Role-based access control (RBAC) is a method of restricting access to internal company resources and managing permissions within each resource area. It is based on user roles that are assigned to every user in your account. RBAC ensures that users can only access the resources and have only the minimal permissions that they need to do their job. Also, RBAC prevents users from accessing resources that don’t pertain to them.
In our RBAC models, we provide a set of user roles to grant or deny access to different Fivetran resources within the Fivetran account:
The user roles also manage permissions for related areas of each resource, like Usage and Billing for the Account resource or Logs and Transformations for the Destinations resource.
Legacy and new RBAC model
We support two RBAC models. Our new RBAC model, in comparison to the legacy RBAC model, provides more granular user role permission management. A user role now encompasses permissions across all types of Fivetran resources: accounts, destinations, and connectors.
TIP: In our new RBAC model, if you want a user to have access to all destinations, set the Account role based on the permissions you want that user to have. If you want a user to have access to a specific destination and its connectors, we recommend setting a destination-level role for that destination.
Compare the new and legacy RBAC model user roles in the following table:
| New RBAC Model User Role | Legacy RBAC Model User Role | Description |
|---|---|---|
| Account Administrator | Owner | View and change account information, including billing, users, roles, API access, and security settings. Create, manage, and delete destinations and connectors. Manage transformations and logs. |
| Account Billing | Billing | View and manage account’s billing information. Cannot access destinations or connectors. |
| Account Analyst | N/A | View the list of destinations and users in the account. View destinations and manage transformations. Create, manage, and delete connectors. Cannot change account information. Cannot manage or delete destinations. |
| Account Reviewer | Read Only | View account information, destinations, and connectors. Cannot change account information. Cannot create, manage, or delete destinations or connectors. |
| Destination Creator | N/A | Create new destinations. Cannot view, delete, or manage existing destinations. Cannot access connectors or account information. |
| Destination Administrator | Administrator | View, manage, and delete destinations. Create, manage, and delete connectors. Manage transformations and logs. Cannot access account information. |
| Destination Analyst | Analyst | View destinations. Create, manage, and delete connectors. Manage transformations. Cannot access account information. |
| Destination Reviewer | Read Only | View the destinations that you are invited to and their associated connectors. Cannot create, delete, or manage destinations or connectors. Cannot access account information. |
NOTE: API access is available only to the Account Administrator or Owner user roles in Standard, Enterprise, and Business Critical accounts. You can also try it out during your Trial period.
We are gradually migrating our customers to the new model. Your user experience may vary depending on your migration status. Accounts created after November 15, 2021 use the new model. We will support the legacy RBAC model until February 15, 2022.
In both the legacy and the new RBAC model, we provide a set of standard user roles that have preset and fixed access scope and one or several permissions.
We also support custom user roles where you can modify both the access scope and resource area permissions.
NOTE: In our legacy RBAC model, you can only create custom destination roles.
New RBAC permissions
The following table describes the permissions we use in our new RBAC model:
|View||Allows user to view the relevant resource areas. Applicable for:
|Create||Allows users to create and then view and manage only those objects of the relevant resource areas they created. Applicable for:
|Edit||Allows user to edit and view objects of the relevant resource areas. Applicable for:
|Manage||Allows user to create, edit, remove, and view objects of the relevant resource areas. Applicable for:
|None||Disables user’s access to objects in the relevant resource area. Applicable for:
The following tables show the list of permissions used for each resource area.
|Settings||Edit, View, None|
|Billing||Edit, View, None|
|Roles||Manage, View, None|
|Destinations||Manage, Create, Edit, View|
You can grant the user role access to either All, Selected connector types, or None. For connectors, you can select one of the following permissions: Manage, Create, Edit, View.
IMPORTANT: You must be logged in as an Account Administrator or use a custom role with the Roles:Manage permission to create a custom user role.
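The permission semantics and per-area tables above, modelled as a small deny-by-default check. This is an added example, not Fivetran code: the function names, the dictionary layout and the sample role are assumptions, and connector-type scoping (All, Selected, None) is left out.

```python
# Added illustration; not Fivetran code. All names here are hypothetical.
ACTIONS = {"view", "edit", "create", "remove"}

# Actions granted by each permission, following the permissions table.
GRANTS = {
    "View": {"view"},
    "Edit": {"view", "edit"},
    "Manage": {"view", "edit", "create", "remove"},
    "Create": {"create"},  # own objects are handled separately in is_allowed()
    "None": set(),
}

# Permissions offered per resource area, copied from the tables above.
AREA_PERMISSIONS = {
    "Settings": {"Edit", "View", "None"},
    "Billing": {"Edit", "View", "None"},
    "Roles": {"Manage", "View", "None"},
    "Destinations": {"Manage", "Create", "Edit", "View"},
    "Connectors": {"Manage", "Create", "Edit", "View"},
}

def validate_role(role):
    """Return a list of problems in a role definition (empty list = consistent)."""
    errors = []
    for area, perm in role.items():
        allowed = AREA_PERMISSIONS.get(area)
        if allowed is None:
            errors.append("unknown resource area: %s" % area)
        elif perm not in allowed:
            errors.append("%s: %s is not offered for this area" % (area, perm))
    return errors

def is_allowed(role, area, action, user=None, owner=None):
    """Decide one request. Assumption: an area missing from the role means None."""
    if action not in ACTIONS:
        return False
    perm = role.get(area, "None")
    if perm == "Create":
        # Create covers creating, then view/manage of objects the user created.
        return action == "create" or (user is not None and user == owner)
    return action in GRANTS.get(perm, set())

def can_create_custom_role(role):
    """Custom roles require Roles:Manage (or the Account Administrator role)."""
    return role.get("Roles") == "Manage"

# Constructed sample role: builds connectors, reads destinations, no billing.
BUILDER = {"Settings": "None", "Billing": "None", "Roles": "View",
           "Destinations": "View", "Connectors": "Create"}
```

The case worth reviewing in any custom role is Create: it grants nothing on objects other users created, so a Create-only user cannot even view a colleague's connector.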
Legacy RBAC permissions
In our legacy RBAC model, we support the following permissions for standard roles.
|Role||Manage Destinations||Manage Security||Manage Users||View Account||View Usage||View Billing||Manage Billing|
Account permissions grant access to the following actions:
- Manage Destinations - create and remove destinations
- Manage Security - change account authentication configuration (accessible in the Settings tab)
- Manage Users - invite users to your account or remove them
- View Account - view the list of destinations and users for your account
- View Usage - view the credit consumption and MAR (monthly active rows) for all connectors and destinations in your account
- View Billing - view your account’s billing details (such as credit cards or invoices)
- Manage Billing - add a credit card or change your billing plan
|Role||Manage Destinations||Manage Log||Manage Members||Manage Connectors||Manage Transformations||Upload||View Destination|
Destination permissions grant access to the following actions:
- Manage Destination - edit destination connection
- Manage Log - set up/edit log service connection
- Manage Members - invite users to the destination or remove them
- Manage Connectors - set up, edit, and remove connectors
- Manage Transformations - set up, edit, and remove transformations
- Upload - upload files. See the Browser Upload section for details.
  NOTE: The Upload permission is only valid for accounts created before April 9, 2021.
- View Destination - view all destination information (connectors, users, and config)
IMPORTANT: You must be logged in as an Owner to create a custom user role.