Role-Based Access Control (RBAC)

Zeotap uses role-based access control to manage who can access and modify resources within a workspace. The RBAC system provides three built-in roles plus custom workspace roles, 47 fine-grained permissions across 15 resource categories, and an additive permission model that makes it straightforward to reason about what any member can do.

How RBAC Works

Every workspace member is assigned exactly one role. That role determines which permissions the member has. Permissions are checked on every API request and UI action — if a member lacks the required permission, the action is denied.

Core Concepts

| Concept | Description |
| --- | --- |
| Role | A named set of permissions assigned to a member. Zeotap includes three built-in roles (Owner, Admin, Member) and supports custom roles with any combination of permissions. |
| Permission | A specific action on a specific resource type (e.g., sources.create, audiences.delete). |
| Group | A collection of members. Groups can be assigned a role and/or granted direct permissions, which are merged with each member’s own role permissions. Groups can also be used for access filter assignment. |
| Access Filter | A row-level filter assigned to a group. When active, it restricts which data rows a member can see. |

Additive Permission Model

Zeotap uses an additive permission model — permissions are granted, never denied. A member’s effective permissions come from the union of their direct role permissions, all group roles they belong to, and any direct permissions granted to those groups. There is no concept of “deny” rules or permission overrides.

This means:

  • If a role includes a permission, the member can perform that action
  • If a group the member belongs to has a role or direct permissions, those are added to the member’s effective permissions
  • There is no way to selectively deny a permission that a role or group grants

Permission Evaluation

When a member performs an action (via the UI or API), Zeotap:

  1. Identifies the member’s role
  2. Collects permissions from the member’s role
  3. Collects permissions from all groups the member belongs to (both group roles and direct group permissions)
  4. Unions all permissions together
  5. Checks if the required permission is present

This check happens in middleware on every API request, ensuring consistent enforcement regardless of how the action is initiated.
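
The evaluation steps above as an added example (not Zeotap's code): it computes a member's effective permissions as a union and reports which permissions arrive only through groups, which is what an access review needs when nothing can be denied. The data model, role names, and every permission string except sources.create and audiences.delete are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed data model for illustration; not Zeotap's schema.
@dataclass
class Group:
    name: str
    role: Optional[str] = None           # optional role assigned to the group
    direct: frozenset = frozenset()      # permissions granted directly to the group

@dataclass
class Member:
    name: str
    role: str                            # exactly one role per member
    groups: list = field(default_factory=list)

# Hypothetical custom roles; only sources.create and audiences.delete appear on the page.
ROLES = {
    "analyst": {"audiences.read", "audiences.create"},
    "infra": {"sources.create", "sources.delete"},
}

def effective_permissions(member, roles):
    """Steps 1-4: union of the member's role, group roles and direct group permissions."""
    perms = set(roles[member.role])
    for g in member.groups:
        if g.role is not None:
            perms |= roles[g.role]
        perms |= g.direct
    return perms

def is_allowed(member, required, roles):
    """Step 5: allow only if the required permission is present in the union."""
    return required in effective_permissions(member, roles)

def group_granted(member, roles):
    """Audit helper: permissions held only via groups, mapped to the granting groups."""
    own = roles[member.role]
    extra = {}
    for g in member.groups:
        granted = (roles[g.role] if g.role else set()) | g.direct
        for p in sorted(granted - own):
            extra.setdefault(p, []).append(g.name)
    return extra

# Constructed sample: an analyst who gains delete and source rights through two groups.
emea = Group("EMEA Team", direct=frozenset({"audiences.delete"}))
platform = Group("Platform", role="infra")
alice = Member("alice", "analyst", [emea, platform])
```

Because the model is additive, the only way to remove a permission reported by `group_granted` is to change the group's role or direct permissions, or to remove the member from that group.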

Built-in Roles

Zeotap provides three built-in roles that cover common organizational patterns:

| Role | Target Users | Summary |
| --- | --- | --- |
| Owner | Workspace creators, billing contacts | Full unrestricted access, including workspace deletion and ownership transfer |
| Admin | Team leads, senior operators | Full access to all resources and settings, except workspace deletion |
| Member | Analysts, marketers, individual contributors | Read/write access to operational resources; no access to infrastructure or governance settings |

See Roles for a detailed permission comparison.

In addition to these built-in roles, workspace admins can create custom roles with any subset of permissions. See Roles for details.

Permission Categories

Permissions are organized into 15 resource categories:

| Category | Permissions | Description |
| --- | --- | --- |
| Sources | 5 | Manage warehouse connections |
| Models | 4 | Manage SQL models |
| Destinations | 7 | Manage destination connections |
| Syncs | 5 | Manage data syncs |
| Audiences | 4 | Manage audience segments |
| Traits | 4 | Manage computed traits |
| Identity Graphs | 2 | Manage identity resolution |
| Journeys | 2 | Manage multi-step journeys |
| Events | 2 | Manage event ingestion |
| Loaders | 2 | Manage loaders |
| Govern | 2 | Manage filters, access filters, groups |
| Insights | 1 | View analytics dashboards |
| Settings | 2 | Manage workspace settings |
| Agent | 2 | Manage AI agent sessions |
| Roles | 2 | Manage custom role definitions |

Total: 47 permissions across 15 categories.

See Permissions for the complete reference table.

Groups

Groups organize members into logical teams. Groups serve two purposes:

  • Grant additional permissions — A group can be assigned a role or granted specific permissions directly. Members of the group inherit those permissions in addition to their own role’s permissions.
  • Control data visibility — Groups are the assignment target for access filters. When a group has access filters, its members’ queries are automatically filtered.

See Groups and Access Filters for details.

Quick Start

1. Understand the Default Roles

When a workspace is created, the creator is assigned the Owner role. New members invited to the workspace are assigned the role specified in the invitation.

2. Invite Members with Appropriate Roles

For most team members, start with the Member role. Promote to Admin when a member needs to manage infrastructure resources (sources, destinations) or governance settings.

3. Create Groups for Data Access

If different teams need to see different portions of data, create groups and assign access filters:

  1. Create a group (e.g., “EMEA Team”)
  2. Create an access filter (e.g., region = 'EMEA')
  3. Assign the access filter to the group
  4. Add members to the group

4. Set Up Destination Filters

If you need to control where data can flow, create destination filters to block, transform, or rate-limit syncs.

API Reference

# Members
GET    /api/v1/members
POST   /api/v1/members/invite
PUT    /api/v1/members/{id}
DELETE /api/v1/members/{id}
 
# Groups
GET    /api/v1/groups
POST   /api/v1/groups
PUT    /api/v1/groups/{id}
DELETE /api/v1/groups/{id}
 
# Group Membership
POST   /api/v1/groups/{id}/members
DELETE /api/v1/groups/{id}/members/{member_id}
 
# Custom Roles
GET    /api/v1/workspaces/{id}/roles
POST   /api/v1/workspaces/{id}/roles
PUT    /api/v1/workspaces/{id}/roles/{roleId}
DELETE /api/v1/workspaces/{id}/roles/{roleId}
 
# Group Permissions
GET    /api/v1/workspaces/{id}/groups/{groupId}/permissions
PUT    /api/v1/workspaces/{id}/groups/{groupId}/permissions

See the API Reference for full request/response schemas.

Pages in This Section

  • Roles — Built-in role definitions and permission comparison
  • Permissions — Complete permission reference (47 permissions, 15 categories)
  • Groups — Creating and managing groups
  • Managing Members — Inviting, modifying, and removing workspace members