Roles

SignalSmith includes three built-in roles that define what actions a workspace member can perform. Each member is assigned exactly one role, and that role determines their permissions across all resource categories.

Role Summary

Permission Comparison

The following table shows which capabilities each role has. See Permissions for the detailed permission-level breakdown.

Owner

The Owner role provides unrestricted access to every feature in the workspace. This is the only role that can:

• Delete the workspace — Permanently remove the workspace and all its data
• Transfer ownership — Assign the Owner role to another member
• Manage billing — View and modify billing settings and payment methods

Every workspace must have at least one Owner. If you attempt to remove the last Owner, the action will be denied.

When to use: Assign the Owner role to the person or service account responsible for the workspace’s lifecycle and billing. In most organizations, this is the workspace creator or a platform engineering lead.

Admin

The Admin role provides full access to all resources and settings except workspace-level management (deletion, ownership transfer). Admins can:

• Create and manage all infrastructure resources (warehouses, destinations)
• Configure governance settings (destination filters, access filters, groups)
• Manage workspace members (invite, change roles, remove)
• Access all data without access filter restrictions
• Manage events, loaders, journeys, and identity graphs

When to use: Assign the Admin role to team leads, senior data engineers, or anyone who needs to configure the platform infrastructure. Admins are trusted to manage the full platform without the risk of accidentally deleting the workspace.

Member

The Member role provides read/write access to the day-to-day operational resources that analysts and marketers use most often:

• Can do: Create and manage models, syncs, audiences, and traits. View all resources. Trigger sync runs.
• Cannot do: Create or modify warehouses, destinations, identity graphs, journeys, events, loaders, governance settings, or workspace settings. Cannot manage members or groups.

Members can see all data in the workspace (subject to access filter restrictions from their group membership). They simply cannot modify the underlying infrastructure.

When to use: Assign the Member role to analysts, marketers, growth engineers, and anyone who consumes the platform’s capabilities without needing to configure its infrastructure.

Changing a Member’s Role

Via the UI

1. Navigate to Settings > Members
2. Find the member in the list
3. Click the role dropdown next to their name
4. Select the new role
5. Confirm the change

Via the API

curl -X PUT https://your-workspace.signalsmith.dev/api/v1/members/{member_id} \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "admin"
  }'

Who Can Change Roles

• Owners can change any member’s role, including promoting to Owner or demoting from Admin
• Admins can change a Member’s role to Admin, or an Admin’s role to Member. Admins cannot promote themselves to Owner or demote Owners.
• Members cannot change roles

Safeguards

• There must always be at least one Owner. You cannot demote the last Owner.
• Changing a role takes effect immediately. The member’s permissions update on their next API request or page navigation.
• Role changes are logged in the workspace audit trail.

Access Filter Exemption

By default, members with the Owner or Admin role are exempt from access filter filtering. They can see all data regardless of their group membership.

This behavior can be changed in Settings > Govern > Access Filter Settings by disabling “Exempt admins from access filters.” When disabled, Owners and Admins are subject to access filter filtering like Members.

Next Steps

• View the complete permission reference
• Create groups for team-based data access management
• Manage workspace members