Built-in Roles
Monte Carlo provides several built-in roles that cover most common access patterns. The comparison table below provides high-level information about each role to help select between them.
For detailed information on each role, including allowed and denied permissions, jump to the Roles Detail section below. You can also click the role name in the table to go directly to the role's details. We deny by default, so only the explicitly listed allowed permissions will be granted for a role.
Comparing Roles
The roles are ordered by least to most restrictive.
| Role | Description |
|---|---|
| Account Owner | Full access--able to do anything customers are allowed to do with their Monte Carlo account. Recommended for: Those responsible for configuring and managing all aspects of the Monte Carlo account (including integrations, billing, security, etc.). Restrictions: None. |
| Domains Manager | Allows access to all data + AI workflow features as well as managing personal API keys, data products, and domain-related settings such as domains, domain groups/users, ingestion, and notifications. Recommended for: Data/team/product leads who will assist in administration of domains and users. Restrictions: Cannot edit most account settings except for domain-related settings. No billing or secret value access. |
| Editor | Allows access to all data + AI workflow features, as well as managing personal API keys, their own data products, and ingestion and notifications settings. Recommended for: Data engineers that manage pipelines and data as a part of their job duties. Restrictions: Cannot edit most account settings except for ingestion and notifications settings. No billing or secret value access. |
| Monitor Editor | Allows access to most data + AI workflow features, as well as managing personal API keys, their own data products, and notifications settings. Recommended for: Those who will add metric and validation monitors to key tables and pipelines. Restrictions: Monitor-focused settings only—no catalog editing, account management, or billing/secret value access. |
| Responder | Allows read-only access to data + AI workflow features plus alert response actions. May also draft monitors. Recommended for: Those who triage and respond to alerts but will not manage Monte Carlo configuration/settings. Restrictions: Only able to respond to alerts. No changing account settings and no billing or secrets access. |
| Viewer | Allows read-only access to data + AI workflow features. May also draft monitors. Recommended for: Those who may benefit from understanding data + AI quality issues but who are not responsible for fixing them. Restrictions: Mostly read only. No changing account settings, no billing access, and no access to secret values. |
Roles Detail
In the Permission list for each role, only the permissions specifically allowed (✅) or denied (❌) for the role are listed.
If a permission is not listed, a user with only that role would be denied. Note that a user's
effective permissions are a combination of all the roles assigned to the authorization groups they are a member of.
You can hover over the ✅ or ❌ icon to see which policy statement allows or denies the permission. You can use the Definition tab to see the complete role definition with all of its policy statements.
Deprecated permissions are omitted from these lists.
Account Owner
Full access--able to do anything customers are allowed to do with their Monte Carlo account.
Restrictions: None.
Recommended for: Those responsible for configuring and managing all aspects of the Monte Carlo account (including integrations, billing, security, etc.).
Role name: mcd/owner
Built-in authorization group: Account Owners
| Permission | Description | |
|---|---|---|
| ✅ | Alerts → Access | Allow viewing alerts and their details. |
| ✅ | Alerts → Edit | Allow editing alerts, including merging, splitting, and updating properties. |
| ✅ | Alerts → Update Status | Allow updating alert status (e.g., acknowledging, resolving) and providing feedback on anomaly detections. |
| ✅ | Assets → Access | Allow viewing the assets catalog and asset metadata. |
| ✅ | Assets → Edit | Allow editing asset metadata in the catalog. |
| ✅ | Dashboard → Access | Allow viewing dashboards. |
| ✅ | Dashboard → Edit | Allow creating and editing all dashboards in the account. |
| ✅ | Dashboard → Edit Their Own | Allow creating and editing only dashboards the current user created. Those with dashboard/edit permission can also edit these dashboards. |
| ✅ | Data Exports → Access | Allow accessing and downloading data exports. |
| ✅ | Data Products → Access | Allow viewing data products. |
| ✅ | Data Products → Edit | Allow creating and editing all data products in the account. |
| ✅ | Data Products → Edit Their Own | Allow creating and editing only data products the current user created. Those with data-products/edit permission can also edit these data products. |
| ✅ | GraphQL → Mutate | Allow making modifications (executing mutations) via the GraphQL API. This is required for any writes. This is always asserted in addition to any more specific permissions. |
| ✅ | GraphQL → Query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
| ✅ | Lineage → Access | Allow viewing lineage graphs and their metadata. |
| ✅ | Lineage → Edit | Allow creating and editing lineage metadata (nodes, edges, etc.). |
| ✅ | Monitors → Access | Allow viewing monitors and their configurations. |
| ✅ | Monitors → Aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
| ✅ | Monitors → Draft | Allow creating and editing draft monitors before they are published. |
| ✅ | Monitors → Edit | Allow creating, updating, and deleting monitors. |
| ✅ | Monitors → Data Sampling → Access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
| ✅ | Monitors → Data Sampling → Download | Allow downloading sampled data from tables. |
| ✅ | Monitors → Exceptions → Access | Allow viewing monitor exception activity logs. |
| ✅ | Monitors → Exceptions → Edit | Allow editing monitor exceptions, including updating attributes and adding comments. |
| ✅ | Performance → Access | Allow accessing the performance dashboard and query analytics. |
| ✅ | Settings → Access | Top-level permission for viewing account settings. This is used where there is not a more specific permission for a given setting. |
| ✅ | Settings → Edit | Top-level permission for editing account settings. This is used where there is not a more specific permission for a given setting. |
| ✅ | Settings → List Iam Resources | Allow listing IAM resource and permission definitions. Required for managing users, authorization groups, or roles, since these operations need to display available permissions. |
| ✅ | Settings → Set Account Name | Allow changing the account display name. |
| ✅ | Settings → Agents → Access | Allow viewing agent details, logs, and reachability information. |
| ✅ | Settings → Agents → Edit | Allow creating, updating, deleting, and managing data collection agents. |
| ✅ | Settings → API → Access | Allow accessing API settings and the API explorer. |
| ✅ | Settings → API → Edit | Allow managing personal API tokens. |
| ✅ | Settings → API → Manage Tokens | Allow managing account-level service tokens and integration tokens. |
| ✅ | Settings → Authorization Groups → Access | Allow viewing authorization groups and their members. Also required for user management, since group membership is displayed when managing users. |
| ✅ | Settings → Authorization Groups → Edit | Allow creating, editing, and deleting authorization groups. |
| ✅ | Settings → Authorization Groups → Manage Domains Managers | Allow managing members of the built-in Domains Managers authorization group. |
| ✅ | Settings → Authorization Groups → Manage Owners | Allow managing members of the built-in Account Owners authorization group. |
| ✅ | Settings → Billing → Access | Allow viewing billing information and invoices. |
| ✅ | Settings → Billing → Edit | Allow modifying billing plan and contract settings. |
| ✅ | Settings → Domains → Access | Allow viewing domain settings. |
| ✅ | Settings → Domains → Edit | Allow creating, editing, and deleting domains and related settings. |
| ✅ | Settings → Domains → List | Allow listing available domains. |
| ✅ | Settings → Domains → View Detail | Allow viewing detailed domain information and their assets. |
| ✅ | Settings → Ingestion → Access | Allow viewing data ingestion settings and metrics. |
| ✅ | Settings → Ingestion → Edit | Allow editing data ingestion settings. |
| ✅ | Settings → Ingestion → Manage Collection | Allow managing data collection settings, including upgrades and collection preferences. |
| ✅ | Settings → Integrations → Access | Allow viewing integrations and their configurations. |
| ✅ | Settings → Integrations → Edit | Allow creating, editing, and deleting integrations. |
| ✅ | Settings → Network → Access | Allow viewing network access control settings. |
| ✅ | Settings → Network → Edit | Allow managing network access control settings. |
| ✅ | Settings → Notifications → Access | Allow viewing notification settings, audiences, and channels. |
| ✅ | Settings → Notifications → Edit | Allow creating, editing, and deleting notification settings, audiences, and channels. |
| ✅ | Settings → PII Filters → Edit | Allow creating, editing, and deleting PII filters. |
| ✅ | Settings → PII Filters → List | Allow listing PII filters. |
| ✅ | Settings → PII Filters → View Metrics | Allow viewing PII filter detection metrics. |
| ✅ | Settings → Roles → Access | Allow viewing account roles and their permission definitions. Also required for managing authorization groups, since role assignment requires listing available roles. |
| ✅ | Settings → Roles → Edit | Allow creating, editing, and deleting custom account roles. |
| ✅ | Settings → Secrets → Access | Allow viewing secrets (names/metadata only, not values). Use settings/secrets/view-values to view secret values. |
| ✅ | Settings → Secrets → Edit | Allow creating, editing, and deleting secrets. |
| ✅ | Settings → Secrets → View Values | Allow viewing secret values. This grants access to sensitive credential data. |
| ✅ | Settings → SSO → Access | Allow viewing SSO configuration settings. |
| ✅ | Settings → SSO → Edit | Allow configuring single sign-on (SSO) settings. |
| ✅ | Settings → User → Subscribe Weekly Digest | Allow subscribing to or unsubscribing from the weekly digest email notification. |
| ✅ | Settings → Users → Access | Allow viewing authentication and authorization settings. |
| ✅ | Settings → Users → Edit | Allow managing users, authorization groups, SSO, and authorization provisioning (SCIM) settings. |
| ✅ | Users → List | Allow listing users in the account for features like assignee selection and @mentions. |
If a permission is not listed here, it is denied for this role.
Domains Manager
Allows access to all data + AI workflow features as well as managing personal API keys, data products, and domain-related settings such as domains, domain groups/users, ingestion, and notifications.
Restrictions: Cannot edit most account settings except for domain-related settings. No billing or secret value access.
Recommended for: Data/team/product leads who will assist in administration of domains and users.
Role name: mcd/domains-manager
Built-in authorization group: Domains Managers (All)
| Permission | Description | |
|---|---|---|
| ✅ | Alerts → Access | Allow viewing alerts and their details. |
| ✅ | Alerts → Edit | Allow editing alerts, including merging, splitting, and updating properties. |
| ✅ | Alerts → Update Status | Allow updating alert status (e.g., acknowledging, resolving) and providing feedback on anomaly detections. |
| ✅ | Assets → Access | Allow viewing the assets catalog and asset metadata. |
| ✅ | Assets → Edit | Allow editing asset metadata in the catalog. |
| ✅ | Dashboard → Access | Allow viewing dashboards. |
| ✅ | Dashboard → Edit | Allow creating and editing all dashboards in the account. |
| ✅ | Dashboard → Edit Their Own | Allow creating and editing only dashboards the current user created. Those with dashboard/edit permission can also edit these dashboards. |
| ✅ | Data Exports → Access | Allow accessing and downloading data exports. |
| ✅ | Data Products → Access | Allow viewing data products. |
| ✅ | Data Products → Edit | Allow creating and editing all data products in the account. |
| ✅ | Data Products → Edit Their Own | Allow creating and editing only data products the current user created. Those with data-products/edit permission can also edit these data products. |
| ✅ | GraphQL → Mutate | Allow making modifications (executing mutations) via the GraphQL API. This is required for any writes. This is always asserted in addition to any more specific permissions. |
| ✅ | GraphQL → Query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
| ✅ | Lineage → Access | Allow viewing lineage graphs and their metadata. |
| ✅ | Lineage → Edit | Allow creating and editing lineage metadata (nodes, edges, etc.). |
| ✅ | Monitors → Access | Allow viewing monitors and their configurations. |
| ✅ | Monitors → Aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
| ✅ | Monitors → Draft | Allow creating and editing draft monitors before they are published. |
| ✅ | Monitors → Edit | Allow creating, updating, and deleting monitors. |
| ✅ | Monitors → Data Sampling → Access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
| ✅ | Monitors → Data Sampling → Download | Allow downloading sampled data from tables. |
| ✅ | Monitors → Exceptions → Access | Allow viewing monitor exception activity logs. |
| ✅ | Monitors → Exceptions → Edit | Allow editing monitor exceptions, including updating attributes and adding comments. |
| ✅ | Performance → Access | Allow accessing the performance dashboard and query analytics. |
| ✅ | Settings → Access | Top-level permission for viewing account settings. This is used where there is not a more specific permission for a given setting. |
| ✅ | Settings → Edit | Top-level permission for editing account settings. This is used where there is not a more specific permission for a given setting. |
| ✅ | Settings → List Iam Resources | Allow listing IAM resource and permission definitions. Required for managing users, authorization groups, or roles, since these operations need to display available permissions. |
| ✅ | Settings → Agents → Access | Allow viewing agent details, logs, and reachability information. |
| ✅ | Settings → API → Access | Allow accessing API settings and the API explorer. |
| ✅ | Settings → API → Edit | Allow managing personal API tokens. |
| ✅ | Settings → Authorization Groups → Access | Allow viewing authorization groups and their members. Also required for user management, since group membership is displayed when managing users. |
| ✅ | Settings → Authorization Groups → Edit | Allow creating, editing, and deleting authorization groups. |
| ✅ | Settings → Domains → Access | Allow viewing domain settings. |
| ✅ | Settings → Domains → Edit | Allow creating, editing, and deleting domains and related settings. |
| ✅ | Settings → Domains → List | Allow listing available domains. |
| ✅ | Settings → Domains → View Detail | Allow viewing detailed domain information and their assets. |
| ✅ | Settings → Ingestion → Access | Allow viewing data ingestion settings and metrics. |
| ✅ | Settings → Ingestion → Edit | Allow editing data ingestion settings. |
| ✅ | Settings → Integrations → Access | Allow viewing integrations and their configurations. |
| ✅ | Settings → Notifications → Access | Allow viewing notification settings, audiences, and channels. |
| ✅ | Settings → Notifications → Edit | Allow creating, editing, and deleting notification settings, audiences, and channels. |
| ✅ | Settings → PII Filters → Edit | Allow creating, editing, and deleting PII filters. |
| ✅ | Settings → PII Filters → List | Allow listing PII filters. |
| ✅ | Settings → PII Filters → View Metrics | Allow viewing PII filter detection metrics. |
| ✅ | Settings → Roles → Access | Allow viewing account roles and their permission definitions. Also required for managing authorization groups, since role assignment requires listing available roles. |
| ✅ | Settings → Secrets → Access | Allow viewing secrets (names/metadata only, not values). Use settings/secrets/view-values to view secret values. |
| ✅ | Settings → Secrets → Edit | Allow creating, editing, and deleting secrets. |
| ❌ | Settings → Secrets → View Values | Allow viewing secret values. This grants access to sensitive credential data. |
| ✅ | Settings → User → Subscribe Weekly Digest | Allow subscribing to or unsubscribing from the weekly digest email notification. |
| ✅ | Settings → Users → Access | Allow viewing authentication and authorization settings. |
| ✅ | Settings → Users → Edit | Allow managing users, authorization groups, SSO, and authorization provisioning (SCIM) settings. |
| ✅ | Users → List | Allow listing users in the account for features like assignee selection and @mentions. |
If a permission is not listed here, it is denied for this role.
Editor
Allows access to all data + AI workflow features, as well as managing personal API keys, their own data products, and ingestion and notifications settings.
Restrictions: Cannot edit most account settings except for ingestion and notifications settings. No billing or secret value access.
Recommended for: Data engineers that manage pipelines and data as a part of their job duties.
Role name: mcd/editor
Built-in authorization group: Editors (All)
| Permission | Description | |
|---|---|---|
| ✅ | Alerts → Access | Allow viewing alerts and their details. |
| ✅ | Alerts → Edit | Allow editing alerts, including merging, splitting, and updating properties. |
| ✅ | Alerts → Update Status | Allow updating alert status (e.g., acknowledging, resolving) and providing feedback on anomaly detections. |
| ✅ | Assets → Access | Allow viewing the assets catalog and asset metadata. |
| ✅ | Assets → Edit | Allow editing asset metadata in the catalog. |
| ✅ | Dashboard → Access | Allow viewing dashboards. |
| ✅ | Dashboard → Edit | Allow creating and editing all dashboards in the account. |
| ✅ | Dashboard → Edit Their Own | Allow creating and editing only dashboards the current user created. Those with dashboard/edit permission can also edit these dashboards. |
| ✅ | Data Exports → Access | Allow accessing and downloading data exports. |
| ✅ | Data Products → Access | Allow viewing data products. |
| ✅ | Data Products → Edit Their Own | Allow creating and editing only data products the current user created. Those with data-products/edit permission can also edit these data products. |
| ✅ | GraphQL → Mutate | Allow making modifications (executing mutations) via the GraphQL API. This is required for any writes. This is always asserted in addition to any more specific permissions. |
| ✅ | GraphQL → Query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
| ✅ | Lineage → Access | Allow viewing lineage graphs and their metadata. |
| ✅ | Lineage → Edit | Allow creating and editing lineage metadata (nodes, edges, etc.). |
| ✅ | Monitors → Access | Allow viewing monitors and their configurations. |
| ✅ | Monitors → Aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
| ✅ | Monitors → Draft | Allow creating and editing draft monitors before they are published. |
| ✅ | Monitors → Edit | Allow creating, updating, and deleting monitors. |
| ❌ | Monitors → Data Sampling → Access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
| ❌ | Monitors → Data Sampling → Download | Allow downloading sampled data from tables. |
| ✅ | Monitors → Exceptions → Access | Allow viewing monitor exception activity logs. |
| ✅ | Monitors → Exceptions → Edit | Allow editing monitor exceptions, including updating attributes and adding comments. |
| ✅ | Performance → Access | Allow accessing the performance dashboard and query analytics. |
| ✅ | Settings → Access | Top-level permission for viewing account settings. This is used where there is not a more specific permission for a given setting. |
| ✅ | Settings → Agents → Access | Allow viewing agent details, logs, and reachability information. |
| ✅ | Settings → API → Access | Allow accessing API settings and the API explorer. |
| ✅ | Settings → API → Edit | Allow managing personal API tokens. |
| ✅ | Settings → Domains → List | Allow listing available domains. |
| ✅ | Settings → Domains → View Detail | Allow viewing detailed domain information and their assets. |
| ✅ | Settings → Ingestion → Access | Allow viewing data ingestion settings and metrics. |
| ✅ | Settings → Ingestion → Edit | Allow editing data ingestion settings. |
| ✅ | Settings → Integrations → Access | Allow viewing integrations and their configurations. |
| ✅ | Settings → Notifications → Access | Allow viewing notification settings, audiences, and channels. |
| ✅ | Settings → Notifications → Edit | Allow creating, editing, and deleting notification settings, audiences, and channels. |
| ✅ | Settings → PII Filters → List | Allow listing PII filters. |
| ✅ | Settings → PII Filters → View Metrics | Allow viewing PII filter detection metrics. |
| ✅ | Settings → Secrets → Access | Allow viewing secrets (names/metadata only, not values). Use settings/secrets/view-values to view secret values. |
| ✅ | Settings → Secrets → Edit | Allow creating, editing, and deleting secrets. |
| ❌ | Settings → Secrets → View Values | Allow viewing secret values. This grants access to sensitive credential data. |
| ✅ | Settings → User → Subscribe Weekly Digest | Allow subscribing to or unsubscribing from the weekly digest email notification. |
| ✅ | Users → List | Allow listing users in the account for features like assignee selection and @mentions. |
If a permission is not listed here, it is denied for this role.
Monitor Editor
Allows access to most data + AI workflow features, as well as managing personal API keys, their own data products, and notifications settings.
Restrictions: Monitor-focused settings only—no catalog editing, account management, or billing/secret value access.
Recommended for: Those who will add metric and validation monitors to key tables and pipelines.
Role name: mcd/monitor-editor
Built-in authorization group: Monitor Editors (All)
| Permission | Description | |
|---|---|---|
| ✅ | Alerts → Access | Allow viewing alerts and their details. |
| ✅ | Alerts → Edit | Allow editing alerts, including merging, splitting, and updating properties. |
| ✅ | Alerts → Update Status | Allow updating alert status (e.g., acknowledging, resolving) and providing feedback on anomaly detections. |
| ✅ | Assets → Access | Allow viewing the assets catalog and asset metadata. |
| ✅ | Dashboard → Access | Allow viewing dashboards. |
| ✅ | Dashboard → Edit | Allow creating and editing all dashboards in the account. |
| ✅ | Dashboard → Edit Their Own | Allow creating and editing only dashboards the current user created. Those with dashboard/edit permission can also edit these dashboards. |
| ✅ | Data Exports → Access | Allow accessing and downloading data exports. |
| ✅ | Data Products → Access | Allow viewing data products. |
| ✅ | Data Products → Edit Their Own | Allow creating and editing only data products the current user created. Those with data-products/edit permission can also edit these data products. |
| ✅ | GraphQL → Mutate | Allow making modifications (executing mutations) via the GraphQL API. This is required for any writes. This is always asserted in addition to any more specific permissions. |
| ✅ | GraphQL → Query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
| ✅ | Lineage → Access | Allow viewing lineage graphs and their metadata. |
| ✅ | Lineage → Edit | Allow creating and editing lineage metadata (nodes, edges, etc.). |
| ✅ | Monitors → Access | Allow viewing monitors and their configurations. |
| ✅ | Monitors → Aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
| ✅ | Monitors → Draft | Allow creating and editing draft monitors before they are published. |
| ✅ | Monitors → Edit | Allow creating, updating, and deleting monitors. |
| ❌ | Monitors → Data Sampling → Access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
| ❌ | Monitors → Data Sampling → Download | Allow downloading sampled data from tables. |
| ✅ | Monitors → Exceptions → Access | Allow viewing monitor exception activity logs. |
| ✅ | Monitors → Exceptions → Edit | Allow editing monitor exceptions, including updating attributes and adding comments. |
| ✅ | Performance → Access | Allow accessing the performance dashboard and query analytics. |
| ✅ | Settings → Access | Top-level permission for viewing account settings. This is used where there is not a more specific permission for a given setting. |
| ✅ | Settings → Agents → Access | Allow viewing agent details, logs, and reachability information. |
| ✅ | Settings → API → Access | Allow accessing API settings and the API explorer. |
| ✅ | Settings → API → Edit | Allow managing personal API tokens. |
| ✅ | Settings → Domains → List | Allow listing available domains. |
| ✅ | Settings → Domains → View Detail | Allow viewing detailed domain information and their assets. |
| ✅ | Settings → Integrations → Access | Allow viewing integrations and their configurations. |
| ✅ | Settings → Notifications → Access | Allow viewing notification settings, audiences, and channels. |
| ✅ | Settings → Notifications → Edit | Allow creating, editing, and deleting notification settings, audiences, and channels. |
| ✅ | Settings → PII Filters → List | Allow listing PII filters. |
| ✅ | Settings → PII Filters → View Metrics | Allow viewing PII filter detection metrics. |
| ✅ | Settings → Secrets → Access | Allow viewing secrets (names/metadata only, not values). Use settings/secrets/view-values to view secret values. |
| ✅ | Settings → Secrets → Edit | Allow creating, editing, and deleting secrets. |
| ❌ | Settings → Secrets → View Values | Allow viewing secret values. This grants access to sensitive credential data. |
| ✅ | Settings → User → Subscribe Weekly Digest | Allow subscribing to or unsubscribing from the weekly digest email notification. |
| ✅ | Users → List | Allow listing users in the account for features like assignee selection and @mentions. |
If a permission is not listed here, it is denied for this role.
Responder
Allows read-only access to data + AI workflow features plus alert response actions. May also draft monitors.
Restrictions: Only able to respond to alerts. No changing account settings and no billing or secrets access.
Recommended for: Those who triage and respond to alerts but will not manage Monte Carlo configuration/settings.
Role name: mcd/responder
Built-in authorization group: Responders (All)
| Permission | Description | |
|---|---|---|
| ✅ | Alerts → Access | Allow viewing alerts and their details. |
| ✅ | Alerts → Edit | Allow editing alerts, including merging, splitting, and updating properties. |
| ✅ | Alerts → Update Status | Allow updating alert status (e.g., acknowledging, resolving) and providing feedback on anomaly detections. |
| ✅ | Assets → Access | Allow viewing the assets catalog and asset metadata. |
| ✅ | Dashboard → Access | Allow viewing dashboards. |
| ✅ | Data Exports → Access | Allow accessing and downloading data exports. |
| ✅ | Data Products → Access | Allow viewing data products. |
| ✅ | GraphQL → Mutate | Allow making modifications (executing mutations) via the GraphQL API. This is required for any writes. This is always asserted in addition to any more specific permissions. |
| ✅ | GraphQL → Query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
| ✅ | Lineage → Access | Allow viewing lineage graphs and their metadata. |
| ✅ | Monitors → Access | Allow viewing monitors and their configurations. |
| ✅ | Monitors → Aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
| ✅ | Monitors → Draft | Allow creating and editing draft monitors before they are published. |
| ✅ | Monitors → Data Sampling → Access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
| ✅ | Monitors → Data Sampling → Download | Allow downloading sampled data from tables. |
| ✅ | Monitors → Exceptions → Access | Allow viewing monitor exception activity logs. |
| ✅ | Monitors → Exceptions → Edit | Allow editing monitor exceptions, including updating attributes and adding comments. |
| ✅ | Performance → Access | Allow accessing the performance dashboard and query analytics. |
| ✅ | Settings → Domains → List | Allow listing available domains. |
| ✅ | Settings → Domains → View Detail | Allow viewing detailed domain information and their assets. |
| ✅ | Settings → Integrations → Access | Allow viewing integrations and their configurations. |
| ✅ | Settings → Notifications → Access | Allow viewing notification settings, audiences, and channels. |
| ✅ | Settings → PII Filters → View Metrics | Allow viewing PII filter detection metrics. |
| ✅ | Users → List | Allow listing users in the account for features like assignee selection and @mentions. |
If a permission is not listed here, it is denied for this role.
Viewer
Allows read-only access to data + AI workflow features. May also draft monitors.
Restrictions: Mostly read only. No changing account settings, no billing access, and no access to secret values.
Recommended for: Those who may benefit from understanding data + AI quality issues but who are not responsible for fixing them.
Role name: mcd/viewer
Built-in authorization group: Viewers (All)
| Permission | Description | |
|---|---|---|
| ✅ | Alerts → Access | Allow viewing alerts and their details. |
| ✅ | Assets → Access | Allow viewing the assets catalog and asset metadata. |
| ✅ | Dashboard → Access | Allow viewing dashboards. |
| ✅ | Data Exports → Access | Allow accessing and downloading data exports. |
| ✅ | Data Products → Access | Allow viewing data products. |
| ✅ | GraphQL → Query | Allow reading data (executing queries) via the GraphQL API. This is required for baseline read-only access to the system, and is always asserted in addition to any more specific permissions. |
| ✅ | Lineage → Access | Allow viewing lineage graphs and their metadata. |
| ✅ | Monitors → Access | Allow viewing monitors and their configurations. |
| ✅ | Monitors → Aggregates | Allow viewing monitor metrics and aggregate summaries without full monitor access. Used for dashboards and reporting. |
| ✅ | Monitors → Draft | Allow creating and editing draft monitors before they are published. |
| ✅ | Monitors → Data Sampling → Access | Allow accessing sampled data from tables. Required to view sample data in the UI. |
| ✅ | Monitors → Data Sampling → Download | Allow downloading sampled data from tables. |
| ✅ | Monitors → Exceptions → Access | Allow viewing monitor exception activity logs. |
| ✅ | Performance → Access | Allow accessing the performance dashboard and query analytics. |
| ✅ | Settings → Domains → List | Allow listing available domains. |
| ✅ | Settings → Domains → View Detail | Allow viewing detailed domain information and their assets. |
| ✅ | Settings → Integrations → Access | Allow viewing integrations and their configurations. |
| ✅ | Settings → Notifications → Access | Allow viewing notification settings, audiences, and channels. |
| ✅ | Settings → PII Filters → View Metrics | Allow viewing PII filter detection metrics. |
| ✅ | Settings → Secrets → Access | Allow viewing secrets (names/metadata only, not values). Use settings/secrets/view-values to view secret values. |
| ❌ | Settings → Secrets → View Values | Allow viewing secret values. This grants access to sensitive credential data. |
| ✅ | Settings → User → Subscribe Weekly Digest | Allow subscribing to or unsubscribing from the weekly digest email notification. |
| ✅ | Users → List | Allow listing users in the account for features like assignee selection and @mentions. |
If a permission is not listed here, it is denied for this role.
Updated about 4 hours ago