RBAC: Owner, Administrator, Analyst, Member, Viewer

Overview

clariBI uses role-based access control (RBAC) to manage what each person in your organization can do. Every user is assigned one of five built-in roles, each with a specific set of permissions. This system ensures that people have access to what they need -- and nothing more.

RBAC is available on Professional ($199/month) and Enterprise ($999/month) plans. Organizations on Trial and Starter plans use a simplified permission model where all members have the same access level.

The Five Built-In Roles

Owner (35 Permissions)

The Owner is the highest-level role, assigned to the person who created the organization. There is exactly one Owner per organization.

Full access includes:

• All permissions available in clariBI
• Billing and subscription management
• Organization deletion
• Ownership transfer
• Security policy enforcement (MFA requirements, session settings)
• All Administrator, Analyst, Member, and Viewer permissions

Unique Owner-only actions: - Transfer organization ownership - Delete the organization - Manage billing and payment methods - Set organization-wide security policies - Access complete audit logs

The Owner role cannot be assigned to additional people. To change the Owner, the current Owner must transfer ownership.

Administrator (29 Permissions)

Administrators handle day-to-day management of the organization. You can have multiple Administrators.

Key permissions:

• Invite, remove, and manage organization members
• Assign and change roles (except Owner)
• Manage all data sources, dashboards, and reports
• Access audit logs
• Configure integrations
• Manage workspaces and workspace membership
• Reset MFA for other users
• View usage and billing information (read-only)

What Administrators cannot do:

• Change billing or payment methods
• Delete the organization
• Transfer ownership
• Modify organization-wide security policies (MFA enforcement, IP restrictions)

Analyst (14 Permissions)

Analysts are power users focused on data analysis and reporting. This role is designed for team members who create analytics content but do not need to manage people or settings.

Key permissions:

• Create, edit, and delete their own dashboards and reports
• Run AI conversational queries (uses AI credits)
• Create and manage data source connections
• Export data in all available formats
• Create and manage goals
• Share content to workspaces they belong to
• View all published dashboards and reports

What Analysts cannot do:

• Invite or remove organization members
• Assign or change roles
• Edit or delete content created by other users
• Access audit logs
• Manage integrations or organization settings

Member (8 Permissions)

Members have standard access for everyday use. This is the default role assigned to new users when they join an organization.

Key permissions:

• View all published dashboards and reports
• Run AI conversational queries (uses AI credits)
• Create their own dashboards (limited)
• Add comments on shared content
• View their own usage statistics
• Export data from items they can access

What Members cannot do:

• Create or manage data sources
• Generate reports
• Share content to workspaces
• Manage goals
• Access any administrative features

Viewer (6 Permissions)

Viewers have read-only access. This role is ideal for executives, clients, or external stakeholders who need to see data but should not modify anything.

Key permissions:

• View all published dashboards and reports
• View shared workspace content
• Add comments on items they can view
• View their own profile and settings
• Receive notifications for shared content

What Viewers cannot do:

• Create, edit, or delete any content
• Run AI queries
• Export data
• Access data sources
• Manage goals or any settings beyond their own profile

Permission Comparison Table

Assigning Roles

During Invitation

When inviting a new member:

1. Go to Settings > Team > Invite Member.
2. Enter the person's email address.
3. Select a role from the dropdown.
4. Click Send Invitation.

The invited person receives an email with a link to join. They are assigned the selected role upon acceptance.

Changing an Existing Member's Role

1. Go to Settings > Team.
2. Find the member in the list.
3. Click the role badge next to their name.
4. Select the new role from the dropdown.
5. Confirm the change.

Role changes take effect immediately. The user's interface updates to reflect their new permissions on the next page load.

Who can change roles: - Owner can change anyone's role. - Administrator can change anyone's role except the Owner's. - All other roles cannot change roles.

Transferring Ownership

1. Go to Settings > Organization > Transfer Ownership.
2. Select the new Owner from the list of current Administrators.
3. Enter your password to confirm.
4. The previous Owner is automatically assigned the Administrator role.

Only the current Owner can transfer ownership, and only to an existing Administrator.

Role Requirements by Plan

On Trial and Starter plans, all users have equivalent access (similar to the Analyst role). RBAC differentiation begins on Professional plans.

How RBAC Interacts with Workspace Roles

Organization-level RBAC roles and workspace roles work together:

• Organization role sets the ceiling -- a Viewer at the organization level cannot create content even if they are a workspace Admin.
• Workspace role narrows access within a workspace -- a Member workspace role cannot edit others' content in that workspace, even if they are an Administrator at the organization level.
• Organization Owner and Administrator can access all workspaces regardless of workspace-level role.

For workspace-specific role details, see Workspace Roles: Owner, Admin, Member, Viewer Permissions.

Viewing Your Current Role

To see your assigned role:

1. Click your profile avatar in the top-right corner.
2. Your role appears below your name in the dropdown.
3. For more detail, go to Settings > Profile where your role and permissions are listed.

Audit Trail for Role Changes

Every role assignment and change is logged in the organization's audit log:

• Who made the change
• What the previous role was
• What the new role is
• Timestamp

Access the audit log from Settings > Organization > Audit Log (Owner and Administrator only).

Best Practices

• Follow the principle of least privilege. Assign the minimum role needed for each person's job function. You can always promote someone later.
• Use Analyst for data teams. Analysts get full analytics capabilities without administrative overhead.
• Limit Administrators. Two or three Administrators per organization is usually sufficient.
• Audit role assignments quarterly. Review who has what access and remove or downgrade roles for people who have changed responsibilities.
• Use Viewer for external stakeholders. When sharing access with clients or consultants, Viewer provides visibility without risk.
• Consider Custom Roles for Enterprise. If the five built-in roles do not fit your organization's structure, Enterprise plans support custom roles. See Custom Roles: Defining Granular Permissions.

Related Articles

• Custom Roles: Defining Granular Permissions
• Workspace Roles: Owner, Admin, Member, Viewer Permissions
• API Keys: Create, Scope, Rotate, Revoke
• MFA Setup: TOTP Authenticator App and Backup Codes
• Session Settings: Timeouts, Notifications, Login History
• Team Seats: Adding, Removing, Cost Per Seat