Skip to main content
Docs
Feature Requests Onboarding Trust Center Status Page

Community

Other: Support for Multiple Account-Level Roles and Default Role Handling

Answered
Mohsen Bazghaleh Admin account User

Current Limitation:
There are two related constraints in the current Fivetran Authorization model regarding Account-Level roles:

  1. Single Role Limit: Fivetran supports only one account-level role per user. If an Identity Provider (like Entra ID) attempts to send multiple roles, the provisioning fails or becomes unpredictable.
  2. Rejection of Default Role: Fivetran rejects the default "User" role sent by Entra ID when no specific role is assigned or when the SingleAppRoleAssignment expression defaults. This causes provisioning failures because Fivetran does not recognize "User" as a valid account-level role.

Business Impact:
Users often require cross-functional permissions (e.g., a user needing both "Account Billing" and "Account Analyst" capabilities). The current "one role per user" limit restricts this flexibility. Furthermore, the rejection of the default "User" role causes unnecessary sync failures, requiring complex expression handling in the IDP to ensure a specific role is always present.

Please sign in to leave a comment.

Comments

2 comments

Date Votes
  • Official comment
    Pieter Humphrey Fivetranner

    Hi Mohsen,

    This feature—support for multiple account-level roles per user and default role handling—is not currently on the Fivetran roadmap. Feedback and upvotes on requests help us gauge overall demand; each upvote strengthens the case for prioritizing its development.

    Regarding the rejection of the default role, I don't see a way forward there since we cannot make assumptions for you about a given SCIM user's role for security reasons. Open to ideas.

    What you can do in the meantime:
    1.  Layer destination- or connection-level roles on top of the lone account role.  For example, an Account Reviewer can still be given Manage Destination for “Snowflake-Prod” or Manage Connection for a particular Salesforce connector.  These lower-scope roles are unlimited in number and can be granted directly or via Teams.
    2.  Put the user in multiple Teams.  Each team carries its own account/destination/connection role and those permissions union with the user’s personal account role.
    Why it works this way:
    •  The RBAC schema stores one resource_memberships row per user+resource+role.  For the Account resource that row must be unique, so only one role fits.  
    •  SCIM provisioning is likewise limited to the roles[] array on the User object and accepts one account role string (destination/connection scope isn’t supported).  
    •  The dashboard only renders a single “Account Role” select menu; choosing another value simply replaces the existing one. So, if a colleague needs privileges that no single account role provides, combine a minimal account role (often Account Reviewer) with one or more destination/connection roles or add them to an appropriately-scoped Team.

    Thanks,
    Pieter

  • Amanda Wong User

    Hi Mohsen,

    Thank you for reaching out. We're discussing these constraints and potential improvements with the team and will provide an update as soon as possible.

    Thanks,
    Amanda