Role-Based Access Control


clariBI's role-based access control (RBAC) determines what each user can see and do. This guide explains the five built-in roles and how permissions work.

Plan Requirement

RBAC management (viewing roles, changing assignments) is available on Professional ($199/mo) and Enterprise ($999/mo) plans. On Trial and Starter plans, all users get the Member role by default.

The Five Built-In Roles

Owner (35 permissions)

Full access to everything. Only the account creator starts as Owner. Owners can:

  • Manage billing, subscriptions, and payments
  • Configure all security settings including MFA enforcement
  • Create, edit, and delete any content across the organization
  • Manage all users and roles
  • Access organization audit logs
  • Transfer ownership

Administrator (29 permissions)

Broad access for day-to-day management. Cannot access billing or some security settings. Administrators can:

  • Manage users (invite, remove, change roles except Owner)
  • Create, edit, and delete dashboards, reports, and data sources
  • Manage workspaces and sharing
  • View audit logs
  • Configure integrations

Analyst (14 permissions)

Focused on analytics and reporting. Cannot manage users or settings. Analysts can:

  • Create and edit their own dashboards and reports
  • Run AI analyses and conversational queries
  • Connect data sources
  • Manage goals
  • Share content with other users

Member (8 permissions)

Standard access. The default role for new users. Members can:

  • View dashboards and reports shared with them
  • Run basic AI queries
  • View goals
  • Participate in workspaces

Viewer (6 permissions)

Read-only access. Viewers can:

  • View dashboards and reports shared with them
  • View goals
  • View workspace content

Viewers cannot create, edit, or delete anything.

[Figure: clariBI Settings Security tab showing MFA status and session timeout preferences]

Permission Categories

Permissions are organized into 10 categories:

  1. User Management — invite, edit, remove users
  2. Data Management — connect, sync, manage data sources
  3. Analytics & Insights — run analyses, use AI
  4. Reports & Dashboards — create, edit, share, export
  5. Goals & Tracking — create and manage goals
  6. Billing & Subscriptions — manage plans and payments
  7. Organization Settings — configure org-level settings
  8. Security & Access — MFA, sessions, API keys
  9. Integrations — manage third-party connections
  10. System Administration — platform-level admin access

Changing a User's Role

  1. Go to Settings > Organization > Team Members
  2. Find the user and click their current role
  3. Select the new role from the dropdown
  4. Click Save

Only Owners and Administrators can change roles. No one can assign a role higher than their own (Admins cannot create Owners).

Permission Inheritance

Roles are hierarchical. Higher roles inherit all permissions of lower roles:

Viewer < Member < Analyst < Administrator < Owner

An Administrator has all permissions of an Analyst, plus additional management permissions.

Organization-Level Enforcement

RBAC is enforced at both the server level and the interface level. The interface hides features the user cannot access, and the server rejects unauthorized requests even if a user attempts to access a restricted endpoint directly.
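The role hierarchy and the role-change rules above can be expressed as a single server-side authorization check that runs no matter what the interface displayed. This is an added example, not clariBI's own code; the function names, the HTTP status codes, and the rule that a user ranked above the actor cannot be modified (inferred from "change roles except Owner") are assumptions.

```python
from enum import IntEnum
from typing import Tuple


class Role(IntEnum):
    """Hierarchy from the guide: Viewer < Member < Analyst < Administrator < Owner."""
    VIEWER = 1
    MEMBER = 2
    ANALYST = 3
    ADMINISTRATOR = 4
    OWNER = 5


# Per the guide, only Owners and Administrators can change roles.
MIN_ROLE_TO_MANAGE = Role.ADMINISTRATOR


def can_change_role(actor: Role, target_current: Role, new_role: Role) -> Tuple[bool, str]:
    """Decide whether `actor` may move a user from `target_current` to `new_role`."""
    if actor < MIN_ROLE_TO_MANAGE:
        return False, "actor may not change roles"
    if new_role > actor:
        # "No one can assign a role higher than their own."
        return False, "cannot assign a role higher than your own"
    if target_current > actor:
        # Assumption: an Administrator cannot demote or edit an Owner.
        return False, "cannot modify a user ranked above you"
    return True, "ok"


def handle_role_change(session_role: Role, target_current: Role,
                       requested_role: str) -> Tuple[int, str]:
    """Hypothetical request handler. The actor's role comes from the server-side
    session; only the requested role name comes from the (untrusted) client."""
    try:
        new_role = Role[requested_role.upper()]
    except KeyError:
        return 400, "unknown role"
    allowed, reason = can_change_role(session_role, target_current, new_role)
    return (200, reason) if allowed else (403, reason)


if __name__ == "__main__":
    # Constructed requests: a dropdown-legal change, then two crafted ones.
    print(handle_role_change(Role.ADMINISTRATOR, Role.MEMBER, "analyst"))
    print(handle_role_change(Role.ADMINISTRATOR, Role.MEMBER, "owner"))
    print(handle_role_change(Role.ANALYST, Role.VIEWER, "member"))
```

Ownership transfer is a separate Owner permission in the guide and is not modeled here.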

Pro Tip

Start with the least-privilege approach. Give new users the Member or Viewer role and upgrade as needed. It is easier to grant more access than to remove it after someone has already seen sensitive data.
