ContextQMD
Back to Airbyte

Role-based access control (RBAC)

docs/platform/access-management/rbac.md

2.0.04.8 KB
Original Source

Role-based access control (RBAC)

Role Based Access Control allows a user with Administrative access to apply roles to users, granting different levels of permission within an organization or workspace.

:::info Self-Managed Enterprise instances have an Instance Admin role in addition to the other roles outlined in this document. Airbyte assigns this role to the first user who logs on to Airbyte in a Self-Managed Enterprise instance. This user has all permissions listed below for all workspaces and all organizations associated with their Enterprise account. To update this assignment, enterprise customers should contact Airbyte support. :::

Organization roles

When you assign an organization role, Airbyte scopes permissions to the entire organization, which includes all workspaces in that organization.

PermissionsMemberReaderRunnerEditorAdmin
Read Organization
<ul><li>Read individual organizations</li></ul> | X | X | X | X | X | | **Create Workspace** <ul><li>Create new workspace within a specified organization</li><li>Delete a workspace</li></ul> | | | | X | X | | **Update Organization** <ul><li>Modify organization settings, including billing, PbA, SSO</li><li>Modify user roles within the organization</li></ul> | | | | | X |

Workspace roles

In a workspace role, Airbyte scopes permissions to that specific workspace. You can override an organization role by assigning someone a higher role in a workspace. However, you can't assign a role that's more restricted than the role that person holds in the organization. For example, an organization admin must also be a workspace admin. However, an organization reader can be a workspace reader, editor, or admin.

PermissionsReaderRunnerEditorAdmin
Read Workspace
<ul><li>List the connections in a workspace</li><li>Read individual connections</li><li>Read workspace settings (data residency, users, connector versions, notification settings)</li></ul> | X | X | X | X | | **Sync Connection** <ul><li>Start/cancel syncs and refreshes</li></ul> | | X | X | X | | **Modify Connector Settings** <ul><li>Create, modify, delete sources and destinations in a workspace</li></ul> | | | X | X | | **Update Connection** <ul><li>Modify a connection, including name, replication settings, normalization, DBT</li><li>Clear connection data</li><li>Create/Delete a connection</li><li> Create/Update/Delete connector builder connectors</li></ul> | | | X | X | | **Update Workspace** <ul><li> Update workspace settings (data residency, users, connector versions, notification settings)</li><li> Modify workspace connector versions</li></ul> | | | | X |

Best practices for assigning roles

  • At the organization level, assign the lowest level of permission necessary.
  • At the workspace level, assign higher roles for individual workspaces as needed to override organization role within that workspace.
  • Don't assign admin roles frivolously. Once someone is an admin, you can't demote them.

Setting roles

  1. In the navigation bar, click Workspace settings or Organization settings > Members.

  2. In the table, under Workspace role, click the current role and then select a new role.