics | CRUD | CRUD | Read | Read |
| Pipeline Nodes | CRUD | CRUD | Read | Read |
| Pipeline Node Data (query results) | Yes | Yes | Yes | No |
| Sources | CRUD | CRUD | Read | No access |
| Source Record Types | CRUD | CRUD | Read | Read |
| Context Items | CRUD | CRUD | CRUD | No access |
| Unstructured Context | CRUD | CRUD | CRUD | No access |
| Data Loads | CRUD | CRUD | CRUD | No access |
| Files / File Parts | CRUD | CRUD | CRUD | No access |
| Agents | CRUD | CRUD | No access | No access |
| Date Dimension Custom Periods | CRUD | CRUD | No access | No access |
| Build Orchestrations — View | CRUD | CRUD | Read | Read |
| Build Orchestrations — Execute | Yes | Yes | No | No |
| SQL Execution | Yes | Yes | No | No |
| Import / Export | Yes | Yes | No | No |
| Dashboard Notifications | Yes | Yes | No | No |
| Audit Log | Read | No access | No access | No access |
| Billing | CRUD | No access | No access | No access |
| Tenant Config / User Mgmt | Yes | No | No | No |
| Danger Zone (resets) | Yes | No | No | No |
| Snowflake Auth Config | Yes | No | No | No |
These are configured by an Admin on individual user accounts and apply to all roles, though they are primarily designed for restricting ReadOnly and Partner users.
| Permission | Effect | Applicable To |
|---|---|---|
| Dimension Filters | Automatically applied to every analysis query. The user can only see data matching these filters (e.g., region = "US"). Filters with the same dimension ID override dashboard-level filters. |
All roles, but required for Partner — they are blocked from all data access until at least one dimension filter is configured. |
| Blacklisted Metric IDs | Hides specific metrics from the user. These metrics will not appear in query results. | All roles. Works as an additional restriction layer. |
Partner is unique in that it requires explicit configuration before any data access works:
This makes Partner a “default-deny” role — unlike the other three roles which work out of the box.
| Scenario | Behavior |
|---|---|
| Admin/Builder + dimension filters | Filters are auto-applied to all their analyses (restricts what data they see) |
| Admin/Builder + blacklisted metrics | Those metrics are hidden from their queries |
| ReadOnly + dimension filters | Same as above — filters always applied |
| Partner + no config | Blocked entirely from data access |
| Partner + dimension filters | Can access data, but only what filters allow |
| Partner + blacklisted metrics + dimension filters | Can access filtered data with certain metrics hidden |
Key principle: Roles set the ceiling (what features/actions are available), and user-level permissions narrow the scope (what data within those features is visible). Permissions can restrict any role, but can only “grant” access for Partner (by satisfying the mandatory config requirement).