Permissions Reference

Zeotap has 47 fine-grained permissions organized across 15 resource categories. This page provides the complete reference for every permission, what it controls, and which built-in roles include it.

Permission Format

Permissions follow the format {category}.{action}:

Category identifies the resource type (e.g., sources, audiences, governance)
Action identifies the operation (e.g., read, create, update, delete, manage)

Some categories use a single manage permission that covers create, update, and delete operations. This is used for categories where these operations are typically managed together (e.g., identity graphs, orchestrations).

Complete Permission Table

Warehouses

Permission	Description	Owner	Admin	Member
`sources.read`	View source configurations, connection status, and metadata	Yes	Yes	Yes
`sources.create`	Create new source connections to data warehouses	Yes	Yes	No
`sources.update`	Modify source settings, credentials, and configuration	Yes	Yes	No
`sources.delete`	Delete source connections (blocked if active models depend on it)	Yes	Yes	No
`sources.test`	Test source connections to verify credentials and connectivity	Yes	Yes	No

Models

Permission	Description	Owner	Admin	Member
`models.read`	View model definitions, SQL, configuration, and preview results	Yes	Yes	Yes
`models.create`	Create new SQL models against configured sources	Yes	Yes	Yes
`models.update`	Modify model SQL, column configuration, and settings	Yes	Yes	Yes
`models.delete`	Delete models (blocked if active syncs depend on it)	Yes	Yes	Yes

Destinations

Permission	Description	Owner	Admin	Member
`destinations.read`	View destination configurations, connection status, and metadata	Yes	Yes	Yes
`destinations.create`	Create new destination connections (CRM, ad platforms, etc.)	Yes	Yes	No
`destinations.update`	Modify destination settings, credentials, and field mappings	Yes	Yes	No
`destinations.delete`	Delete destination connections (blocked if active syncs depend on it)	Yes	Yes	No
`destinations.test`	Test destination connections to verify credentials and API access	Yes	Yes	No
`destinations.manage`	Full administrative control over destination connections	Yes	Yes	No
`destinations.configure_sync`	Configure destination-specific settings used by syncs (field mappings, object selection)	Yes	Yes	No

Syncs

Permission	Description	Owner	Admin	Member
`syncs.read`	View sync definitions, run history, and status	Yes	Yes	Yes
`syncs.create`	Create new syncs between models and destinations	Yes	Yes	Yes
`syncs.update`	Modify sync configuration, schedule, and field mappings	Yes	Yes	Yes
`syncs.delete`	Delete syncs and their run history	Yes	Yes	Yes
`syncs.trigger`	Manually trigger a sync run outside the regular schedule	Yes	Yes	Yes

Audiences

Permission	Description	Owner	Admin	Member
`audiences.read`	View audience definitions, filter conditions, and size estimates	Yes	Yes	Yes
`audiences.create`	Create new audiences	Yes	Yes	Yes
`audiences.update`	Modify audience filter conditions and settings	Yes	Yes	Yes
`audiences.delete`	Delete audiences	Yes	Yes	Yes

Computed Attributes

Permission	Description	Owner	Admin	Member
`traits.read`	View computed attribute definitions, SQL, and computed values	Yes	Yes	Yes
`traits.create`	Create new SQL, aggregation, or formula computed attributes	Yes	Yes	Yes
`traits.update`	Modify computed attribute definitions and configuration	Yes	Yes	Yes
`traits.delete`	Delete computed attribute definitions	Yes	Yes	Yes

Identity Graphs

Permission	Description	Owner	Admin	Member
`identity_graphs.read`	View identity graph configurations, profiles, and resolution results	Yes	Yes	Yes
`identity_graphs.manage`	Create, modify, delete, and run identity resolution graphs	Yes	Yes	No

Orchestrations

Permission	Description	Owner	Admin	Member
`journeys.read`	View orchestration definitions, tile configurations, and execution status	Yes	Yes	Yes
`journeys.manage`	Create, modify, delete, activate, and pause orchestrations	Yes	Yes	No

Events

Permission	Description	Owner	Admin	Member
`events.read`	View event configuration, event sources, contracts, and live event stream	Yes	Yes	Yes
`events.manage`	Create/revoke event sources, manage contracts, transformations, and forwarding rules	Yes	Yes	No

Loaders

Permission	Description	Owner	Admin	Member
`loaders.read`	View loader configurations, run history, and status	Yes	Yes	Yes
`loaders.manage`	Create, modify, delete, and manually trigger loaders	Yes	Yes	No

Governance

Permission	Description	Owner	Admin	Member
`governance.read`	View destination policies, access policies, groups, and RBAC configuration	Yes	Yes	Yes
`governance.manage`	Create/modify/delete destination policies, access policies, and groups	Yes	Yes	No

Insights

Permission	Description	Owner	Admin	Member
`insights.read`	View all insight dashboards, charts, and analytics	Yes	Yes	Yes

Settings

Permission	Description	Owner	Admin	Member
`settings.read`	View workspace settings, API keys, and configuration	Yes	Yes	Yes
`settings.manage`	Modify workspace settings, create/revoke API keys, manage members	Yes	Yes	No

Agent / AI

Permission	Description	Owner	Admin	Member
`agent.read`	View AI agent sessions, conversation history, and audit log	Yes	Yes	Yes
`agent.manage`	Create new agent sessions, configure agent policies, and manage guardrails	Yes	Yes	No

Roles

Permission	Description	Owner	Admin	Member
`roles.read`	View custom role definitions and their assigned permissions	Yes	Yes	Yes
`roles.write`	Create, modify, and delete custom roles	Yes	Yes	No

Summary by Role

Owner (47/47 permissions)

The Owner role has all 47 permissions, plus the exclusive ability to delete the workspace and transfer ownership.

Admin (47/47 permissions)

The Admin role has all 47 permissions. The only differences from Owner are at the workspace management level — Admins cannot delete the workspace or transfer ownership.

Member (24/47 permissions)

The Member role has 24 of 47 permissions, focused on operational resources:

Has access to:

All read permissions across every category (15 permissions)
Full CRUD on models (4 permissions)
Full CRUD on syncs, including trigger (5 permissions)
Full CRUD on audiences (4 permissions)
Full CRUD on computed attributes (4 permissions)

Does not have access to:

Source management (sources.create, sources.update, sources.delete, sources.test)
Destination management (destinations.create, destinations.update, destinations.delete, destinations.test, destinations.manage, destinations.configure_sync)
Identity graph management (identity_graphs.manage)
Orchestration management (journeys.manage)
Event management (events.manage)
Loader management (loaders.manage)
Governance management (governance.manage)
Settings management (settings.manage)
Agent management (agent.manage)
Role management (roles.write)

Permission Checking in the API

Permissions are checked on every API request via middleware. The HTTP response indicates permission issues:

HTTP Status	Meaning
`401 Unauthorized`	The request is not authenticated (missing or invalid token)
`403 Forbidden`	The authenticated user lacks the required permission

The 403 response includes a permission field indicating which permission was missing:


{
  "error": "forbidden",
  "message": "You do not have permission to perform this action",
  "required_permission": "sources.create"
}

Next Steps

View role definitions for a capability-focused comparison
Create groups for team-based data access
Define access policies for row-level access control