Overview
This article is the complete reference for Datarails' permissions model. It covers the five system roles, how element-level access works, detailed capability tables by role, permissions for each product module, and how group permissions behave.
This article replaces User Management in Datarails and Managing Data & User Access Rights.
System Roles
Datarails has five system roles. Each role is designed for a specific type of user and defines the ceiling of what they can do across the product.
[Screenshot placeholder: role selector — new member invite screen]
| Role | Best for | Capabilities summary |
|---|---|---|
| Viewer | Executives, read-only stakeholders | View and download elements they have been shared on. No creation or management capabilities. |
| Collaborator | Budget submitters, department contributors | Upload data, submit inputs, view and edit fileboxes and report spaces they are shared on. Cannot create tables or manage org settings. |
| Manager | FP&A analysts, data owners | Create and manage tables, dashboards, reports, and storyboards. Handle data mapping and integrations. Manage permissions for elements they own or are shared on. |
| Admin | Finance leads, department heads, Accounting team | Manage users, org settings, and integrations. Full access to elements they create or are shared on. Does not auto-share on all elements. |
| Super Admin | IT administrators, system owners | Full access to all elements, settings, users, and data across the organization. Automatically shared on all elements and cannot be removed from any element. |
Functional Capabilities by Role — Core Actions
The table below shows which actions each system role can perform across the product.
| Capability | Viewer | Collaborator | Manager | Admin | Super Admin |
|---|---|---|---|---|---|
| View data | ✓ | ✓ | ✓ | ✓ | ✓ |
| Download Files | ✓ | ✓ | ✓ | ✓ | ✓ |
| Upload / Submit data | ✗ | ✓ | ✓ | ✓ | ✓ |
| Create and grant access to tables | ✗ | ✗ | ✓ | ✓ | ✓ |
| Share elements (inputs / outputs) | ✗ | ✗ | ✓ | ✓ | ✓ |
| Manage and map data (add, edit, delete) | ✗ | ✗ | ✓ | ✓ | ✓ |
| Manage permissions on elements | ✗ | ✗ | ✓ | ✓ | ✓ |
| Create & manage workflows | ✗ | ✗ | ✓ | ✓ | ✓ |
| Sync integrations | ✗ | ✗ | ✓ | ✓ | ✓ |
| Create dashboards & storyboards | ✗ | ✗ | ✓ | ✓ | ✓ |
| Create reports & report spaces | ✗ | ✗ | ✓ | ✓ | ✓ |
| Manage data sources & integrations | ✗ | ✗ | ✓ | ✓ | ✓ |
| Manage org settings | ✗ | ✗ | ✗ | ✓ | ✓ |
| Manage users | ✗ | ✗ | ✗ | ✓ | ✓ |
| Manage Groups | ✗ | ✗ | ✗ | ✗ | ✓ |
| Auto-share on all elements | ✗ | ✗ | ✗ | ✗ | ✓ |
Permission Levels
When an element is shared with a user, it can be granted at one of up to three access levels:
| Access Level | What it means |
|---|---|
| Viewer | Read-only: view and download only |
| Editor | Modify and manage content, but cannot delete or share the element |
| Owner | Full control: edit, delete, share, and manage the element |

| Role | Viewer | Editor | Owner |
|---|---|---|---|
| Viewer | ✓ | ✗ | ✗ |
| Collaborator | ✓ | ✓ | ✗ |
| Manager | ✓ | ✓ | ✓ |
| Admin | ✓ | ✓ | ✓ |
| Super Admin | ✓ | ✓ | ✓ |
How Permissions Work
Role sets the ceiling. A user's system role determines the maximum element-level access they can be granted. A Viewer, for example, cannot be made an Owner or Editor of any element.
Highest access wins. When a user has both individual and group permissions on the same element, the higher access level applies — in both directions.
Super Admins are auto-shared. Super Admins have implicit access to all elements in the organization and cannot be removed from any element.
💡 Tip: Open a user's Profile screen (Members & Groups → click any user) to see every element they have access to and at what level — a fast way to audit access before onboarding or offboarding a team member.
Element-Level Permissions by Role
What each access level means per element:
Tables
Viewer: View table data only
Owner: Create, modify, and delete tables; manage table permissions; grant access to others
Data Sources
Sync: Trigger syncs on connected Fileboxes (requires Editor or Owner access on those Fileboxes)
Owner: Edit integration settings, manage sync schedules, share the data source with others
Fileboxes, Folders & Collections
Viewer: View documents and data only
Editor: Upload and manage document versions; view and edit content
Owner: Approve workflows, assign versions, edit metadata, manage collaboration, delete, lock, upload, and view/edit content
Report Spaces
Viewer: View reports only
Editor: Manage and view reports
Owner: Manage and rename reports; full control over the report space
Workflows
Editor: Edit the workflow, clone instances, assign members, lock tasks and mark them complete
Owner: Create, configure, activate/deactivate, archive, delete, and share workflows; manage members
Dashboards
Viewer: View dashboards only
Editor: Modify filters and widgets; view dashboards
Owner: Modify dashboards, filters, and widgets; share and manage access
Storyboards
Viewer: View stories
Editor: Add and change stories
Owner: Add, change, delete, and share stories
Product Permissions (Coming Soon)
Each Datarails product module has its own permission model. Access to a product module must be explicitly shared with a user, with the exception of Super Admins, who have access to all modules by default. Granting access to a module also requires granting access to its dedicated tables; when you share the product, the system prompts you to grant table access as well.
Month End Close (MEC)
MEC has three access levels:
Viewer: View the Summary and Reconciliation screens. Data visibility is determined by the user's access to the Trial Balance (TB) table.
Editor: All Viewer capabilities, plus: participate in shared workflows and tasks, perform reconciliation actions.
Owner: All Editor capabilities, plus: access MEC Settings and full reconciliation management.
Only Admin and Super Admin can be assigned as MEC Owner.
Cash
Cash has two access levels:
Viewer: View all Cash pages (transactions and balances). Data visibility is determined by the user's access to the Bank_Transactions and Bank_Balances tables.
Owner: All Viewer capabilities, plus: manage rules, edit transaction categories, and share the Cash module with others.
Group Permissions
Groups allow you to share elements with multiple users at once. Permissions assigned to a group follow the same role-based rules as individual permissions.
How group permissions work
Highest access wins. If a user has both individual and group permissions on the same element, the higher access level applies — in both directions.
Groups cannot lower individual permissions. If a user already holds Owner access individually, adding them to a group with Viewer access will not downgrade their access.
Lower-role members are flagged. If a group contains members whose system role prevents them from receiving the assigned access level, the system displays a modal alert listing the affected users and asking how to proceed.
Role changes and group membership: When a group member's system role is changed to a lower role (for example, from Admin to Viewer), or a Viewer is added to a group of Admins, only that member's effective access within the group is adjusted to match their role ceiling. The group's access level on shared elements is not affected, and other group members are unaffected. The member remains in the group.
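The rules under "How Permissions Work" and "How group permissions work" can be combined into one effective-access calculation, which is useful when reviewing an access export. The sketch below is an added example, not Datarails code: the function names and sample users are hypothetical, and it assumes that a Super Admin's auto-share is equivalent to Owner.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    OWNER = 3


# Highest element-level access each system role can hold (role/access table on this page).
ROLE_CEILING = {
    "Viewer": Access.VIEWER,
    "Collaborator": Access.EDITOR,
    "Manager": Access.OWNER,
    "Admin": Access.OWNER,
    "Super Admin": Access.OWNER,
}


def effective_access(role, individual=Access.NONE, group_grants=()):
    """Access a user actually holds on one element."""
    if role == "Super Admin":
        # Assumption: auto-share ("full access") is modelled as Owner.
        return Access.OWNER
    # Highest access wins across the direct share and every group share...
    highest = max([individual, *group_grants])
    # ...but the system role caps the result.
    return min(highest, ROLE_CEILING[role])


def over_ceiling_members(group_level, member_roles):
    """Group members whose role cannot receive the group's access level."""
    return sorted(
        name for name, role in member_roles.items()
        if ROLE_CEILING[role] < group_level
    )


if __name__ == "__main__":
    # Constructed sample: one group shared as Owner on a single element.
    roles = {"dana": "Admin", "cam": "Collaborator", "eli": "Viewer"}
    for name, role in roles.items():
        level = effective_access(role, group_grants=[Access.OWNER])
        print(f"{name:5} {role:13} -> {level.name}")
    print("flagged:", over_ceiling_members(Access.OWNER, roles))
```

The members returned by `over_ceiling_members` correspond to the users the modal alert lists when a group is shared at a level some members cannot receive.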
How group permissions are displayed
A user shared via a group will show an ℹ icon next to their access level, indicating the permission comes from a group rather than a direct individual share.
If a user belongs to multiple groups with different access levels on the same element, the highest level applies.
Hovering over a group name shows a pop-up listing all members in that group.
What Changed from the Previous Model
Roles: The previous model had three roles — Admin, Contributor, and Viewer. This has expanded to five to provide more precise control. Contributor was split into Manager (power users who build, map, and manage content) and Collaborator (users who upload and submit data), ensuring no one has more system-level access than their role requires. Admin was split into Super Admin (auto-shared on all elements) and Admin to enable data segregation between different parts of the business.
Filebox permissions for linked Fileboxes: When a Filebox is mapped to a data table, the actions available to a user are now determined by the combination of their table access level and their Filebox access level. Users who have direct Filebox access but no access to the linked table can still upload and view content, but cannot perform actions such as deleting or archiving the Filebox.
© Datarails Ltd. All rights reserved.