Skip to main content

Enterprise permissions

Limited to Enterprise

This feature is limited to the dbt Cloud Enterprise plan. If you're interested in learning more about an Enterprise plan, contact us at sales@getdbt.com.

The dbt Cloud Enterprise plan supports a number of pre-built permission sets to help manage access controls within a dbt Cloud account. See the docs on access control for more information on Role-Based access control (RBAC).

Roles and permissions

The following roles and permission sets are available for assignment in dbt Cloud Enterprise accounts. They can be granted to dbt Cloud groups which are then in turn granted to users. A dbt Cloud group can be associated with more than one role and permission set. Roles with more access take precedence.

Licenses or Permission sets

The user's license type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.

Key:

  • (W)rite Create new or modify existing. Includes send, create, delete, allocate, modify, develop, and read.
  • (R)ead Can view but can not create or change any fields.

Permissions:

  • Account-level permissions Permissions related to the management of the dbt Cloud account. For example, billing and account settings.
  • Project-level permissions Permissions related to the projects in dbt Cloud. For example, repos and access to the IDE or dbt Cloud CLI.

Account roles

Account roles enable you to manage the dbt Cloud account and manage the account settings (for example, generating service tokens, inviting users, and configuring SSO). They also provide project-level permissions. The Account Admin role is the highest level of access you can assign.

Account permissions for account roles

Account-level permissionAccount AdminBilling adminManage
marketplace
apps
Project creatorSecurity adminViewer
Account settingsWRRR
Audit logsRRR
Auth providerWWR
BillingWWR
GroupsWRWR
InvitationsWWWR
IP restrictionsWWR
LicensesWWWR
Marketplace appW
MembersWWWR
Project (create)WW
Public modelsRRRRR
Service tokensWRR
WebhooksW

Project permissions for account roles

Project-level permissionAccount AdminBilling adminProject creatorSecurity adminViewer
ConnectionsWWR
CredentialsWWR
Custom env. variablesWWR
dbt adaptersWWR
Develop (IDE or dbt Cloud CLI)WW
EnvironmentsWWR
JobsWWR
MetadataRRR
PermissionsWWWR
ProfileWWR
ProjectsWWRR
RepositoriesWWR
RunsWWR
Semantic Layer ConfigWWR

Project role permissions

The project roles enable you to work within the projects in various capacities. They primarily provide access to project-level permissions such as repos and the IDE or dbt Cloud CLI, but may also provide some account-level permissions.

Account permissions for project roles

Account-level permissionAdminAnalystDatabase adminDeveloperGit AdminJob adminJob runnerJob viewerMetadata
(Discovery API only)
Semantic LayerStakeholderTeam adminWebhook
Account settingsRRRR
Auth provider
Billing
GroupsRRRRRR
InvitationsWRRRRRRRR
LicensesWRRRRRRR
MembersWRRRRR
Project (create)
Public modelsRRRRRRRRRRRR
Service tokens
WebhooksWWW

Project permissions for project roles

Project-level permissionAdminAnalystDatabase adminDeveloperGit AdminJob adminJob runnerJob viewerMetadata
(Discovery API only)
Semantic LayerStakeholderTeam adminWebhook
ConnectionsWRWRRRRR
CredentialsWWWWRWRR
Custom env. variablesWWWWWWRRW
dbt adaptersWWWWRWRR
Develop
(IDE or dbt Cloud CLI)
WWW
EnvironmentsWRRRRWRRR
JobsWRRWRWRRRR
MetadataRRRRRRRRRR
Permissions (Groups & Licenses)WRRRR
Profile (Credentials)WRRRRR
ProjectsWWWWWRRRW
RepositoriesWRRWRR
RunsWRRWRWWRRR
Semantic Layer ConfigWRWRRRWRR

How to set up RBAC Groups in dbt Cloud

Role-Based Access Control (RBAC) is helpful for automatically assigning permissions to dbt admins based on their SSO provider group associations. RBAC does not apply to model groups.

  1. Click the gear icon to the top right and select Account Settings. Click Groups & Licenses
Navigate to GroupsNavigate to Groups
  1. Select an existing group or create a new group to add RBAC. Name the group (this can be any name you like, but it's recommended to keep it consistent with the SSO groups). If you have configured SSO with SAML 2.0, you may have to use the GroupID instead of the name of the group.

  2. Configure the SSO provider groups you want to add RBAC by clicking Add in the SSO section. These fields are case-sensitive and must match the source group formatting.

  3. Configure the permissions for users within those groups by clicking Add in the Access section of the window.

    Configure SSO groups and Access permissionsConfigure SSO groups and Access permissions
  4. When you've completed your configurations, click Save. Users will begin to populate the group automatically once they have signed in to dbt Cloud with their SSO credentials.

0