Role-Based Access Control
Overview
Role-based access control (RBAC) is a method of restricting access to internal company resources and managing permissions within each resource area. It is based on user roles that are assigned to every user in your account. RBAC ensures that users can only access the resources and have only the minimal permissions that they need to do their job. Also, RBAC prevents users from accessing resources that don't pertain to them.
In our RBAC model, we provide a set of standard and custom roles to grant or deny access to different Fivetran resources within the Fivetran account:
The user roles also manage permissions for related areas of each resource, like Usage and Billing for the Account resource, or Logs and Transformations for the Destinations resource.
Standard roles in our RBAC model
Our RBAC model enables you to manage access to Fivetran resources in a granular and hierarchical way. There are the following resource types in Fivetran listed in descending hierarchical order:
- Account
- Destination
- Connectors
For example, an account-level role (depending on its permissions) can view or manage connectors within the account, but a connector-level role can't access or manage account-related entities.
TIP: If you want a user to have access to all destinations, set the account-level role based on the permissions you want that user to have. If you want a user to have access to a specific destination and its connectors, we recommend setting a destination-level role for that destination.
See our Role Permission Matrix Tables documentation to learn more about the permissions of each standard role available in our role-based access model.
The following table lists the user roles in our RBAC model:
| Current RBAC Model User Role | Legacy RBAC Model User Role | Description |
|---|---|---|
| Account Administrator | Owner | View and edit account information, including billing, usage, users, roles, API access, and security settings. Create, view, edit, and delete destinations and connectors. Create, view, edit, and delete transformations and logs. Register HVR hub system. |
| Account Billing | Billing | View billing and usage information. Cannot edit security settings, users, roles, destinations, and connectors. |
| Account Analyst | N/A | View the list of destinations and users in the account. View destinations and view, create, edit and delete transformations. Create, view, edit, and delete connectors. Cannot edit account information. Cannot create, edit, or delete destinations. |
| Account Reviewer | Read Only | View account information, destinations, and connectors. Cannot edit account information. Cannot create, edit, or delete destinations and connectors. |
| Destination Creator | N/A | Create new destinations. Cannot view, edit, or delete existing destinations. Cannot create, view, edit, or delete connectors. Cannot edit account information. Destination Creators are Destination Administrators in destinations they created. |
| Destination Administrator | Administrator | View, edit, and delete destinations. Create, view, edit, and delete connectors. Create, view, edit, and delete transformations and logs. Cannot edit account information. |
| Destination Analyst | Analyst | View destinations. Create, view, edit, and delete connectors. Create, view, edit, and delete transformations. Cannot edit account information. |
| Destination Reviewer | Read Only | View the destinations that you are invited to and their associated connectors. Cannot create, edit, or delete destinations or connectors. Cannot edit account information. |
| - | Read Only | View account information and the list of destinations. Cannot edit account information. Cannot create, edit, or delete destinations and connectors. |
| Connector Creator | N/A | Create, view, edit, and delete connectors. View destinations in which this role is assigned. Cannot create, edit, or delete destinations. Cannot edit account information. Connector Creators are Connector Administrators for connectors they created. |
| Connector Administrator* | N/A | View, edit, and delete connectors. Cannot create new connectors. Cannot create, view, edit, and delete destinations. Cannot edit account information. |
| Connector Collaborator* | N/A | View and edit connectors assigned to the role. Cannot create or delete connectors. Cannot view, create, edit, and delete destinations. Cannot edit account information. |
| Connector Reviewer* | N/A | View connectors assigned to the role. Cannot create, edit, or delete connectors. Cannot create, view, edit, or delete destinations. Cannot edit account information. |
| <Inherited> | N/A | For roles in the destination or for the connector, this role inherits all the permissions of the role in the account. |
*NOTE: These roles are only available on the Enterprise or Business Critical plan.
NOTE: The API access is available only for the Account Administrator role in the Free, Standard, Enterprise, and Business Critical accounts. You can also try it out during your Trial period.
NOTE: You can only use account-level roles with Fivetran SCIM user provisioning. Destination-level or connector-level roles are not supported in the Fivetran SCIM API.
RBAC model benefits
The following team structure is typical for enterprise customers' organizations:
- A core data team manages a central destination within the organization's Fivetran account
- One or more teams manage centralized destinations, such as Snowflake, and are responsible for the data that lands in the destinations
- One or several project or operational teams need to manage their specific data sources
Organizational team structures like this and today's fast-paced business environment raise the following concerns about organizational resource access control and management:
- The ever-changing needs and urgent nature of business projects assume immediate access to data both in the source and the destination. Any time spent waiting for the core data team to grant the required roles and permissions to project, operational, or data teams may prevent you from accomplishing a critical project or task on time
- The number of requests the data team receives in larger organizations to assign roles and permissions granting access to Fivetran resources within the organization's account may become overwhelming very quickly, as well as the time it takes to assign the roles and permissions manually on a per-user basis
- The ability to set access and management permissions on a very granular level becomes critical to comply with strict yet dynamic enterprise governance policies
The solution we provide with our RBAC model introduces the following entities and features:
- Teams let you scale managing roles and permissions across large numbers of employees easily, while not affecting individual employee's role and permissions
- Delegating permissions from the user and team roles in the account to the team and user roles in destinations to the team and user roles for connectors along with the ability to create and assign multiple custom roles provide a flexible and powerful means of access management in a very granular way.
- The Destination Creator and Connector Creator roles automatically make you and your team members the Destination or Connector Administrator of the destinations or connectors you or your team created. This access automation lets you eliminate any waiting time for the approval by the central data team and independently manage access permissions for the resource right after its creation.
Our RBAC model works as follows:
- Account administrators manage the entire account. They add Destination Administrators and assign them existing destinations or give them permissions to create a destination.
- Destination Administrators create and manage destinations they have access to. They add teams that need to sync data to the destination.
- Each team has a team manager who adds users to the team as team members, or remove them from the team.
- Team roles in account, destinations, and connectors allow delegating permissions in the corresponding resources in the same way as user roles do. This means that teams also don't have to rely on Destination Administrators or Account Administrators to manage memberships. In turn, Destination Administrators don't have to rely on Account Administrators to create destinations or add teams.
How we recommend using our RBAC model
Account Permissions
- Get a list of users who need access to the entire account.
- Set up a team and add these users to the team.
- Set the team's role to Account Administrators.
NOTE: We recommend having at least two Account Administrators at all times. A single Account Administrator may be locked out due to a potential security breach, or be unavailable when, for example, a role needs to be assigned or unassigned.
Destination Permissions
- Get a list of users who need to set up their own destinations.
- Map the list of destinations to the list of users who need to manage it.
- Create a team per destination or a set of destinations.
- Assign the team to each of those destinations.
NOTE: We recommend having at least two Destination Administrators at all times. A single Destination Administrator may be locked out due to a potential security breach, or be unavailable when, for example, a destination needs to be edited or deleted).
Connector Permissions
- Get a list of connectors syncing data to Fivetran.
- Get a list of teams who own those connectors and map them out.
- Get a list of managers for those teams.
- Set up teams and associate connector level permissions.
NOTE: We recommend having one team as a Connector Administrator per connector. If a user from another team needs to be added, the individual user can be added to the specific connector needed.
Custom roles in our RBAC model
We provide a set of standard user roles that have preset and fixed access scope and one or several permissions.
We also support custom user roles where you can modify both the access scope and resource area permissions.
IMPORTANT: You must have an Enterprise or Business Critical plan to create and manage custom user roles.
RBAC permissions
The following table describes the permissions we use in our RBAC model:
| Permission | Description |
|---|---|
| View | Allows user to view the relevant resource areas. Applicable for:
|
| Create | Allows users to create and then view and manage only those objects of the relevant resource areas they created. Applicable for:
|
| Edit | Allows user to edit and view objects of the relevant resource areas. Applicable for:
|
| Manage | Allows user to view, create, edit, and delete objects of the relevant resource areas. Applicable for:
|
| None | Disables user's access to objects in the relevant resource area. Applicable for:
|
The following tables show the list of permissions used for each resource area.
Account permissions
| Resource area | Permissions |
|---|---|
| Settings | Edit, View, None |
| Billing | Edit, View, None |
| Roles | Manage, View, None |
| Users | Manage, None |
Destination permissions
| Resource area | Permissions |
|---|---|
| Destinations | Manage, Create, Edit, View |
| Users | Manage, None |
| Logs | Manage, None |
| Transformations | Manage, View, None |
Connector permissions
You can grant the user role access to either All, Selected connector types, or None.
For connectors, you can select one of the following permissions:
- Manage
- Create
- Edit
- View
IMPORTANT: You must be logged in as an Account Administrator or use a custom role with the Roles:Manage permission to create a custom user role.
Teams
Teams let you split the account into independent parts that reflect your organization structure (including external contractors). Teams allow to easily manage permissions for many users across the destinations within the account and connectors within the destinations.
Account Administrators and Team Managers can add users to one or multiple teams. Each team has a standard or custom role in the account and one or several destinations as well as for each connector in the destinations. For each team member, the team role extends the account permissions and group/destination permissions, including the connector permissions that the team member is assigned as an account user. For example, if your role in the destination has the View permissions for all connectors, and your team role has the Manage permission for all connector, then you can manage all connectors in the destination.
A team can be assigned permissions to create a destination. A team becomes the Destination Administrator of the created destination. A team can manage, including assigning roles to users and teams, destinations and connectors where the team is Destination Administrator or Connector Administrator, respectively.
IMPORTANT: We recommend using teams when you want to ensure that only the relevant users or groups of users have access to the relevant destinations, connectors or account settings. We recommend using organizations when you need to use separate security settings - SAML or SCIM.
IMPORTANT: You must be logged in as an Account Administrator or use a custom role with the Roles:Manage permission to create a custom user role. Therefore, you must have an Enterprise or Business Critical plan to create and manage teams.