Roles
Zeotap includes three built-in roles and supports custom roles that workspace admins can create with any combination of permissions. Each member is assigned exactly one role, and that role determines their base permissions across all resource categories.
Role Summary
| Role | Description | Typical Users |
|---|---|---|
| Owner | Unrestricted access to everything, including workspace management | Workspace creator, billing contact, CTO/VP |
| Admin | Full operational access to all resources and settings | Team leads, senior data engineers, platform administrators |
| Member | Read/write access to operational resources, no infrastructure or governance access | Analysts, marketers, growth engineers, individual contributors |
In addition to these three built-in roles, workspace admins can create custom roles tailored to specific team needs. See Custom Roles below.
Permission Comparison
The following table shows which capabilities each role has. See Permissions for the detailed permission-level breakdown.
| Capability | Owner | Admin | Member |
|---|---|---|---|
| Warehouses | |||
| View warehouse configurations | Yes | Yes | Yes |
| Create new warehouses | Yes | Yes | No |
| Modify warehouse settings | Yes | Yes | No |
| Delete warehouses | Yes | Yes | No |
| Test warehouse connections | Yes | Yes | No |
| Models | |||
| View models and preview results | Yes | Yes | Yes |
| Create new models | Yes | Yes | Yes |
| Modify model SQL and configuration | Yes | Yes | Yes |
| Delete models | Yes | Yes | Yes |
| Destinations | |||
| View destination configurations | Yes | Yes | Yes |
| Create new destinations | Yes | Yes | No |
| Modify destination settings | Yes | Yes | No |
| Delete destinations | Yes | Yes | No |
| Test destination connections | Yes | Yes | No |
| Manage destination configuration for syncs | Yes | Yes | No |
| Syncs | |||
| View syncs and run history | Yes | Yes | Yes |
| Create new syncs | Yes | Yes | Yes |
| Modify sync configuration | Yes | Yes | Yes |
| Delete syncs | Yes | Yes | Yes |
| Manually trigger sync runs | Yes | Yes | Yes |
| Audiences | |||
| View audiences and estimates | Yes | Yes | Yes |
| Create audiences | Yes | Yes | Yes |
| Modify audience filters | Yes | Yes | Yes |
| Delete audiences | Yes | Yes | Yes |
| Traits | |||
| View trait definitions | Yes | Yes | Yes |
| Create traits | Yes | Yes | Yes |
| Modify traits | Yes | Yes | Yes |
| Delete traits | Yes | Yes | Yes |
| Identity Graphs | |||
| View identity graphs and profiles | Yes | Yes | Yes |
| Create, modify, delete, run identity graphs | Yes | Yes | No |
| Journeys | |||
| View journeys and execution status | Yes | Yes | Yes |
| Create, modify, delete, activate, pause journeys | Yes | Yes | No |
| Events | |||
| View event configuration and live stream | Yes | Yes | Yes |
| Manage write keys, contracts, transformations | Yes | Yes | No |
| Loaders | |||
| View loader configurations and runs | Yes | Yes | Yes |
| Create, modify, delete, trigger loaders | Yes | Yes | No |
| Govern | |||
| View filters, access filters, and RBAC configuration | Yes | Yes | Yes |
| Manage destination filters, access filters, groups | Yes | Yes | No |
| Roles | |||
| View custom role definitions | Yes | Yes | Yes |
| Create, modify, and delete custom roles | Yes | Yes | No |
| Insights | |||
| View all insight dashboards | Yes | Yes | Yes |
| Settings | |||
| View workspace settings | Yes | Yes | Yes |
| Modify workspace settings, manage members | Yes | Yes | No |
| Agent / AI | |||
| View agent sessions and audit log | Yes | Yes | Yes |
| Create sessions, manage agent policies | Yes | Yes | No |
| Workspace Management | |||
| Delete workspace | Yes | No | No |
| Transfer workspace ownership | Yes | No | No |
Owner
The Owner role provides unrestricted access to every feature in the workspace. This is the only role that can:
- Delete the workspace — Permanently remove the workspace and all its data
- Transfer ownership — Assign the Owner role to another member
- Manage billing — View and modify billing settings and payment methods
Every workspace must have at least one Owner. If you attempt to remove the last Owner, the action will be denied.
When to use: Assign the Owner role to the person or service account responsible for the workspace’s lifecycle and billing. In most organizations, this is the workspace creator or a platform engineering lead.
Admin
The Admin role provides full access to all resources and settings except workspace-level management (deletion, ownership transfer). Admins can:
- Create and manage all infrastructure resources (warehouses, destinations)
- Configure governance settings (destination filters, access filters, groups)
- Manage workspace members (invite, change roles, remove)
- Create, modify, and delete custom roles
- Access all data without access filter restrictions
- Manage events, loaders, journeys, and identity graphs
When to use: Assign the Admin role to team leads, senior data engineers, or anyone who needs to configure the platform infrastructure. Admins are trusted to manage the full platform without the risk of accidentally deleting the workspace.
Member
The Member role provides read/write access to the day-to-day operational resources that analysts and marketers use most often:
- Can do: Create and manage models, syncs, audiences, and traits. View all resources. Trigger sync runs. View custom role definitions.
- Cannot do: Create or modify warehouses, destinations, identity graphs, journeys, events, loaders, governance settings, workspace settings, or custom roles. Cannot manage members or groups.
Members can see all data in the workspace (subject to access filter restrictions from their group membership). They simply cannot modify the underlying infrastructure.
When to use: Assign the Member role to analysts, marketers, growth engineers, and anyone who consumes the platform’s capabilities without needing to configure its infrastructure.
Custom Roles
In addition to the three built-in roles, workspace admins can create custom roles tailored to specific team needs. Custom roles have any subset of the available permissions — you choose exactly what a custom role can and cannot do.
Common Custom Role Examples
| Custom Role | Typical Permissions | Use Case |
|---|---|---|
| Data Engineer | Sources (all), Models (all), Connections (all) | Team members who manage warehouse infrastructure but shouldn’t configure destinations or governance |
| Marketing Analyst | Models (read), Audiences (all), Traits (all), Syncs (read), Destinations (read) | Analysts who build segments but shouldn’t modify infrastructure |
| Sync Operator | Syncs (all), Destinations (read), Models (read), syncs.trigger | Operations team that monitors and triggers syncs without modifying configuration |
Creating a Custom Role
Via the UI
- Navigate to Settings > Roles
- Click Create Custom Role
- Enter a name and description for the role
- Select the permissions to include — permissions are grouped by category with checkboxes
- Click Save
Via the API
curl -X POST https://your-workspace.zeotap.dev/api/v1/workspaces/{workspace_id}/roles \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Data Engineer",
"description": "Manages warehouse infrastructure",
"permissions": ["sources.read", "sources.write", "models.read", "models.write", "connections.read", "connections.write"]
}'Editing a Custom Role
Changes to a custom role’s permissions take effect immediately for all members assigned to that role.
- Navigate to Settings > Roles
- Find the custom role in the permission matrix
- Toggle permissions on or off using the checkboxes
- Changes are saved automatically
Deleting a Custom Role
When you delete a custom role, all members assigned to it are automatically reassigned to the Member built-in role. Groups referencing the deleted role have their role assignment cleared.
- Navigate to Settings > Roles
- Click the delete button on the custom role column
- Confirm the deletion
Limitations
- Custom role names must be unique within the workspace
- Reserved names (
owner,admin,member) cannot be used for custom roles - Built-in roles cannot be modified or deleted
- Custom roles are workspace-scoped — they are not shared across workspaces
Changing a Member’s Role
Via the UI
- Navigate to Settings > Members
- Find the member in the list
- Click the role dropdown next to their name
- Select the new role
- Confirm the change
Via the API
curl -X PUT https://your-workspace.zeotap.dev/api/v1/workspaces/{workspace_id}/members/{member_id}/role \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"role_id": "00000000-0000-0000-0000-000000000002"
}'You can use the role ID of any built-in or custom role. Built-in role IDs are stable and listed in the API Reference.
Who Can Change Roles
- Owners can change any member’s role, including promoting to Owner or demoting from Admin
- Admins can change a Member’s role to Admin, or an Admin’s role to Member. Admins cannot promote themselves to Owner or demote Owners.
- Members cannot change roles
Safeguards
- There must always be at least one Owner. You cannot demote the last Owner.
- Changing a role takes effect immediately. The member’s permissions update on their next API request or page navigation.
- Role changes are logged in the workspace audit trail.
Access Filter Exemption
By default, members with the Owner or Admin role are exempt from access filter filtering. They can see all data regardless of their group membership.
This behavior can be changed in Settings > Govern > Access Filter Settings by disabling “Exempt admins from access filters.” When disabled, Owners and Admins are subject to access filter filtering like Members.
Next Steps
- View the complete permission reference
- Create groups for team-based data access management
- Manage workspace members