Permissions
Understand the role hierarchy, configure workspace and project-level access, manage API key scopes, and control how content is shared across your team.
Role Types
OpenAnalyst uses a role-based access control model with five built-in roles. Roles are assigned per workspace and determine what actions a member can take.
| Role | Description |
|---|---|
| Owner | Full access including billing, workspace deletion, and owner transfer. Only one Owner per workspace. |
| Admin | Full access except billing and workspace deletion. Can manage members, integrations, connectors, and all workspace settings. |
| Editor | Can create, edit, and delete dashboards, reports, and charts. Cannot manage members or connectors. |
| Viewer | Read-only access to all dashboards and reports. Cannot create or edit content. Can export and share within their permission scope. |
| Guest | Restricted access to only the specific dashboards or reports they have been explicitly invited to view. |
Permission Matrix
| Action | Owner | Admin | Editor | Viewer | Guest |
|---|---|---|---|---|---|
| View dashboards | Yes | Yes | Yes | Yes | Assigned only |
| Create / edit dashboards | Yes | Yes | Yes | No | No |
| Delete dashboards | Yes | Yes | Own only | No | No |
| Manage connectors | Yes | Yes | No | No | No |
| Manage members | Yes | Yes | No | No | No |
| Manage integrations | Yes | Yes | No | No | No |
| Access billing | Yes | No | No | No | No |
| Generate API keys | Yes | Yes | No | No | No |
| Export data | Yes | Yes | Yes | Yes | Assigned only |
Workspace-Level vs Project-Level Permissions
Workspace-level roles apply across the entire workspace. Project-level permissions allow you to grant a member elevated or restricted access to a specific project (a group of dashboards and reports) without changing their workspace-wide role.
For example, a Viewer at the workspace level can be granted Editor access on a specific project, allowing them to edit dashboards within that project while still only viewing all other workspace content.
Note: Project-level permissions are additive — they can grant more access than the workspace role but cannot restrict it below the workspace role level. To restrict a user to specific content only, assign them the Guest role at the workspace level and explicitly grant access to the required resources.
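The additive rule above, together with the matrix's "Assigned only" and "Own only" cells, can be modelled as a small access check. This is an added example, not OpenAnalyst code: the Member and Dashboard shapes and all function names are hypothetical, "Own only" is assumed to mean dashboards the member created, and project grants are assumed to affect dashboard actions only.

```python
from dataclasses import dataclass, field

# Role order from the role table, least to most privileged.
RANK = {"guest": 0, "viewer": 1, "editor": 2, "admin": 3, "owner": 4}

# Minimum role per dashboard action, transcribed from the permission matrix.
MIN_ROLE = {"view": "guest", "export": "guest", "edit": "editor", "delete": "editor"}


@dataclass
class Member:  # hypothetical shape
    name: str
    workspace_role: str
    project_roles: dict = field(default_factory=dict)  # project -> granted role
    assigned: set = field(default_factory=set)          # dashboards a Guest was invited to


@dataclass
class Dashboard:  # hypothetical shape
    id: str
    project: str
    creator: str


def effective_role(m, project):
    """Additive rule: a project grant can raise, never lower, the workspace role."""
    granted = m.project_roles.get(project, m.workspace_role)
    return max(m.workspace_role, granted, key=RANK.__getitem__)


def allowed(m, action, d):
    role = effective_role(m, d.project)
    if RANK[role] < RANK[MIN_ROLE[action]]:
        return False
    if role == "guest":                          # "Assigned only" cells
        return d.id in m.assigned
    if action == "delete" and role == "editor":  # "Own only" cell
        return d.creator == m.name
    return True


def ineffective_grants(m):
    """Project grants below the workspace role restrict nothing; list them for review."""
    return sorted(p for p, r in m.project_roles.items()
                  if RANK[r] < RANK[m.workspace_role])
```

A non-empty result from `ineffective_grants` usually means someone tried to restrict a member through a project grant; per the note above, that member needs the Guest workspace role with explicit resource grants instead.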
Sharing Permissions
When sharing a dashboard or report, the sharing dialog shows permission options:
- View only — Recipients can view but not edit.
- Can edit — Recipients can make changes (requires Editor role or higher).
- Public link — Anyone with the link can view, no sign-in required. Only available for dashboards explicitly enabled for public sharing by an Admin.
API Key Scopes
API keys are scoped to control what operations they can perform. When generating an API key, select the appropriate scopes:
- read:dashboards — Read dashboard and panel data.
- write:dashboards — Create and modify dashboards.
- read:data — Query data from connected sources.
- write:data — Write data to connected sources (only for connectors with writes enabled).
- manage:agents — Create, configure, and run agents.
- admin — Full workspace access (grant sparingly).
Invite Management
Invite new members from Settings > Members > Invite. Invites are sent by email and expire after 72 hours. Pending invites are listed and can be revoked before they are accepted. You can also configure a domain allowlist so that anyone with a verified email at your company domain can join the workspace as a Viewer without requiring an explicit invite.