Granular role-based access control for serious teams
Most BI tools have "viewer / editor / admin" and that's it. clariBI ships with 5 standard roles, 35+ permissions, and custom role creation that matches your actual org structure.
| Permission | Owner | Administrator | Analyst | Member | Viewer |
|---|---|---|---|---|---|
| View Dashboards | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit Dashboards | ✓ | ✓ | ✓ | × | × |
| Manage Data Sources | ✓ | ✓ | × | × | × |
| Invite Members | ✓ | ✓ | × | × | × |
| Manage Billing | ✓ | × | × | × | × |
| Security Settings | ✓ | × | × | × | × |
| Export Reports | ✓ | ✓ | ✓ | ✓ | × |
Three-role permissions are for hobby projects
The moment your team has more than one contractor, more than one department, or anything resembling a compliance review, the "viewer / editor / admin" model falls apart.
You end up creating fake users, sharing credentials, or just giving everyone admin because it's the only way to get work done. All three outcomes are bad.
Contractors with admin access
Because there's no "contractor" role, you promote the freelancer to admin for the two weeks they're working with you — then forget to downgrade them.
Shared logins "because it's easier"
Half the finance team logs in as the CFO. Audit logs are useless. Offboarding means rotating one password and praying.
InfoSec review blocked
Separation of duties is a checkbox on every InfoSec questionnaire. A three-role system literally can't satisfy it.
No "read-only for one workspace"
The finance lead should see everything in the Finance workspace but only high-level KPIs in Marketing. Global roles can't express that.
How RBAC works in clariBI
Five standard roles cover 90% of cases. Custom roles and scopes cover the rest.
5 standard roles out of the box
Assign a new hire to a role in two clicks. The five standard roles are modelled on what actual companies use, not what a product manager brainstormed in a whiteboard session.
- Owner — 35 permissions. Full access including billing and security settings.
- Administrator — 29 permissions. Broad access but no billing or security changes.
- Analyst — 14 permissions. Build dashboards, create reports, run AI queries.
- Member — 8 permissions. Default role. View and comment on shared resources.
- Viewer — 6 permissions. Read-only. No editing, no exporting.
35+ granular permissions
Every action in clariBI maps to a specific permission, bucketed by category: Data Sources, Dashboards, Reports, Goals, Billing, Security, Members, and more.
Mix and match exactly what a role can do — no more "I need to let Sally edit dashboards but not touch the Stripe connection" workarounds.
- ✓ Organized by feature category
- ✓ Searchable in the role editor
- ✓ Each permission maps to a specific API action
Custom role creation
Build a "Marketing Lead" or "Finance Reviewer" role from any combination of the 35+ permissions. Inherit from a standard role as a starting point to avoid listing every permission from scratch.
Custom roles live alongside the standard ones and can be assigned to any number of users. Rename, clone, or archive them as your org evolves.
- ✓ Inherit from a standard role
- ✓ Duplicate a role as a template
- ✓ Only Owners can create or edit custom roles
Scope-based access & audit trail
Permissions can be scoped to the whole organization, a single workspace, or just the user. The same person can be an Analyst in the Marketing workspace and a Viewer in Finance — with no extra accounts.
Every permission grant, role change, and denied access attempt is logged automatically. Search the audit trail when someone asks "who could see this?" without having to guess.
- ✓ Organization, workspace, or user scope
- ✓ Every role change logged with timestamp and actor
- ✓ Searchable from the audit log viewer
Built for teams with real access requirements
Not generic personas. Actual situations.
Compliance with separation of duties
Finance reviewers can approve a report but can't create the underlying data source. Dashboard builders can create but can't publish to an executive workspace. The four-eyes principle expressed in actual permissions, not a policy document.
Pass your InfoSec questionnaire without writing a compensating control essay.
Agencies with multiple clients
Each client gets its own workspace. The account team working on Client A has full Analyst access there and zero visibility into Client B. Principals see everything. No data leakage between clients, no "oops wrong dashboard" incidents.
One clariBI subscription, cleanly partitioned.
Companies with contractor access
Build a "Contractor" custom role that inherits from Viewer and adds only the specific permissions the engagement needs. When the contract ends, flip one setting and access is gone. Audit log shows exactly what they touched.
No more "please remove Jane from all systems" emails.
Mixed full-time and part-time teams
Part-timers get workspace-scoped Analyst access for only the hours they contribute to. Full-timers get organization-wide access. Same clariBI org, different scopes, no awkward second account.
The model stretches from a 3-person startup to a 500-person operation.
RBAC is the spine of clariBI security
Every feature, every API endpoint, every dashboard checks the same permission model. No backdoors, no special cases.
Audit & Security
Every RBAC change is logged. MFA, SSO, and session management layer on top.
Team Collaboration
Workspaces use RBAC to partition team access cleanly.
REST API
Every API key respects the role of the user who created it.
Granular RBAC is available on Professional ($199/mo) and Enterprise ($999/mo) plans.
More RBAC capabilities
Features that matter once your team grows past "everyone has admin."
Per-resource access control
Override workspace-level roles for a specific dashboard or report when you need a narrower scope. Useful for "everyone can see this one dashboard" situations.
Role cloning & templates
Duplicate an existing role as a starting point for a new one. Faster than clicking 35 permission checkboxes from scratch.
Bulk role assignment
Select multiple users from the Members page and change their role in one action. Essential when onboarding a new cohort of contractors or promoting a team.
Permission explanations
Hover any permission to see exactly which UI actions and API endpoints it controls. No guessing what "Manage Data Sources" actually unlocks.
Role usage analytics
See how many users hold each role. Spot custom roles nobody actually uses. Identify when everyone accidentally got promoted to Admin.
Access request workflow
Members can request elevated access from a workspace they don't currently belong to. Owners approve or deny; every decision is logged.
Under the hood
Every API endpoint in clariBI checks the caller's effective permissions before doing anything. The check happens in the Django request pipeline, not in the view code, so new endpoints can't accidentally skip it.
Permissions are resolved through three layers: the user's base role, any workspace-scoped overrides, and any resource-specific grants. The most specific match wins. Denied actions return a 403 with a clear error message and are logged in the audit trail.
Custom roles are just rows in a database table with a JSONB permission set, so they're fast to read and cheap to cache. Role changes propagate across the organization within seconds.
Permission resolution
Three-layer lookup: user base role → workspace override → resource grant. Most specific wins.
Enforcement point
Permission check runs in the Django middleware layer. New endpoints inherit the check automatically — no "we forgot to add @require_permission" bugs.
Audit integration
Every denied request is logged with the caller, endpoint, and reason. Use the audit log to investigate "who could have seen this?" questions definitively.
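As an added illustration of the three-layer lookup and audited 403 described above (example code written for this page, not clariBI's own implementation): the role contents, permission names, the rule that a more specific layer replaces rather than merges with the layer below it, and the in-memory audit list are all assumptions.

```python
from dataclasses import dataclass, field

# Role -> permission-set table. Permission names and role contents are constructed
# for this example; the real clariBI permission catalogue is not on the page.
STANDARD_ROLES = {
    "viewer":  {"dashboards.view"},
    "member":  {"dashboards.view", "dashboards.comment", "reports.export"},
    "analyst": {"dashboards.view", "dashboards.comment", "dashboards.edit", "reports.export"},
}

AUDIT_LOG = []  # one dict per denied request: caller, action, scope, reason


@dataclass
class Principal:
    user_id: str
    base_role: str                                       # organization-wide role
    workspace_roles: dict = field(default_factory=dict)  # workspace -> role name
    resource_grants: dict = field(default_factory=dict)  # (workspace, resource) -> permission set


def effective_permissions(p: Principal, workspace=None, resource=None) -> set:
    """Three-layer lookup; the most specific layer that has an entry wins outright (assumption)."""
    if resource is not None and (workspace, resource) in p.resource_grants:
        return p.resource_grants[(workspace, resource)]      # layer 3: resource grant
    if workspace is not None and workspace in p.workspace_roles:
        return STANDARD_ROLES[p.workspace_roles[workspace]]  # layer 2: workspace override
    return STANDARD_ROLES[p.base_role]                       # layer 1: base role


def authorize(p: Principal, permission: str, workspace=None, resource=None):
    """Middleware-style gate: returns (status, message); every deny is appended to AUDIT_LOG."""
    if permission in effective_permissions(p, workspace, resource):
        return 200, "ok"
    AUDIT_LOG.append({"caller": p.user_id, "permission": permission,
                      "workspace": workspace, "resource": resource,
                      "reason": "permission absent from most specific matching layer"})
    return 403, f"{p.user_id} is not allowed to {permission} in {workspace or 'organization'}"


# Constructed sample principal: Viewer org-wide, Analyst in Marketing,
# plus a view-only grant on a single Finance dashboard.
dana = Principal("dana", "viewer",
                 workspace_roles={"marketing": "analyst"},
                 resource_grants={("finance", "kpi-summary"): {"dashboards.view"}})

if __name__ == "__main__":
    for args in [("dashboards.edit", "marketing"), ("dashboards.edit", "finance"),
                 ("dashboards.view", "finance", "kpi-summary")]:
        print(args, authorize(dana, *args))
    print("denied requests audited:", len(AUDIT_LOG))
```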
Give the right people the right access.
Stop sharing logins. Stop promoting contractors to admin. Configure RBAC properly in 15 minutes.
Getting started with RBAC
From "everyone's an admin" to "everyone has the right access" in under an hour.
Audit who has what today
Open the Members page and see everyone's current role. Most orgs will find a surprising number of Administrators and Owners. Make a list of who actually needs elevated access.
Takes about 5 minutes for a team of 20.
Map roles to people
For most teams, the five standard roles cover 90% of cases. Assign each team member the lowest-privilege role that still lets them do their job. Start restrictive; upgrade as needed.
Use bulk assignment to move 10 people at once.
Create custom roles for edge cases
Contractor who needs to edit exactly one dashboard? External auditor who should see everything but touch nothing? Finance reviewer with approve-but-not-create rights? Build a custom role by cloning a standard one and adjusting permissions.
Most custom roles take 2 minutes to configure.
Review the audit trail quarterly
Once a quarter, scan the audit log for role changes, permission grants, and denied requests. Look for patterns: who's hitting access-denied errors a lot? That's a signal to re-check their role.
Set a 30-minute calendar block; you'll rarely use all of it.
How we think about access control
The principles behind the clariBI RBAC design.
Least privilege by default
New users land in the Member role, which has just 8 permissions — enough to be productive, not enough to break anything. Elevation is a deliberate act by an Administrator or Owner, not an accident.
Explicit beats implicit
Every permission maps to a specific action. We don't have "power user" or "super admin" flags that secretly grant broad access. If a role can do something, that something is a named permission checkbox in the role editor.
Defaults that match real orgs
The five standard roles were designed by looking at what actual companies use, not what a theoretical org chart looks like. The Owner, Administrator, Analyst, Member, and Viewer roles map cleanly onto the way most teams actually divide responsibility.
Auditability is not optional
Every permission grant, role change, and denied access attempt is in the audit trail. You can always answer "who had access to this, and when?" without guessing.
RBAC across plans
What's available on each tier.
| Capability | Starter | Professional | Enterprise |
|---|---|---|---|
| 5 standard roles | Yes | Yes | Yes |
| 35+ granular permissions | No | Yes | Yes |
| Custom role creation | No | Yes | Yes |
| Workspace-scoped access | No | Yes | Yes |
| Per-resource grants | No | Yes | Yes |
| Audit trail integration | No | Yes | Yes |
| IdP group-based mapping | No | No | Yes |
| Access request workflow | No | No | Yes |
See pricing for full plan details.
RBAC FAQ
Common questions about roles and permissions.
What's included in each standard role?
Owner has all 35 permissions including billing and security. Administrator has 29 (no billing or security settings). Analyst has 14 (dashboards, reports, AI queries). Member has 8 (view and comment). Viewer has 6 (read-only, no export). The complete breakdown is in the in-app role editor.
Can I create custom permissions, not just custom roles?
Permissions themselves are defined by the platform (since they map to specific API actions), but you can combine them into any custom role you want. If there's a permission you need that doesn't exist, file a feature request.
How do I revoke a user's access fast?
From the Members page, click a user and either change their role to Viewer, remove them from the workspace, or deactivate their account entirely. Session tokens are invalidated immediately and active sessions are killed.
Does this work with SSO?
Yes. RBAC roles are assigned within clariBI regardless of how the user logs in. SSO handles authentication; RBAC handles authorization. See the Audit & Security page for SSO details.
What's the difference between this and Workspaces?
Workspaces are containers for dashboards, reports, and data sources. RBAC is the permission model that controls who can do what inside those workspaces. Most teams use both: workspaces to organize, RBAC to restrict.
Is there an approval workflow for role changes?
Only Owners can create or modify custom roles. Administrators can assign users to existing roles. Every change is logged in the audit trail so reviewers can verify after the fact. A dedicated approval workflow is on the Enterprise roadmap.