SecurityRoles & Permissions

Roles & Permissions

Datafly Signal uses role-based access control (RBAC) to govern what each user can view and modify within an organisation. Every Management API request is authorised against the authenticated user’s role.

Roles

There are four roles, ordered from most to least privileged:

Owner

The organisation owner has full access to all resources and settings. There is exactly one owner per organisation. The owner is the only role that can manage billing and delete the organisation.

Admin

Admins can manage all operational resources: sources, integrations, transformations, users, and the Org Data Layer. They can view audit logs. They cannot manage billing or delete the organisation.

Editor

Editors can create and modify sources, integrations, and transformations. They cannot manage users, view audit logs, or modify the Org Data Layer.

Viewer

Viewers have read-only access to all resources. They can view source configurations, integration settings, and transformation rules. They can also use the real-time event debugger to inspect live events. They cannot create, modify, or delete anything.

Permissions Matrix

ActionOwnerAdminEditorViewer
Sources
View sourcesYesYesYesYes
Create sourcesYesYesYes
Edit sourcesYesYesYes
Delete sourcesYesYes
Build/download collectorYesYesYes
Integrations
View integrationsYesYesYesYes
Create integrationsYesYesYes
Edit integrationsYesYesYes
Delete integrationsYesYes
Transformations
View transformationsYesYesYesYes
Create transformationsYesYesYes
Edit transformationsYesYesYes
Delete transformationsYesYesYes
Run dry-runYesYesYes
Data Layer
View Org Data LayerYesYesYesYes
Edit Org Data LayerYesYes
Users
View usersYesYes
Invite usersYesYes
Edit user rolesYesYes
Remove usersYesYes
Audit Logs
View audit logsYesYes
Debugging
Real-time event debuggerYesYesYesYes
Organisation
Manage billingYes
Delete organisationYes

How Authorisation Works

  1. The client sends a request with a JWT access token in the Authorization header.
  2. The Management API extracts the role claim from the JWT.
  3. The API checks the role against the required permission for the endpoint.
  4. If the role has sufficient permission, the request proceeds.
  5. If not, the API returns 403 Forbidden:
{
  "error": {
    "code": "FORBIDDEN",
    "message": "Your role (viewer) does not have permission to create sources."
  }
}

Role Assignment

  • The first user in an organisation is automatically assigned the owner role.
  • Admins and owners can invite new users and assign them any role up to their own level (an admin cannot create another owner).
  • Roles can be changed at any time by an admin or owner via the Users API.

Transferring Ownership

The owner role can only be transferred by the current owner:

  1. The current owner assigns the owner role to another user via PUT /v1/admin/users/{id}.
  2. The current owner’s role is automatically downgraded to admin.
⚠️

There must always be exactly one owner per organisation. If the owner account becomes inaccessible, contact Datafly support for assistance with ownership transfer.

Best Practices

  • Use the principle of least privilege. Assign users the minimum role needed for their responsibilities.
  • Use viewer accounts for stakeholders who need to see dashboards and live events but should not modify configuration.
  • Use editor accounts for developers who manage sources and integrations but should not control user access.
  • Reserve admin for team leads who need to manage users and review audit logs.
  • Limit owner to one trusted account — typically the primary technical contact or engineering lead.

All role changes are recorded in the audit log. Review the audit log periodically to ensure role assignments align with your access policies.

AuthenticationConsent Enforcement