Skip to main content

Permissions reference

Permissions determine the resources and operations a user can access in an organization. You grant permissions by adding a user to a group, which represents a collection of permissions.

This topic lists all of the available permissions, organized by access level.

Organization-level permissions

Organization-level permissions apply to all projects in an organization. These permissions are project-independent and cannot be scoped to a specific project.

  • AccessAuditLogs: View audit logs.
  • AccessMetrics: Export metrics for all projects in the organization using the Metrics export API.
  • AdministerApiKeys: View, create, modify, and delete all API keys for the organization.
  • AdministerBilling: Manage invoices and credit card information.
  • AdministerClients: View, create, and modify OAuth clients.
  • AdministerCustomizations: Customize the application name, logos, UI colors, and visualization colors for the organization.
  • AdministerNetworkPolicies: Create, modify, and delete all IP allowlists for the organization.
  • AdministerProjects: View, create, modify, and delete all projects irrespective of their sharing and access configuration.
  • AdministerUsers: View, create, modify, and delete users; assign and remove user permissions.

Project-level permissions

Project-level permissions, you must define their project scope. You can scope them to the entire organization, including all existing and future projects, or limit their scope to specific projects. Scoping permissions allows you to have more fine-grained control over who can access what project for your organization.

Project administration

  • AccessCollections: View the contents of the Collections tab.
  • AccessScaling: View performance pages in read-only mode.
  • AdministerScaling: Make selections that impact performancechange project size, view usage, and view Clarity metrics.
  • ManageApiKeys: View and create API keys for the organization; manage and delete your own API keys. The ManageApiKeys permission allows you to assign project-level permissions. To assign organization-level permissions, you need the AdministerApiKeys permission.
  • ManageCollections: Create, modify, and delete collections.
  • ManageNetworkPolicies: Create, modify, and delete IP allowlists on a project level.
  • ManageProjects: View and manage projects within the access granted by their individual configuration; set a project's maximum size. The ManageProjects permission doesn't enable you to create or delete projects. To do that, you must have the AdministerProjects permission.

Data management

  • AccessDownloadAsync: Download from a data cube using the async download feature.
  • AccessDownloadData: Download a limited number of rows for a data cube. The maximum row limit is 5000.
  • AccessDownloadLargeData: Download an unlimited number of rows for a data cube.
  • AccessMonitoring: View the contents of the User queries, Streaming, and Detailed metrics pages. For more information, see Use dashboards to monitor Polaris.
  • AccessMonitorQueries: Monitor database queries.
  • AccessQueries: Manage the queries within the access granted by their individual configuration. Note that users with SQL access can effectively perform arbitrary queries. Any user with the AccessQueries permission also has the ReadDataSources permission.
  • AccessQueryRawData: View the raw disaggregated data underlying the data cube. Users with the AccessQueryRawData permission can access the Raw data dialog by clicking Toggle options > View raw data. The Raw data dialog respects all the settings on the data cube except for the controls that can be changed by a user who doesn't have permission to edit the data cubefor example, the selected visualization, non-required filters, splits, and compares.
  • AdministerEmbedLinks: View and manage embedding links.
  • AdministerQueries: View, create, and manage all saved SQL queries.
  • AdministerReports: View and manage all scheduled reports irrespective of their access configuration.
  • CreateElevatedAlerts: Grants permission to override the minimum alert frequency and minimum alert timeframe settings on a data cube. See Manage data cubes and Set up alerts for more information.
  • ManageAlerts: Modify alerts within the access granted via the individual configuration.
  • ManageAlertsWebhooks: Configure alerts to send webhook notifications.
  • ManageConnections: Create and edit connections.
  • ManageFiles: Upload and delete files.
  • ManageIngestionJobs: Start, stop, cancel, and delete an ingestion job. This permission is required to query deep storage data asynchronously.
  • ManageTables: View table data and modify schema. View and create lookups.
  • ReadDataSources: Read data using the Query API. This permission is automatically assigned to users who have the AccessQueries permission.

Analytics

  • AccessAlerts: View the contents of the Alerts tab.
  • AccessDashboards: View dashboards.
  • AccessDataCubes: View data cubes.
  • AccessReports: View the contents of the Reports tab.
  • AccessVisualization: View data cubes and dashboards.
  • AdministerAlerts: View, create, and manage all alert configurations irrespective of their sharing and access configuration.
  • AdministerDashboards: View, create, and manage all dashboards irrespective of their sharing and access configuration.
  • AdministerDataCubes: View, create, and manage all data cubes irrespective of their sharing and access configuration.
  • AdministerEmbedLinks: View and manage embedding links.
  • AdministerReports: View, create, and manage all scheduled reports irrespective of their access configuration.
  • FilterWithRegex: Use the regex filter for string dimensions.
  • ManageAlerts: Modify alerts within the access granted by their individual configuration.
  • ManageAlertsWebhooks: Configure alerts to send webhook notifications.
  • ManageDataCubes: Create, modify, and delete data cubes within the access granted by their individual configuration.
  • ManageDashboards: Create, modify, and delete dashboards within the access granted by their individual configuration.
  • ManageReports: Create and manage reports within the access granted by their individual configuration.
  • ViewTables: View table data and schema for all tables.

Learn more

See Manage user groups for information on user groups.