Role-Based Access Control (RBAC)

Align your team structure with your data governance strategy.

When you have multiple projects and environments, it’s important to manage who has access to which projects and environments and what permissions they have, in support of your data governance approach.

With RBAC, you can assign a role to each user.

Additionally, you can restrict non-Admin users’ access to a subset of form submissions, projects, and environments (Admin users always have access to all environments and form submissions).

Roles

Admins have the ability to administer HIPAA Allowlists when HIPAA mode is enabled.

Only users in the Admin role can perform the following operations:

  • Administer Users: Invite, delete, set role, and set project and environment access.

  • Administer Projects and Environments: Create or delete either projects or environments.

  • Administer Form Submission Permissions: Manage which teammates can view submissions for specific forms.

  • Administer Freshpaint Tag Manager code snippets.

Non-admin roles can perform the following operations:

  • Data Manager: Members can view and manage web analytics, view EHR analytics, selectively view form submissions, edit forms, modify allowlists, view PHI, access web tracker monitoring, and configure destinations, events, and transformations. Cannot manage other users.

  • General User: Members can view and manage web analytics, view EHR analytics, selectively view form submissions, view PHI, access web tracker monitoring, and configure destinations, events, and transformations. Cannot manage other users, edit forms, or modify allowlists.

  • Event Manager: Members can view and manage web analytics, view EHR analytics, selectively view form submissions, modify allowlists, access web tracker monitoring, and configure destinations, events, and transformations. Cannot manage other users, edit forms, or view PHI.

  • Data Viewer: Members can view web analytics, view EHR analytics, and selectively view form submissions. Cannot manage other users, modify allowlists, view PHI, edit forms, access web tracker monitoring, or configure destinations, events, or transformations.

The Data Manager and Event Manager roles are exclusive to our Enterprise Plus and Elite customers. To learn more or upgrade your plan, please reach out to our sales team at sales@freshpaint.io.
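The role list above is not a strict ladder: General User can view PHI but cannot modify allowlists, and Event Manager is the reverse. The following Python sketch is an added example, not Freshpaint code or a Freshpaint API. It picks the least-privileged role for a set of needed capabilities and audits a constructed roster for over-grants. The capability labels and roster are made up for illustration, and it assumes Admin also holds every non-Admin capability.

```python
# Added example. Capability labels are made up for this sketch (not Freshpaint
# identifiers); the role contents are transcribed from the role list above.
BASE = {"view_web_analytics", "view_ehr_analytics", "view_selected_form_submissions"}
OPERATE = {"manage_web_analytics", "web_tracker_monitoring",
           "configure_destinations_events_transformations"}
ROLES = {
    "Data Viewer": BASE,
    "General User": BASE | OPERATE | {"view_phi"},
    "Event Manager": BASE | OPERATE | {"modify_allowlists"},
    "Data Manager": BASE | OPERATE | {"view_phi", "modify_allowlists", "edit_forms"},
}
ADMIN_ONLY = {"administer_users", "administer_projects_environments",
              "administer_form_submission_permissions",
              "administer_tag_manager_snippets", "administer_hipaa_allowlists"}


def least_privileged_roles(needed):
    """Roles that cover `needed` while granting the fewest capabilities beyond it."""
    needed = set(needed)
    unknown = needed - ADMIN_ONLY - set().union(*ROLES.values())
    if unknown:
        raise ValueError(f"unknown capability labels: {sorted(unknown)}")
    if needed & ADMIN_ONLY:
        # Assumption: Admin also holds every non-Admin capability.
        return ["Admin"]
    extra = {role: len(caps - needed) for role, caps in ROLES.items() if needed <= caps}
    fewest = min(extra.values())
    return sorted(role for role, n in extra.items() if n == fewest)


def audit(roster):
    """Return (user, current role, suggested roles, unneeded capabilities) per over-grant."""
    findings = []
    for user, role, needed in roster:
        suggested = least_privileged_roles(needed)
        if role not in suggested:
            # Admin's full capability set is not enumerated here, so report "all".
            unneeded = sorted(ROLES[role] - set(needed)) if role in ROLES else ["all"]
            findings.append((user, role, suggested, unneeded))
    return findings


# Constructed roster: (user, assigned role, capabilities the job actually needs).
ROSTER = [
    ("ana", "Admin", {"view_web_analytics"}),            # Admin for a read-only job
    ("raj", "Data Manager", {"modify_allowlists"}),      # holds view_phi needlessly
    ("kim", "General User", {"view_phi", "manage_web_analytics"}),
    ("lee", "Admin", {"administer_users"}),
]

if __name__ == "__main__":
    for finding in audit(ROSTER):
        print(finding)
```

On the constructed roster, the audit flags ana (Data Viewer is enough) and raj (Event Manager covers allowlist changes without PHI access).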

Access to Projects and Environments

The Teams page has a dropdown for role selection, and when you click on a non-Admin user, you’ll see a selectable list of projects and environments they can access. For example, a user can be given access to the Staging environment, but not Production.

When inviting a user to the account, you'll likewise be able to choose their role and, for a non-Admin user, the projects and environments they can access.

When the RBAC feature is first turned on, all of your users will start out in the Admin role. You can then set each user’s role and access as appropriate.

On the Projects page, when creating a new environment as part of a new or existing project, that environment will start with all users having access. To restrict access to the newly-created environment, visit the Teams page to specify access for each user.

Access to Form Submissions

Forms are currently in beta.

Admins can view all submissions for all forms. All other roles need an admin to grant permission to view the submissions for a given form.
