Authorization
Console uses an AWS IAM-inspired permission system built from Groups, Policies, and fine-grained Actions.
How It Works
User → Groups → Policies → Actions on Resources
Users do not have permissions directly. They belong to one or more Groups. Each group has one or more Policies attached (or inline). Policies define which actions are allowed or denied on which resources.
Action Format
Actions are written as service:action, for example:
users:list # List users
users:invite # Invite a new user
connections:sync # Sync database metadata
visualizations:execute # Run a visualization query
data_api:execute # Consume a data API endpoint
Wildcards are supported:
| Pattern | Meaning |
|---|---|
| users:* | All actions in the users service |
| *:list | The list action in every service |
| * | Full access (all services, all actions) |
Policy Document
A policy contains one or more statements, each with an effect (Allow or Deny), a list of actions, and a list of resources (ARN patterns or *).
{
"version": "2025-01-01",
"statements": [
{
"sid": "AllowReadUsers",
"effect": "Allow",
"actions": ["users:list", "users:get"],
"resources": ["*"]
},
{
"sid": "DenyDeleteUsers",
"effect": "Deny",
"actions": ["users:delete"],
"resources": ["*"]
}
]
}
Evaluation Logic
Permissions are evaluated in this order:
- Owner bypass: users marked as owner have full access and skip all further checks
- Explicit Deny: any matching Deny statement blocks access (Deny always wins)
- Explicit Allow: any matching Allow statement grants access
- Default: implicit deny (no matching statement means access is denied)
Because owners skip evaluation entirely, no Deny statement can restrict an owner, so grant the owner flag sparingly. At the other end, a user whose attached policies contain no matching Allow statement has no effective permissions at all.
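The following evaluator is an added example, not Console's own code. It puts the Action Format section and the evaluation order above into one runnable piece: the action wildcards are matched per colon-separated segment (so `*:list` covers the list action of every service), and the four-step order is applied by scanning every statement for a Deny before honouring any Allow. The `READ_USERS_POLICY` document is the one shown on this page; `ANALYST_POLICY`, `FULL_ACCESS_POLICY`, the users and the `finance/*` resource shape are constructed for illustration, and glob matching of resource patterns is an assumption since the page does not define how resources are compared.

```python
"""Reference evaluator for the policy model described above.

Added example, not Console's own code. It implements the documented order
(owner bypass, explicit Deny, explicit Allow, implicit deny) and the action
wildcards "users:*", "*:list" and "*". The page does not say how resource
patterns are matched, so glob matching over the resource string is assumed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Iterator


def action_matches(pattern: str, action: str) -> bool:
    """Match a concrete "service:action" against a policy action pattern.

    Each side of the colon is compared separately, so "*:list" matches the list
    action of every service and "users:*" every action of the users service.
    """
    if pattern == "*":
        return True
    p_service, p_sep, p_action = pattern.partition(":")
    a_service, a_sep, a_action = action.partition(":")
    if not (p_sep and a_sep):
        return False  # every action has exactly one colon; anything else is malformed
    return p_service in ("*", a_service) and p_action in ("*", a_action)


def resource_matches(pattern: str, resource: str) -> bool:
    """Assumption: a resource entry is "*" or a glob pattern over the resource string."""
    return pattern == "*" or fnmatchcase(resource, pattern)


@dataclass
class User:
    name: str
    is_owner: bool = False
    groups: list = field(default_factory=list)  # each group is a list of policy documents


def statements_for(user: User) -> Iterator[dict]:
    """Users hold no permissions directly: walk User -> Groups -> Policies -> statements."""
    for group in user.groups:
        for policy in group:
            yield from policy.get("statements", [])


def is_allowed(user: User, action: str, resource: str = "*") -> tuple:
    """Return (decision, reason) following the documented evaluation order."""
    if user.is_owner:
        return True, "owner bypass"
    first_allow = None
    for stmt in statements_for(user):
        hit = any(action_matches(p, action) for p in stmt["actions"]) and any(
            resource_matches(r, resource) for r in stmt["resources"])
        if not hit:
            continue
        if stmt["effect"] == "Deny":
            return False, f"explicit Deny ({stmt.get('sid', '?')})"  # Deny always wins
        if stmt["effect"] == "Allow" and first_allow is None:
            first_allow = stmt.get("sid", "?")  # keep scanning: a later Deny still wins
    if first_allow is not None:
        return True, f"explicit Allow ({first_allow})"
    return False, "implicit deny (no matching statement)"


# The policy document shown on this page.
READ_USERS_POLICY = {"version": "2025-01-01", "statements": [
    {"sid": "AllowReadUsers", "effect": "Allow", "actions": ["users:list", "users:get"], "resources": ["*"]},
    {"sid": "DenyDeleteUsers", "effect": "Deny", "actions": ["users:delete"], "resources": ["*"]},
]}

# Constructed for this example: wildcard Allow, wildcard Deny, and one resource-scoped
# statement (the "finance/*" resource shape is invented here, not Console's).
ANALYST_POLICY = {"version": "2025-01-01", "statements": [
    {"sid": "AllowViz", "effect": "Allow", "actions": ["visualizations:*", "dashboards:*"], "resources": ["*"]},
    {"sid": "DenyAnyDelete", "effect": "Deny", "actions": ["*:delete"], "resources": ["*"]},
    {"sid": "ReadFinanceTables", "effect": "Allow", "actions": ["managed-tables:data-read"], "resources": ["finance/*"]},
]}

FULL_ACCESS_POLICY = {"version": "2025-01-01", "statements": [
    {"sid": "AllowAll", "effect": "Allow", "actions": ["*"], "resources": ["*"]}]}

ALICE = User("alice", groups=[[READ_USERS_POLICY]])
BOB = User("bob", groups=[[ANALYST_POLICY]])
CAROL = User("carol", groups=[[FULL_ACCESS_POLICY], [READ_USERS_POLICY]])  # "*" Allow, but Deny wins
OWNER = User("root", is_owner=True)

if __name__ == "__main__":
    for user, action, resource in [
        (ALICE, "users:list", "*"), (ALICE, "users:delete", "*"), (ALICE, "users:invite", "*"),
        (BOB, "visualizations:execute", "*"), (BOB, "dashboards:delete", "*"),
        (BOB, "managed-tables:data-read", "finance/ledger"), (BOB, "managed-tables:data-read", "hr/salaries"),
        (CAROL, "users:delete", "*"), (OWNER, "users:delete", "*"),
    ]:
        print(f"{user.name:6} {action:26} {resource:15} -> {is_allowed(user, action, resource)}")
```

The carol case is the one worth internalising: a `*` Allow in one group does not survive a `users:delete` Deny attached through another group, because Deny is checked before Allow regardless of which group or policy it came from. The owner case shows the opposite edge: the same Deny is never consulted for an owner.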
Available Services
| Service | Actions |
|---|---|
| users | list, get, invite, update, delete, activate, deactivate, list_integration_users, create_integration_user, delete_integration_user, assign_groups, remove_groups |
| groups | list, get, create, update, delete, attach_policy, detach_policy |
| policies | list, get, create, update, delete |
| company | get, update |
| api_keys | list, list_own, get, create, create_own, revoke, revoke_own |
| connections | list, get, create, update, delete, test, sync |
| vpn_profiles | list, get, create, update, delete |
| visualizations | list, get, create, update, delete, execute, publish, share, schedule |
| dashboards | list, get, create, update, delete, publish, share, schedule |
| analysis-folders | list, get, create, update, delete |
| managed-tables | list, get, create, update, delete, upload, data-read, data-write |
| viz_api_endpoints | list, read, create, update, delete |
| data_api | execute, get_job |
| concepts | list, get, create, update, delete |
| knowledge_reviews | list, review, generate, manage_jobs |
| semantic | list, create, update, delete |
| ontology | list, create, update, delete |
| share_tags | list, read, create, update, delete |
| audit-logs | list |
| metadata | read |
The full list of available actions can be fetched at runtime:
GET /api/v1/policies/actions
Pre-defined Managed Policies
Console provides ready-to-use managed policies:
| Policy | Description |
|---|---|
| FullAdmin | Full access to everything |
| ReadOnly | Read-only access across all services |
| UserManager | Manage users (invite, activate, assign groups) |
| GroupManager | Manage groups and list policies |
| ApiKeyManager | Manage integration users and API keys |
| ConnectionManager | Manage connections, VPN profiles, and managed tables |
| VisualizationViewer | View and execute dashboards and visualizations |
| VisualizationManager | Full management of visualizations, dashboards, and analysis folders |
| AnalyticsAuthor | Create and publish visualizations, dashboards, and API endpoints |
| KnowledgeManager | Manage domain knowledge (concepts, semantic, ontology) |
| DataEngineer | Manage connections, managed tables, and metadata |
| PolicyManager | Manage policies |
| CompanyAdmin | Manage company settings |
| DataAPIConsumer | Execute data API endpoints and poll async job results |
Checking Permissions
Use the permissions endpoint to retrieve the list of actions the current user is allowed to perform:
GET /api/v1/auth/permissions
Authorization: Bearer YOUR_TOKEN
Response:
{
"actions": ["users:list", "users:get", "visualizations:*"],
"is_owner": false
}
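A small client for this endpoint, added here as an example (it is not Console's own SDK): it sends the Bearer token and then answers "may the current user do X?" from the response. The point it illustrates is that the actions list carries patterns such as visualizations:* alongside concrete actions, so a plain membership test would wrongly report that visualizations:execute is not allowed; the check has to be a pattern match, and is_owner short-circuits it just as owner bypass does on the server. The base URL, token and SAMPLE_RESPONSE are constructed. This client-side check decides what to attempt or display; the server still evaluates every request.

```python
"""Client-side helper for GET /api/v1/auth/permissions.

Added example, not Console's own client code. The response shape ("actions"
patterns plus "is_owner") comes from the page; the base URL, token and the
sample response below are constructed for illustration.
"""
import json
from fnmatch import fnmatchcase
from urllib.request import Request, urlopen


def fetch_permissions(base_url: str, token: str) -> dict:
    """Call the endpoint with a Bearer token. Network call; not exercised offline."""
    req = Request(f"{base_url}/api/v1/auth/permissions",
                  headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class PermissionSet:
    """Answers "may the current user perform this action?" from the endpoint's response."""

    def __init__(self, payload: dict):
        self.patterns = list(payload.get("actions", []))
        self.is_owner = bool(payload.get("is_owner", False))

    def can(self, action: str) -> bool:
        if self.is_owner:
            return True  # owners bypass all checks, as in server-side evaluation
        # The list holds patterns, not only concrete actions: "visualizations:*"
        # must grant "visualizations:execute". fnmatch covers the documented shapes
        # ("service:*", "*:action", "*"); a plain `action in self.patterns` would not.
        return any(fnmatchcase(action, pattern) for pattern in self.patterns)

    def missing(self, required: list) -> list:
        """Actions from `required` the user cannot perform (useful when picking a managed policy)."""
        return [a for a in required if not self.can(a)]


# Constructed sample response with the shape documented above.
SAMPLE_RESPONSE = json.loads(
    '{"actions": ["users:list", "users:get", "visualizations:*"], "is_owner": false}'
)

if __name__ == "__main__":
    # Against a live server: perms = PermissionSet(fetch_permissions(BASE_URL, TOKEN))
    perms = PermissionSet(SAMPLE_RESPONSE)
    print(perms.can("visualizations:execute"))                     # True, via the wildcard
    print("visualizations:execute" in SAMPLE_RESPONSE["actions"])  # False: the naive check fails
    print(perms.missing(["users:list", "connections:sync", "visualizations:publish"]))  # ['connections:sync']
```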
Managing permissions programmatically rather than through the UI? See the Policies Reference for API details.