Data Access Roles at Preset
  • 05 Mar 2026

Overview

In this article we will look at data access roles and how they operate in coordination with workspace roles and row level security to provide a wide range of access control in Preset.

Data access begins with workspace roles, which are broadly responsible for determining whether a user has restricted access or not.

Restricted access is configured using data access roles, which are used to configure either wide access coverage (e.g., all databases) or access to specific datasources.

Lastly, Preset's row level security feature enables organizations to achieve granular data control by configuring which data access roles can query & view data within datasets.

Let's have a closer look at how data access roles play an integral part in how access is managed.


Workspace Roles

Concept

At the highest level, data access is controlled at the workspace level. Within a workspace, a user's access permissions fall into one of four categories:

| Category | Role(s) |
|---|---|
| Full Admin access | Workspace Admin |
| Full non-Admin access | Primary Creator |
| Data access role-based access | Secondary Creator, Limited Creator, Viewer, Dashboard Interactor, or Dashboard Viewer |
| No access | No access |

The roles of Workspace Admin, Primary Creator, and No access are all fairly self-explanatory. The user has either admin access, full non-admin access, or no access whatsoever, respectively.

The three data access role-based options, however, enable organizations to access Preset's built-in functionality around role-based access permissions and, potentially, use row-level security to achieve granular control at the data-in-dataset level.

First, though, let's learn about workspace roles and the specific access they provide.

Role details

Workspace role definitions are as follows:

| Role | Feature Access | Data Access | Data Role Management |
|---|---|---|---|
| Workspace Admin | All | All | Yes |
| Primary Creator | All | All | No |
| Secondary Creator | Limited based on Data Access Role. Can create physical datasets. | Restricted | No |
| Limited Creator | Limited based on Data Access Role. Can only create virtual datasets. | Restricted | No |
| Viewer | Published Charts and Dashboards, based on Data Access Role | Restricted | No |
| Dashboard Interactor | Published Dashboards, based on Data Access Role | Restricted | No |
| Dashboard Viewer | Published Dashboards, based on Data Access Role | Restricted | No |
| No Access | None | None | No |

Further details about which functionalities are available to each Workspace Role can be found in this article.

Note: While Workspace Admins and Primary Creators are not subject to data restrictions defined by Data Access Roles (DARs), they are still subject to any Row Level Security (RLS) rules applied to datasets. This allows organizations to apply RLS rules even to admin-level users when necessary (e.g., for testing, scoped access, or role-based visibility control).

Data restriction (via data access roles) is possible for the following workspace roles:

Secondary Creator

Secondary Creators have access to all data within a workspace, but are subject to data restrictions as defined by a data access role. This role grants users dataset write access, restricted by their data access role. For example, they can create physical datasets from databases or schemas they have access to, they can edit datasets if they are the owner, they can create and manage alerts/reports, and they can upload CSVs if CSV upload is enabled on the database they have access to.

Limited Creator
Similar to the Secondary Creator, this user role has access to all data within a workspace, but is subject to data restrictions as defined by a data access role. Limited Creators can't create physical datasets from databases and schemas, and they can't upload CSVs to databases. However, they can create virtual datasets and charts/dashboards using the data they have access to. 

Viewer
This user role only has access to visualizations (charts and dashboards) that are published, and is also subject to any defined data access role-based restrictions. For example, an external marketing agency may be given view access to published visualizations from a specified dataset. 

Dashboard Interactor
This user role only has access to dashboards that are published, and is also subject to any defined data access role-based restrictions. They can view or interact with dashboards by drilling to chart details. For example, a regional sales manager needs to view a sales performance dashboard and interact with the data filters and drill-down capabilities to investigate specific sales trends in their region.

Dashboard Viewer
This user role only has access to dashboards that are published, and is also subject to any defined data access role-based restrictions. For example, a potential business partner is given view access rights to a quarterly product sales dashboard used in a presentation by your company.

All of the roles above are assigned to specific users in Preset Manager on the Workspace Roles screen (see Give a User Access to a Workspace to learn more).

So, what are data access roles?


Data Access Roles

Data access roles work by creating a role in Preset, assigning user(s), and then assigning access to datasources for that role.

Important: While Data Access Roles (DARs) define access to data, Row Level Security (RLS) rules operate independently of that scope. This means that if a Workspace Admin or Primary Creator is added to a DAR, they can still be affected by active RLS filters tied to that dataset.

In other words, being exempt from data access restrictions through DARs does not exempt a user from RLS rules. If a user is assigned to a DAR that is associated with RLS filters, those filters will still be applied to their queries, regardless of their workspace role.

Levels of Data Access Role Coverage

By default, all limited roles (Secondary Creator, Limited Creator, Viewer, Dashboard Interactor, and Dashboard Viewer) have no access to data. To grant access to specific assets, users must be added to a Data Access Role (DAR).

Once added, the level of access depends on the user's role:

  • Viewer-type roles gain access to Dashboards and Charts powered by that data.

  • Creator-type roles can additionally build new assets using those datasets.

  • Users with SQL Lab access can also query the allowed data directly in SQL Lab.

Wide Access

  • All database access: This is the most permissive option. It grants access to all database connections in the Workspace. This includes all datasets, and also all tables for SQL Lab (for users with SQL Lab access).

  • All dataset access: Grants access to all datasets.

  • All query access: Grants access to the Query History.

Specific Permissions

More granular data access controls are also available:

  • Database Access: Grants access to an entire DB Connection, including all catalogs, schemas, and tables/datasets.

  • Catalog Access: Grants access to an entire catalog, including all schemas and table/datasets.

  • Schema Access: Grants access to all tables and datasets within the schema.

  • Dataset Access: This is the most restrictive access. It grants access to a specific dataset.
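
The rules above can be modelled as a small access resolver, which is useful when reviewing a role design for over-broad grants. This is an added illustration, not Preset's implementation or API: the class, function, user and dataset names are hypothetical, and it assumes RLS predicates are attached to a DAR per dataset and that a grant at one level covers everything beneath it.

```python
from dataclasses import dataclass, field

UNRESTRICTED = {"Workspace Admin", "Primary Creator"}
RESTRICTED = {"Secondary Creator", "Limited Creator", "Viewer",
              "Dashboard Interactor", "Dashboard Viewer"}

@dataclass
class DataAccessRole:  # illustrative model, not a Preset API object
    name: str
    members: set
    all_databases: bool = False
    all_datasets: bool = False
    # Each grant is a path prefix: (db,), (db, catalog), (db, catalog, schema)
    # or the full (db, catalog, schema, dataset).
    grants: set = field(default_factory=set)
    # RLS predicates tied to this role, keyed by full dataset path.
    rls: dict = field(default_factory=dict)

def covers(dar, dataset):
    """True if the DAR's wide or specific permissions include the dataset."""
    if dar.all_databases or dar.all_datasets:
        return True
    return any(dataset[:len(g)] == g for g in dar.grants)

def resolve(user, workspace_role, dars, dataset):
    """Return (allowed, rls_predicates) for one user and one dataset path."""
    mine = [d for d in dars if user in d.members]
    if workspace_role in UNRESTRICTED:
        allowed = True            # DAR data restrictions do not apply
    elif workspace_role in RESTRICTED:
        allowed = any(covers(d, dataset) for d in mine)  # default: no access
    else:
        allowed = False           # "No Access" or unknown role
    # RLS is independent of DAR scope: it follows DAR membership even for admins.
    predicates = sorted(d.rls[dataset] for d in mine if dataset in d.rls)
    return allowed, (predicates if allowed else [])

# Constructed sample data
ORDERS = ("warehouse", "main", "sales", "orders")
SALARIES = ("warehouse", "main", "hr", "salaries")
DARS = [DataAccessRole("emea_sales", {"ana", "root"},
                       grants={("warehouse", "main", "sales")},
                       rls={ORDERS: "region = 'EMEA'"})]

if __name__ == "__main__":
    for user, role, ds in [("ana", "Viewer", ORDERS), ("ana", "Viewer", SALARIES),
                           ("root", "Workspace Admin", ORDERS),
                           ("bob", "Limited Creator", ORDERS)]:
        print(user, role, ds[-1], resolve(user, role, DARS, ds))
```

In the sample data the Workspace Admin `root` can read every dataset, yet still gets the `region = 'EMEA'` filter on `orders` because of DAR membership, while `bob`, who belongs to no DAR, is denied by default.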
