Access Control
Access control defines who can open an organization, use an environment, and read or write catalog data. Altertable applies the same role model to team members and service accounts, so humans and automation can be scoped with the same rules.
Roles are assigned on three resource levels:
| Level | What it controls | Common use |
|---|---|---|
| Organization | Organization-wide access, administration, and billing | Admins and users who need access across every environment |
| Environment | Dashboard access and default catalog access inside one environment | Production, staging, or customer-specific access boundaries |
| Catalog | Read or write access to one Altertable or external catalog | Narrow data access for teams, agents, and service accounts |
Higher-level roles can cascade to lower-level resources. For example, an organization reader can read data across all environments, while a custom per-environment role lets you choose access separately for each environment and catalog.
Roles
Altertable exposes a small set of roles at each level:
| Scope | Role | Behavior |
|---|---|---|
| Organization | Admin | Manage members, access, billing, and organization settings |
| Organization | Writer | Read and write data in every environment |
| Organization | Reader | View data and dashboards in every environment |
| Organization | Custom per environment | Set access separately for each environment and catalog |
| Environment | Writer | Read and write data in that environment |
| Environment | Reader | View data and dashboards in that environment |
| Environment | Custom per catalog | Open the environment, then set read or write access per catalog |
| Catalog | Writer | Read and write data in that catalog |
| Catalog | Reader | Read data in that catalog |
Use organization roles for broad access, environment roles when each environment represents a meaningful boundary, and catalog roles when a person or service needs only a specific data source.
Team Members
Team members are managed from Organization settings. Users with organization management access can invite members, review pending invitations, and update roles from a member detail page.
Service Accounts
Service accounts are organization-scoped principals for automation such as CI/CD, dbt jobs, scheduled imports, and machine-to-machine API access.
New service accounts start with read access at the organization level. After creating one, open the service account detail page to narrow or expand its access with the same organization, environment, and catalog roles used for team members.
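The role cascade and the service-account default described above, as an added example that is not Altertable's own code or API: it models the three levels with hypothetical Python data structures, resolves effective catalog access, and flags service accounts whose access exceeds a declared need. Organization Admin is left out because this page does not state its data access, and all environment, catalog and account names are constructed.

```python
# Illustrative model of the role cascade described above; not Altertable's
# implementation or API. All data structures and names are assumptions.
RANK = {None: 0, "read": 1, "write": 2}
GRANT = {"reader": "read", "writer": "write"}

def effective_access(roles, env, catalog):
    """Resolve one principal's access to (env, catalog).

    roles = {"org": role, "envs": {env: role}, "catalogs": {(env, catalog): role}}
    Organization Admin is not modeled: the page does not state its data access.
    """
    org = roles.get("org")
    if org in GRANT:                      # org Reader/Writer cascades everywhere
        return GRANT[org]
    if org != "custom":
        raise ValueError(f"unmodeled organization role: {org!r}")
    env_role = roles.get("envs", {}).get(env)
    if env_role in GRANT:                 # env Reader/Writer covers its catalogs
        return GRANT[env_role]
    if env_role == "custom":              # fall through to per-catalog roles
        return GRANT.get(roles.get("catalogs", {}).get((env, catalog)))
    return None                           # environment cannot be opened

def excess_access(accounts, inventory):
    """List (account, env, catalog, have, need) where access exceeds declared need."""
    findings = []
    for name, acct in sorted(accounts.items()):
        for env, catalog in inventory:
            have = effective_access(acct["roles"], env, catalog)
            need = acct["needs"].get((env, catalog))
            if RANK[have] > RANK[need]:
                findings.append((name, env, catalog, have, need))
    return findings

# Constructed sample data (environment, catalog and account names are invented).
INVENTORY = [("production", "billing"), ("production", "events"), ("staging", "events")]
ACCOUNTS = {
    # Never narrowed after creation: still holds the default org-level read.
    "ci-deploy": {"roles": {"org": "reader"},
                  "needs": {("staging", "events"): "read"}},
    # Scoped down to a single catalog in one environment.
    "dbt-nightly": {"roles": {"org": "custom", "envs": {"production": "custom"},
                              "catalogs": {("production", "events"): "writer"}},
                    "needs": {("production", "events"): "write"}},
}

if __name__ == "__main__":
    for finding in excess_access(ACCOUNTS, INVENTORY):
        print(finding)
```

The account left on the default organization-level read shows up with read access to both production catalogs it never declared a need for, while the account scoped to one catalog produces no findings.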
Recommended Patterns
- Give most people the narrowest organization role that matches their normal work.
- Use custom per-environment access when production and staging should have different audiences.
- Use catalog roles for sensitive datasets, shared customer environments, and automation that should not read every catalog.
- Prefer service accounts over shared human credentials for scheduled jobs and deployment pipelines.
Related Pages
- Workers: Where queries and source connectivity run
- Authentication: Credentials for analytical database clients
- MCP authentication: OAuth access for AI clients