Role-Based Access Control (RBAC)

Align your team structure with your data governance strategy.

When you have multiple projects and environments, it’s important to manage who has access to which projects and environments and what permissions they have, in support of your data governance approach.

Once your account has been enabled for RBAC, you can assign each user one of two roles: Admin or non-Admin.

Additionally, you can restrict non-Admin users’ access to a subset of projects and environments (Admin users always have access to all environments).


Only users in the Admin role can perform the following operations:

  • Administer Users: Invite, Delete, Set Role.

  • Administer Projects and Environments: Create or Delete either Projects or Environments.

  • Administer HIPAA Allowlists (when HIPAA mode is enabled).

  • Administer Freshpaint Tag Manager code snippets.

Access to Projects and Environments

The Teams page has a checkbox for the “Admin” role, and when you click on a non-Admin user, you’ll see a selectable list of projects and environments they can access. In the example below, this user has access to the Staging environment, but not Production:

When inviting a user to the account, you'll likewise be able to choose their role and, for a non-Admin user, the projects and environments they can access:

When the RBAC feature is first turned on, all of your users will start out in the Admin role. You can then set each user’s role and access as appropriate.

On the Projects page, when creating a new environment as part of a new or existing project, that environment will start with all users having access. To restrict access to the newly-created environment, visit the Teams page to specify access for each user.
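
The two defaults above (every user starts as Admin when RBAC is turned on, and every user gets access to a newly created environment) are worth reviewing against the access you intend. The following is an added example, not Freshpaint code and not based on any Freshpaint API: a small Python model of those defaults that audits a roster transcribed by hand from the Teams page. The user, project and environment names and the roster structure are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    admin: bool
    # (project, environment) pairs selected on the Teams page; irrelevant for Admins
    grants: set = field(default_factory=set)

def enable_rbac(emails):
    """Default from the page: when RBAC is first turned on, every user is an Admin."""
    return {e: User(e, admin=True) for e in emails}

def create_environment(users, all_envs, env):
    """Default from the page: a new environment starts with all users having access."""
    all_envs.add(env)
    for u in users.values():
        u.grants.add(env)

def effective_access(user, all_envs):
    """Admins always reach every environment; non-Admins only their selected subset."""
    return set(all_envs) if user.admin else user.grants & set(all_envs)

def audit(users, all_envs, intended_admins, intended_grants):
    """Return (email, finding) pairs where actual access exceeds the intended policy."""
    findings = []
    for u in users.values():
        if u.admin:
            if u.email not in intended_admins:
                findings.append((u.email, "unexpected Admin"))
            continue
        extra = effective_access(u, all_envs) - intended_grants.get(u.email, set())
        for project, env in sorted(extra):
            findings.append((u.email, f"excess access: {project}/{env}"))
    return findings

def demo():
    # Constructed sample data: intended policy is one Admin, one Staging-only user.
    envs = {("web", "Staging"), ("web", "Production")}
    admins = {"alice@example.com"}
    wanted = {"bob@example.com": {("web", "Staging")}}
    users = enable_rbac(["alice@example.com", "bob@example.com"])
    after_enable = audit(users, envs, admins, wanted)      # bob is still Admin
    users["bob@example.com"].admin = False
    users["bob@example.com"].grants = {("web", "Staging")}
    after_fix = audit(users, envs, admins, wanted)         # clean
    create_environment(users, envs, ("web", "Production-EU"))
    after_new_env = audit(users, envs, admins, wanted)     # bob gained the new env
    return after_enable, after_fix, after_new_env
```

Re-running the audit after each RBAC enablement and each new environment shows which users need to be adjusted on the Teams page.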
