Roles and Permission Matrix
Transform has both primary and secondary roles in the product. Primary roles map to assignments that are given when a user is created in the interface, and secondary roles are roles that are assumed based on certain actions or assignments that come after a primary role designation.
Primary Roles
Organization Administrator
Organization Administrators have elevated privileges and can take most actions across the Metrics Catalog. Currently, there are only administrative actions available in the Metrics Catalog.
Administrators can change metadata about a metric (without ownership), edit and remove team members, and view and update settings around DW credentials. Organization admins cannot edit Team-specific objects and settings unless they are also administrators or members of a team.
User
Users can view and interact with most components of the interface but will not be able to take administrative actions, such as editing and managing users. Additionally, they will not be able to change anything about a metric in the UI unless they are explicitly an owner. A user is the default setting for an account that is not an administrator.
Service User (Transform)
The Service User in our system is used by the MQL server to make authenticated requests to our Backend API. It is also often used by customers in automated GitHub workflows for validating and committing changes to the Transform models. For this reason, the Service User role is only intended to make certain types of requests and doesn't have administrative access to many of the actions an admin can take in the UI.
Note: A service user has a limited set of privileges and is a role administrators don't need to assign, so we've left it out of the matrix below. Additionally, this user is not the same as the service user you create in your data warehouse to access Transform schemas; this is specific to the Transform permissions system.
Secondary Roles
Team Administrator
Team administrators can be either users or organization administrators. A person with an account in Transform can become a Team Admin by creating a team. Team Admins can take high-level actions around their team settings and on team pages.
Metric Owners
Metric owners can be Teams (a set of users) or individual Users. These assignments must be designated through the Framework or User interface. Metric Owners can take high-level actions around the metric description, approval, and ownership of a given metric.
Note: We've left metric owners out of the matrix and denoted where metric ownership matters by indicating how a user's permissions change based on ownership.
Permissions Matrix

Action | Organization Administrator | Users | Team Admins |
---|---|---|---|
Settings - Edit/Add Users to Transform | X | - | - |
Settings - Edit/Add Users to Team | X | - | X |
Settings - Create New Team | X | X | NA |
Settings - Edit DW Credentials | X | - | - |
Settings - Edit/Add/Remove MQL Server | X | - | - |
Settings - Create API Keys for oneself | X | X | NA |
Settings - View MQL Query Logs | X | X | NA |
Metric Page - View Lineage, Edit Chart, Save Query, Annotate, Ask Question | X | X | NA |
Metric Page - Edit Metric Description | X | If User Owns metric or is on Team that owns metric | If Team is Owner |
Export CSV | X | X | NA |
Share Metric | X | X | NA |
Edit/Delete Annotation | X | If User authored Annotation | NA |
Edit/Delete Question | If Admin authored | If User authored | NA |
Edit/Delete Saved Query | If Admin authored | If User authored | NA |
Metric Page - Approve Metric | X | If User Owns metric or is on Team that owns metric | If Team is Owner |
Metric Page - Edit Owners | X | If User Owns metric or is on Team that owns metric | If Team is Owner |
Collections - Create Collection | X | X | NA |
Collections - Edit Collection | If Admin owns Collection or is on Team that owns Collection | If User owns Collection or is on a team that owns Collection | If Team is Owner of Collection |
Collections - View All Collections | X | X | NA |
Team Page - Edit Team | If Admin on Team | If User is on Team | X |
Team Page - Add Metrics | If Admin on Team | If User is on Team | X |
Team Page - Add Collections | If Admin on Team | If User is on Team | X |
Team Page - Add Saved Queries | If Admin on Team | If User is on Team | X |
CLI - Run MQL Query | X | X | NA |
CLI - Commit Configs to Transform | X | X | NA |