Roles & Permissions
Calabi uses a role-based access control (RBAC) model that governs which platform modules, features, and data each user can access. Roles are defined at the tenant level and can be customized to match your organization's data governance requirements.
Built-In Roles
Calabi ships with four pre-defined roles that cover the most common user archetypes. These roles cannot be deleted, but their permissions can be viewed (not modified) as a reference for creating custom roles.
| Role | Intended For | Default Module Access |
|---|---|---|
| Admin | Platform administrators | Full access to all modules, settings, and user management |
| Data Steward | Data governance owners | Calabi Catalogue (full), CalabiIQ (view + publish), Calabi Pipelines (view), AI Agent |
| Analyst | Business analysts, data consumers | CalabiIQ (view + create charts/dashboards), AI Agent, Calabi Catalogue (read-only) |
| Viewer | Stakeholders, executives | CalabiIQ (view dashboards only), AI Agent (read-only), Calabi Catalogue (read-only) |
Permission Matrix
The table below shows the access each built-in role has across all Calabi modules.
| Permission | Admin | Data Steward | Analyst | Viewer |
|---|---|---|---|---|
| Calabi Catalogue | | | | |
| Search and view assets | Yes | Yes | Yes | Yes |
| Edit asset descriptions and tags | Yes | Yes | No | No |
| Create / delete domains | Yes | Yes | No | No |
| Manage glossary | Yes | Yes | No | No |
| Configure data quality tests | Yes | Yes | No | No |
| View quality test results | Yes | Yes | Yes | Yes |
| Assign asset owners | Yes | Yes | No | No |
| CalabiIQ | | | | |
| View dashboards | Yes | Yes | Yes | Yes |
| Create and edit charts | Yes | No | Yes | No |
| Create and edit dashboards | Yes | No | Yes | No |
| Publish dashboards | Yes | Yes | Yes | No |
| Run SQL in SQL Lab | Yes | No | Yes | No |
| Manage datasets | Yes | No | Yes | No |
| Export data (CSV/Excel) | Yes | No | Yes | No |
| Manage database connections | Yes | No | No | No |
| AI Agent | | | | |
| Use AI Agent (chat) | Yes | Yes | Yes | Yes |
| Generate charts via Agent | Yes | Yes | Yes | No |
| Save Agent-generated charts | Yes | Yes | Yes | No |
| Download data via Agent | Yes | No | Yes | No |
| Calabi Pipelines | | | | |
| View DAGs and run history | Yes | Yes | No | No |
| Trigger DAG runs | Yes | No | No | No |
| Pause / unpause DAGs | Yes | No | No | No |
| Modify DAG configuration | Yes | No | No | No |
| View task logs | Yes | Yes | No | No |
| Calabi Connect | | | | |
| View connector status | Yes | Yes | No | No |
| Configure connectors | Yes | No | No | No |
| Trigger syncs | Yes | No | No | No |
| Calabi ML | | | | |
| View experiments and runs | Yes | No | Yes | No |
| Create experiments | Yes | No | Yes | No |
| Promote models to Production | Yes | No | No | No |
| Delete experiments | Yes | No | No | No |
| Calabi Automate | | | | |
| View workflows | Yes | Yes | No | No |
| Create and edit workflows | Yes | No | No | No |
| Activate / deactivate workflows | Yes | No | No | No |
| Manage credentials | Yes | No | No | No |
| Calabi AI Builder | | | | |
| View chatflows | Yes | No | No | No |
| Create and edit chatflows | Yes | No | No | No |
| Deploy chatflows (API/Slack) | Yes | No | No | No |
| Admin | | | | |
| Manage users | Yes | No | No | No |
| Manage roles | Yes | No | No | No |
| View audit logs | Yes | No | No | No |
| Configure SSO | Yes | No | No | No |
| Manage Helm configuration | Yes | No | No | No |
| View platform health | Yes | No | No | No |
Custom Roles
For organizations with more granular access requirements, you can define custom roles.
Creating a Custom Role
- Navigate to Admin → Roles → + New Role.
- Enter a Role Name (e.g., "Finance Analyst") and optional Description.
- Assign permissions from the tree selector. Permissions are organized by module.
- Click Save Role.
- Assign the role to users (see Role Assignment below).
Custom Role Examples
Finance Analyst — CalabiIQ access to finance dashboards only:
- CalabiIQ: View dashboards, Create charts, Run SQL
- CalabiIQ row-level security: department = 'Finance'
- Calabi Catalogue: Read-only
- AI Agent: Chat, Download data
- All other modules: No access
Pipeline On-Call — operations visibility without write access:
- Calabi Pipelines: View DAGs, View run history, View logs, Trigger runs
- Calabi Connect: View status
- Calabi Catalogue: Read-only
- CalabiIQ: View dashboards
- All write operations: No access
Role Assignment
Assigning a Role to a User
- Navigate to Admin → Users.
- Click the user's name or the Edit icon.
- Under Roles, click + Add Role.
- Select one or more roles from the dropdown.
- Click Save.
A user can hold multiple roles simultaneously. Their effective permissions are the union of all assigned roles.
Assigning Roles via SCIM
If you use SSO with SCIM provisioning (Okta, Azure AD), roles can be assigned automatically via group membership:
- Navigate to Admin → SSO → SCIM Configuration.
- Map each IdP group to a Calabi role:
```json
{
  "group_mappings": [
    { "idp_group": "Calabi-Admins", "calabi_role": "Admin" },
    { "idp_group": "Data-Stewards", "calabi_role": "Data Steward" },
    { "idp_group": "Analysts", "calabi_role": "Analyst" },
    { "idp_group": "All-Staff", "calabi_role": "Viewer" }
  ]
}
```
- When a user is added to or removed from an IdP group, their Calabi role is automatically updated on next login.
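Because effective permissions are the union of all assigned roles, a user who sits in several mapped IdP groups can end up with a combination that no single role grants. The following added example (not Calabi code) resolves groups through the mapping above and flags such combinations; the `SOD_CONFLICTS` policy and the function names are hypothetical, and only a few rows of the permission matrix are included.

```python
import json

# Group-to-role mapping exactly as in the SCIM configuration above.
SCIM_CONFIG = json.loads("""
{
  "group_mappings": [
    { "idp_group": "Calabi-Admins", "calabi_role": "Admin" },
    { "idp_group": "Data-Stewards", "calabi_role": "Data Steward" },
    { "idp_group": "Analysts", "calabi_role": "Analyst" },
    { "idp_group": "All-Staff", "calabi_role": "Viewer" }
  ]
}
""")

# A few rows of the built-in permission matrix on this page (not the full table).
ROLE_PERMISSIONS = {
    "Admin": {"View dashboards", "Edit asset descriptions and tags",
              "Export data (CSV/Excel)", "View task logs", "Manage users"},
    "Data Steward": {"View dashboards", "Edit asset descriptions and tags",
                     "View task logs"},
    "Analyst": {"View dashboards", "Export data (CSV/Excel)"},
    "Viewer": {"View dashboards"},
}

# Hypothetical separation-of-duties policy: combinations a reviewer wants flagged.
SOD_CONFLICTS = [{"Edit asset descriptions and tags", "Export data (CSV/Excel)"}]

def roles_for_groups(idp_groups):
    """Roles a user receives from IdP groups; unmapped groups grant nothing."""
    mapping = {m["idp_group"]: m["calabi_role"] for m in SCIM_CONFIG["group_mappings"]}
    return {mapping[g] for g in idp_groups if g in mapping}

def effective_permissions(roles):
    """Union of the permissions of every assigned role."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms

def sod_violations(idp_groups):
    """Conflicting combinations reached only through the union of several roles."""
    roles = roles_for_groups(idp_groups)
    perms = effective_permissions(roles)
    single = [ROLE_PERMISSIONS[r] for r in roles]
    return [c for c in SOD_CONFLICTS
            if c <= perms and not any(c <= p for p in single)]
```

Running `sod_violations` over each user's IdP group list during an access review surfaces accounts whose combined roles exceed what any one role was designed to allow.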
Data-Level Permissions (Row-Level Security in CalabiIQ)
Beyond module-level access, Calabi supports row-level security (RLS) in CalabiIQ, which restricts the data rows a user can see within a chart or SQL query based on their attributes.
Configuring Row-Level Security
- Navigate to CalabiIQ → Security → Row Level Security.
- Click + Add Rule.
- Configure:
  - Name: A descriptive label (e.g., "Region filter by user attribute")
  - Filter Type: Regular (applied to a specific role) or Base (applied to all users)
  - Roles: Select which Calabi role this rule applies to
  - Tables: Select the CalabiIQ datasets the rule applies to
  - Clause: A SQL WHERE clause fragment, e.g.:

    ```sql
    region = '{{ current_username() }}'
    ```

    or using a custom attribute:

    ```sql
    department_code IN (
      SELECT department_code FROM user_departments WHERE username = '{{ current_username() }}'
    )
    ```
RLS Examples
| Use Case | Clause |
|---|---|
| Users see only their own region's data | region = (SELECT region FROM user_profile WHERE username = '{{ current_username() }}') |
| Finance users see only Finance rows | cost_center LIKE 'FIN%' (applied to the Finance Analyst role only) |
| Managers see their own team's records | manager_id = (SELECT user_id FROM users WHERE username = '{{ current_username() }}') |
| Everyone sees aggregate data; only Admins see PII | Apply a PII masking rule to Analyst and Viewer roles |
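To check what a rule actually exposes before rolling it out, the clause can be exercised against a small test database. This added example (not Calabi code) runs the `department_code IN (...)` clause from the configuration steps above in SQLite; the `expenses` table, the sample users, and the way the rule is ANDed onto the chart filter are assumptions, and the `{{ current_username() }}` macro is emulated with a bound parameter.

```python
import sqlite3

# The custom-attribute clause from this page; the {{ current_username() }} macro is
# emulated with a bound parameter, since the page does not show how it is rendered.
RLS_CLAUSE = """department_code IN (
    SELECT department_code FROM user_departments WHERE username = :username
)"""

def build_db():
    """Constructed sample data; the expenses table is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE expenses (id INTEGER, department_code TEXT, amount REAL);
        CREATE TABLE user_departments (username TEXT, department_code TEXT);
        INSERT INTO expenses VALUES
            (1, 'FIN', 100), (2, 'FIN', 250), (3, 'ENG', 900), (4, 'HR', 40);
        INSERT INTO user_departments VALUES
            ('dana', 'FIN'), ('lee', 'ENG'), ('lee', 'HR');
    """)
    return db

def visible_ids(db, username, chart_filter="1 = 1"):
    """Rows a user sees once the rule is ANDed onto the chart's own filter.

    Both fragments are parenthesised so an OR inside either one cannot widen
    the result beyond what the rule allows. chart_filter is a trusted test
    fragment here; only the username is bound as a parameter.
    """
    sql = (f"SELECT id FROM expenses "
           f"WHERE ({chart_filter}) AND ({RLS_CLAUSE}) ORDER BY id")
    return [row[0] for row in db.execute(sql, {"username": username})]
```

A user with no row in `user_departments` matches nothing, so this clause fails closed for unmapped accounts.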
Module Access by Tier
Calabi's module availability varies by subscription tier. Even if a user has the Admin role, they cannot access modules not included in their tenant's tier.
| Module | Starter | Professional | Enterprise |
|---|---|---|---|
| CalabiIQ | Yes | Yes | Yes |
| Calabi Catalogue | Yes | Yes | Yes |
| AI Agent | Yes | Yes | Yes |
| Calabi Connect | Limited | Yes | Yes |
| Calabi Pipelines | No | Yes | Yes |
| Calabi Transform | No | Yes | Yes |
| Calabi Automate | No | Yes | Yes |
| Calabi ML | No | No | Yes |
| Calabi AI Builder | No | No | Yes |
| Multi-tenancy | No | No | Yes |
Audit Logging for Permission Changes
All role assignments and permission changes are recorded in the Calabi audit log:
- Event: role.assigned, role.removed, role.created, role.deleted, permission.changed
- Actor: The admin user who made the change
- Timestamp: UTC timestamp
- Target: The affected user or role
Access audit logs at Admin → Audit Logs or via the platform monitoring dashboards (see Platform Monitoring).
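The event types above lend themselves to simple detection rules. This added example (not Calabi code) scans exported audit events for self-assignment, Admin grants, and privileged roles that are granted and removed within an hour; the JSON-lines layout, the `role` field, and the one-hour threshold are assumptions, since the page names only Event, Actor, Timestamp and Target.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events. The JSON layout and the "role" field are assumptions.
SAMPLE_LOG = """\
{"event": "role.assigned", "actor": "alice", "timestamp": "2024-05-01T09:00:00Z", "target": "bob", "role": "Analyst"}
{"event": "role.assigned", "actor": "carol", "timestamp": "2024-05-01T22:14:00Z", "target": "carol", "role": "Admin"}
{"event": "role.assigned", "actor": "alice", "timestamp": "2024-05-02T10:00:00Z", "target": "dave", "role": "Admin"}
{"event": "role.removed", "actor": "alice", "timestamp": "2024-05-02T10:20:00Z", "target": "dave", "role": "Admin"}
{"event": "permission.changed", "actor": "alice", "timestamp": "2024-05-03T11:00:00Z", "target": "Finance Analyst"}
"""

PRIVILEGED_ROLES = {"Admin"}
SHORT_LIVED = timedelta(hours=1)  # hypothetical threshold for a grant/revoke pair

def parse(log_text):
    """Parse JSON-lines audit events and order them by UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def findings(events):
    """Return (rule, target, role) tuples for events worth a reviewer's attention."""
    out = []
    open_grants = {}  # (target, role) -> time of the privileged grant
    for e in events:
        key = (e["target"], e.get("role"))
        if e["event"] == "role.assigned":
            if e["actor"] == e["target"]:
                out.append(("self_assignment", e["target"], e.get("role")))
            if e.get("role") in PRIVILEGED_ROLES:
                out.append(("privileged_grant", e["target"], e["role"]))
                open_grants[key] = e["ts"]
        elif e["event"] == "role.removed" and key in open_grants:
            if e["ts"] - open_grants.pop(key) <= SHORT_LIVED:
                out.append(("short_lived_privilege", e["target"], e["role"]))
    return out
```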
Related Pages
- Single Sign-On — SAML and SCIM integration for automated role provisioning
- Multi-Tenancy — How tenant isolation interacts with the RBAC model
- Platform Monitoring — Audit log access and user activity tracking