Understanding Permissions
Learn how user roles and resource access levels work together
Semaphor has two types of permissions that work together to control access.
User Roles (Platform-Wide Capabilities)
Your user role determines what you can do in Semaphor overall:
| Role | Who Has It | What They Can Do |
|---|---|---|
| VIEWER | Read-only users | View dashboards and use filters, but cannot create, edit, or share anything |
| POWER_USER | Tenant users | Create, edit, share, and delete dashboards within their tenant |
| AUTHOR | Organization users | Create, edit, and share dashboards across all tenants |
| ADMIN | Organization users | Full access to all features including user and group management |
Access Levels (When Sharing Dashboards)
When someone shares a dashboard with you, they assign an access level that controls what you can do with that specific dashboard:
| Access Level | What You Can Do |
|---|---|
| VIEWER | View and interact only |
| EDITOR | View and modify |
| CONTRIBUTOR | View, modify, and share with others |
| OWNER | Full control including delete |
How They Work Together
Permission Model
Your user role sets the maximum capabilities (the ceiling). Resource access levels grant permissions to specific dashboards, but can't exceed your role's ceiling.
Example 1 - Access grants permission:
- You have POWER_USER role (editing allowed)
- Someone shares their dashboard with you as EDITOR access
- ✅ You can edit this dashboard, even though you don't own it
Example 2 - Access restricts permission:
- You have POWER_USER role (editing allowed)
- Someone shares their dashboard with you as VIEWER access
- ❌ You can only view this dashboard, cannot edit it at all
This is useful when you want users to create their own dashboards, but restrict access to certain reference or sensitive dashboards to view-only.
Example 3 - Role blocks permission:
- You have VIEWER role (editing not allowed by your role)
- Someone shares a dashboard with you as EDITOR access
- ❌ You still can't edit because your role doesn't permit editing at all
Permission Matrix
What each user type can do:
| Action | Tenant VIEWER | Tenant POWER_USER | Org AUTHOR/ADMIN |
|---|---|---|---|
| View shared dashboards | ✓ | ✓ | ✓ |
| Create dashboards | ✗ | ✓ | ✓ |
| Edit owned dashboards | ✗ | ✓ | ✓ |
| Edit dashboards (with EDITOR+ access) | ✗ | ✓ | ✓ |
| Share dashboards (with CONTRIBUTOR+ access) | ✗ | ✓ | ✓ |
| Delete dashboards (with OWNER access) | ✗ | ✓ | ✓ |
| Manage groups | ✗ | ✗ | ✓ |
| Share across tenants | ✗ | ✗ | ✓ |
Common Scenarios
Self-Service Analytics in Your SaaS Product
Setup:
- Give end users POWER_USER role
- They create their own dashboards
- Share reference dashboards (like "Product Metrics") with them as VIEWER access
Result:
- Users can build custom dashboards for their analysis
- Reference dashboards remain read-only for consistency
- Self-service analytics without compromising data governance
Read-Only Partners or Stakeholders
Setup:
- External users get VIEWER role
- Share specific dashboards with VIEWER access
Result:
- Partners can view and interact with shared dashboards
- Cannot create or modify anything
- Complete data isolation between different partners
Managed Analytics Service
Setup:
- Organization users (your team) have AUTHOR/ADMIN roles
- Create dashboards for customers
- Share with tenant users as EDITOR or VIEWER
Result:
- Your team manages dashboard creation and curation
- Customers can view or edit based on their needs
- You maintain control over the analytics experience
Best Practices
Choosing User Roles
- Start with VIEWER for read-only users (external customers, stakeholders)
- Use POWER_USER for users who need to create content (analysts, power users)
- Reserve ADMIN for platform administrators
- AUTHOR is ideal for managed service teams creating dashboards for customers
Managing Access Levels
- Give users POWER_USER role for creation privileges, then use VIEWER access on specific dashboards to restrict editing
- Start with the least privilege (VIEWER access) and increase as needed
- Grant CONTRIBUTOR access to users who need to help manage sharing
- Reserve OWNER access for primary dashboard maintainers
- Regularly audit who has access to sensitive dashboards
Using Both Together
The power of Semaphor's permission system comes from combining roles and access levels:
- Role defines the ceiling of capabilities
- Access level grants specific permissions (up to the ceiling)
- Ownership automatically grants OWNER access to creators
This lets you:
- Enable self-service while protecting sensitive dashboards
- Grant temporary elevated access without changing roles
- Maintain security boundaries across tenants
Security Considerations
Data Isolation
- Tenant users can only access dashboards within their tenant
- Organization users can access dashboards across tenants (based on permissions)
- Group access respects tenant boundaries
- Resource-level permissions are enforced at the API level
Token-Based Access
Dashboard access can be further controlled via authentication tokens:
- Tokens can specify a fixed dashboard_id for limited access
- Connection-level security policies can be applied
- Row-level and column-level security can restrict data visibility
Security Best Practice
Always implement appropriate security policies in addition to sharing permissions. Combine dashboard-level sharing with connection-level, schema-level, or row-level security for comprehensive data protection.
Related Documentation
- Dashboard Management - Managing your dashboards
- Sharing Resources - Share with users and groups
- Security & Multi-Tenancy - Data isolation patterns