
Permissions Reference

SignalSmith has 42 fine-grained permissions organized across 14 resource categories. This page provides the complete reference for every permission, what it controls, and which built-in roles include it.

Permission Format

Permissions follow the format {category}.{action}:

  • Category identifies the resource type (e.g., sources, audiences, governance)
  • Action identifies the operation (e.g., read, create, update, delete, manage)

Some categories use a single manage permission that covers create, update, and delete operations. This is used for categories where these operations are typically managed together (e.g., identity graphs, journeys).

Complete Permission Table

Warehouses

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| sources.read | View source configurations, connection status, and metadata | Yes | Yes | Yes |
| sources.create | Create new source connections to data warehouses | Yes | Yes | No |
| sources.update | Modify source settings, credentials, and configuration | Yes | Yes | No |
| sources.delete | Delete source connections (blocked if active models depend on it) | Yes | Yes | No |
| sources.test | Test source connections to verify credentials and connectivity | Yes | Yes | No |

Models

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| models.read | View model definitions, SQL, configuration, and preview results | Yes | Yes | Yes |
| models.create | Create new SQL models against configured sources | Yes | Yes | Yes |
| models.update | Modify model SQL, column configuration, and settings | Yes | Yes | Yes |
| models.delete | Delete models (blocked if active syncs depend on it) | Yes | Yes | Yes |

Destinations

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| destinations.read | View destination configurations, connection status, and metadata | Yes | Yes | Yes |
| destinations.create | Create new destination connections (CRM, ad platforms, etc.) | Yes | Yes | No |
| destinations.update | Modify destination settings, credentials, and field mappings | Yes | Yes | No |
| destinations.delete | Delete destination connections (blocked if active syncs depend on it) | Yes | Yes | No |
| destinations.test | Test destination connections to verify credentials and API access | Yes | Yes | No |

Syncs

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| syncs.read | View sync definitions, run history, and status | Yes | Yes | Yes |
| syncs.create | Create new syncs between models and destinations | Yes | Yes | Yes |
| syncs.update | Modify sync configuration, schedule, and field mappings | Yes | Yes | Yes |
| syncs.delete | Delete syncs and their run history | Yes | Yes | Yes |
| syncs.trigger | Manually trigger a sync run outside the regular schedule | Yes | Yes | Yes |

Audiences

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| audiences.read | View audience definitions, filter conditions, and size estimates | Yes | Yes | Yes |
| audiences.create | Create new audience segments | Yes | Yes | Yes |
| audiences.update | Modify audience filter conditions and settings | Yes | Yes | Yes |
| audiences.delete | Delete audience segments | Yes | Yes | Yes |

Traits

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| traits.read | View trait definitions, SQL, and computed values | Yes | Yes | Yes |
| traits.create | Create new SQL traits, aggregation traits, or formula traits | Yes | Yes | Yes |
| traits.update | Modify trait definitions and configuration | Yes | Yes | Yes |
| traits.delete | Delete trait definitions | Yes | Yes | Yes |

Identity Graphs

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| identity_graphs.read | View identity graph configurations, profiles, and resolution results | Yes | Yes | Yes |
| identity_graphs.manage | Create, modify, delete, and run identity resolution graphs | Yes | Yes | No |

Journeys

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| journeys.read | View journey definitions, tile configurations, and execution status | Yes | Yes | Yes |
| journeys.manage | Create, modify, delete, activate, and pause journeys | Yes | Yes | No |

Events

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| events.read | View event configuration, write keys, contracts, and live event stream | Yes | Yes | Yes |
| events.manage | Create/revoke write keys, manage contracts, transformations, and forwarding rules | Yes | Yes | No |

Loaders

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| loaders.read | View loader configurations, run history, and status | Yes | Yes | Yes |
| loaders.manage | Create, modify, delete, and manually trigger loaders | Yes | Yes | No |

Governance

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| governance.read | View destination filters, access filters, groups, and RBAC configuration | Yes | Yes | Yes |
| governance.manage | Create/modify/delete destination filters, access filters, and groups | Yes | Yes | No |

Insights

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| insights.read | View all insight dashboards, charts, and analytics | Yes | Yes | Yes |

Settings

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| settings.read | View workspace settings, API keys, and configuration | Yes | Yes | Yes |
| settings.manage | Modify workspace settings, create/revoke API keys, manage members | Yes | Yes | No |

Agent / AI

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| agent.read | View AI agent sessions, conversation history, and audit log | Yes | Yes | Yes |
| agent.manage | Create new agent sessions, configure agent policies, and manage guardrails | Yes | Yes | No |

Summary by Role

Owner (42/42 permissions)

The Owner role has all 42 permissions, plus the exclusive ability to delete the workspace and transfer ownership.

Admin (42/42 permissions)

The Admin role has all 42 permissions. The only differences from Owner are at the workspace management level — Admins cannot delete the workspace or transfer ownership.

Member (22/42 permissions)

The Member role has 22 of 42 permissions, focused on operational resources:

Has access to:

  • All read permissions across every category (14 permissions)
  • Full CRUD on models (4 permissions)
  • Full CRUD on syncs, including trigger (5 permissions minus infrastructure operations)
  • Full CRUD on audiences (4 permissions)
  • Full CRUD on traits (4 permissions)
  • Create, update, delete, trigger syncs (4 permissions)

Does not have access to:

  • Source management (sources.create, sources.update, sources.delete, sources.test)
  • Destination management (destinations.create, destinations.update, destinations.delete, destinations.test)
  • Identity graph management (identity_graphs.manage)
  • Journey management (journeys.manage)
  • Event management (events.manage)
  • Loader management (loaders.manage)
  • Governance management (governance.manage)
  • Settings management (settings.manage)
  • Agent management (agent.manage)

Permission Checking in the API

Permissions are checked on every API request via middleware. The HTTP status code distinguishes authentication failures from permission failures:

| HTTP Status | Meaning |
|---|---|
| 401 Unauthorized | The request is not authenticated (missing or invalid token) |
| 403 Forbidden | The authenticated user lacks the required permission |

The 403 response includes a required_permission field indicating which permission was missing:

{
  "error": "forbidden",
  "message": "You do not have permission to perform this action",
  "required_permission": "sources.create"
}
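
The sketch below is an added example, not SignalSmith's own middleware. It shows how a check of this shape can resolve the {category}.{action} name (including the single manage permission), separate 401 from 403, and fail closed on undefined permissions. The function names, the `user` dictionary and the 401 body are assumptions; the role grants are transcribed from the tables above.

```python
# Added example, not SignalSmith code. All names here are hypothetical.
CRUD = ("read", "create", "update", "delete")
MANAGE_ONLY = ("identity_graphs", "journeys", "events", "loaders",
               "governance", "settings", "agent")
# Category -> actions, transcribed from the permission tables on this page.
ACTIONS = {
    "sources": CRUD + ("test",), "destinations": CRUD + ("test",),
    "syncs": CRUD + ("trigger",), "models": CRUD, "audiences": CRUD,
    "traits": CRUD, "insights": ("read",),
    **{c: ("read", "manage") for c in MANAGE_ONLY},
}
ALL_PERMISSIONS = {f"{c}.{a}" for c, acts in ACTIONS.items() for a in acts}

# Member per the tables: every read, plus all actions on four categories.
MEMBER = {p for p in ALL_PERMISSIONS if p.endswith(".read")
          or p.split(".")[0] in ("models", "syncs", "audiences", "traits")}
ROLES = {"owner": ALL_PERMISSIONS, "admin": ALL_PERMISSIONS, "member": MEMBER}


def required_permission(category, operation):
    """Map an operation to its {category}.{action} permission name."""
    if category in MANAGE_ONLY and operation in ("create", "update", "delete"):
        operation = "manage"  # one permission covers all three operations
    return f"{category}.{operation}"


def authorize(user, category, operation):
    """Return (http_status, body); `user` is None when the token was
    missing or invalid."""
    if user is None:
        # Constructed 401 body; the page documents only the 403 body.
        return 401, {"error": "unauthorized"}
    needed = required_permission(category, operation)
    granted = ROLES.get(user.get("role"), set())  # unknown role: no grants
    # Fail closed: a permission that is not defined is never granted.
    if needed not in ALL_PERMISSIONS or needed not in granted:
        return 403, {
            "error": "forbidden",
            "message": "You do not have permission to perform this action",
            "required_permission": needed,
        }
    return 200, {}
```
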

Next Steps