Predefined Roles and Granular Permissions

Overview

When you assign roles to a user from the Manage Users interface, two tabs are available:

  • Predefined Roles. The original set of broad, job-function roles, for example Admin, Audience Manager, or Data Manager. Each role bundles permissions across several feature areas. These cover most common team structures and are documented in the matrices on the Managing Users page.
  • Granular Permissions. A catalog of narrow roles, each one paired as a view (read-only) and manage (read and write) for a single feature area. Granular permissions are designed for least-privilege assignments where a user should have access only to the features they actually use.
Predefined Roles tab in Manage Users Granular Permissions tab in Manage Users

Roles from both tabs can be assigned to the same user. Permissions are additive across every assigned role.

How permissions combine

A few rules to keep in mind when assigning roles:

  • Additive across all roles. A user gets the union of permissions from every assigned role. There is no subtractive or "deny" rule that one role can apply over another.
  • Manage includes View. Assigning both the view and manage role for the same area is redundant. Just assign the manage role.
  • Predefined and granular can be combined. A user can hold predefined roles and granular permissions at the same time. Where they overlap, the broader access wins.
  • Account-scoped. Every role applies within a single Lytics account. A user with access to multiple accounts has a separate set of role assignments in each one.
  • No per-resource control. Roles gate access to a feature area as a whole, for example all segments or no segments. You cannot restrict a user to a single segment, schema table, or flow.

Granular Permissions catalog

The catalog below mirrors the cards on the Granular Permissions tab. Each row lists the slug used in API calls and SSO group assertions, the display name as it appears in the UI, and what the permission grants.

In the role picker the cards are arranged into domain columns (such as Streams, Jobs, User Profiles, and Cloud Connect) to group related areas together. The Cloud Connect column holds the Connections and Data Model cards. The column a card appears in is purely an organizational aid in the UI — the slug and what it grants are unchanged.

Access Tokens

SlugDisplay NameGrants
v2_auth_viewAuthorizations ViewRead access to authorizations.
v2_auth_manageAuthorizations ManageRead and write access to authorizations, including credential management.

Account Goals

SlugDisplay NameGrants
v2_goal_viewGoal ViewRead access to account goals.
v2_goal_manageGoal ManageRead and write access to account goals.

Account Settings

SlugDisplay NameGrants
v2_account_settings_viewAccount Settings ViewRead access to account settings, including the private fields list.
v2_account_settings_manageAccount Settings ManageRead and write access to account settings.

Anomaly Rules

SlugDisplay NameGrants
v2_anomaly_rule_viewMetrics Rule ViewRead access to metrics rules (also referred to as anomaly rules in the API).
v2_anomaly_rule_manageMetrics Rule ManageRead and write access to metrics rules.

Audiences

SlugDisplay NameGrants
v2_segment_viewAudience ViewRead access to audiences.
v2_segment_manageAudience ManageRead and write access to audiences.

Campaigns

SlugDisplay NameGrants
v2_campaign_viewCampaign ViewRead access to campaigns and programs.
v2_campaign_manageCampaign ManageRead and write access to campaigns and programs.

Connections

SlugDisplay NameGrants
v2_connections_viewConnections ViewRead access to connections.
v2_connections_manageConnections ManageRead and write access to connections. Authorizations remain view-only under this permission, so pair it with Authorizations Manage if needed.

Content

SlugDisplay NameGrants
v2_content_viewContent ViewRead access to content documents and content classifications.
v2_content_manageContent ManageRead and write access to content documents and classifications, including blocklists.

Data Model

SlugDisplay NameGrants
v2_data_model_viewData Model ViewRead access to the data model.
v2_data_model_manageData Model ManageRead and write access to the data model, including CloudConnect sync configuration.

Experiences

SlugDisplay NameGrants
v2_experience_viewExperience ViewRead access to experiences.
v2_experience_manageExperience ManageRead and write access to experiences.

Flows

SlugDisplay NameGrants
v2_flow_viewFlow ViewRead-only access to flows and the work and workflow records they generate. The flow canvas opens in a view-only state: the node and edge editing affordances, the label field, and the publish and delete controls are all disabled.
v2_flow_manageFlow ManageRead and write access to flows, covering creating, editing, and deleting them along with publishing changes from the canvas.

Jobs

SlugDisplay NameGrants
v2_jobs_viewJobs ViewRead access to jobs, work records, and workflow status.
v2_jobs_manageJobs ManageRead and write access to jobs, including pause and resume.

Journeys

SlugDisplay NameGrants
v2_journey_viewJourney ViewRead access to journeys and stages.
v2_journey_manageJourney ManageRead and write access to journeys and stages.

Lookalike Models

SlugDisplay NameGrants
v2_lookalike_viewView Lookalike ModelsRead access to lookalike models and the audiences they reference.
v2_lookalike_manageManage Lookalike ModelsRead and write access to lookalike models.

PII

SlugDisplay NameGrants
v2_pii_viewPII ViewRead access to Personally Identifiable Information (PII) on data and user profiles. PII that the user is not granted is redacted server-side. There is no manage counterpart — this permission only unhides PII for reading. In the role picker this card is grouped under the User Profiles column.

Queries

SlugDisplay NameGrants
v2_query_viewQuery ViewRead access to saved queries.
v2_query_manageQuery ManageRead and write access to saved queries.

Reports

SlugDisplay NameGrants
v2_report_viewReport ViewRead access to reports.
v2_report_manageReport ManageRead and write access to reports.

Route Rules

SlugDisplay NameGrants
v2_route_rule_viewRoute Rule ViewRead access to route rules. In the role picker this card is grouped under the Streams column.
v2_route_rule_manageRoute Rule ManageRead and write access to route rules, including creating, editing, duplicating, and deleting them.

Schema

SlugDisplay NameGrants
v2_schema_viewSchema ViewRead access to schema tables and field definitions.
v2_schema_manageSchema ManageRead and write access to schema tables, fields, identity configuration, and rankings.

Streams

SlugDisplay NameGrants
v2_stream_viewStream ViewRead access to data streams and their configuration.
v2_stream_manageStream ManageRead and write access to data streams.

Templates

SlugDisplay NameGrants
v2_template_viewTemplate ViewRead access to message and content templates.
v2_template_manageTemplate ManageRead and write access to templates.

User Profiles

SlugDisplay NameGrants
v2_user_profile_viewUser Profile ViewRead access to user profiles (entity records).
v2_user_profile_manageUser Profile ManageRead and write access to user profiles.

Workflow Rules

SlugDisplay NameGrants
v2_workflow_rule_manageWorkflow Rule ManageRead and write access to workflow rules, which include the destination filters applied to export jobs. There is no view counterpart — workflow rules have no separate read gate, so manage is the only role. In the role picker this card is grouped under the Jobs column.

Notifications & Preferences

Opt-in email notification preferences are not part of the Granular Permissions tab. They live in their own Notifications & Preferences card on the user summary page (see Managing Users). They do not grant access to any feature area on their own — they only control which emails the user receives.

Unlike predefined roles and granular permissions, these preferences can be toggled by the user on their own profile; an admin does not have to set them.

SlugDisplay NameGrants
job_alertsJob AlertsReceives email notifications about job lifecycle events (success, failure, completion).
metrics_rule_alertsMetrics Rule AlertsReceives email notifications when a metrics rule fires.
📘

Inviting users and assigning roles still require the Admin predefined role

Granular permissions do not include the ability to invite new users or change other users' role assignments. A user who needs to manage other users must hold the Admin predefined role in addition to any granular permissions.

Common patterns

Some assemblies of granular permissions that come up often:

  • Read-only auditor. Pair the view permissions for the areas you want them to inspect. A common combination is Audience View, Schema View, Jobs View, Connections View, and Report View.
  • Audience-only marketer. Audience Manage plus Campaign View. The user can build and edit audiences and see how campaigns are using them, but cannot change campaigns themselves.
  • Data engineer (no audience write). Schema Manage, Stream Manage, Jobs Manage, and Query Manage. The user owns the data pipeline but cannot publish audiences.
  • Integration owner. Authorizations Manage, Connections Manage, and Jobs View. The user can stand up and maintain destinations and authorizations and watch the resulting export jobs run.
  • Lookalike modeler. Manage Lookalike Models plus Audience View. The user can train and tune lookalike models against existing audiences without being able to edit them.
  • On-call data operator. Jobs Manage, plus the Job Alerts and Metrics Rule Alerts preferences from the Notifications & Preferences card. The user can manage jobs and gets paged on the events they care about.

Mixing predefined roles with granular permissions

Predefined roles and granular permissions can be combined on the same user. A few notes:

  • If a user has a predefined role that already covers an area (for example Marketer covering audiences and campaigns), adding the matching granular view permission is redundant.
  • Adding Admin alongside any other roles always grants full access. Granular permissions do not constrain Admin.
  • For predictable behavior, pick one model per user where possible. If the predefined roles do not fit, switch that user to granular permissions entirely rather than mixing.

Converting predefined roles to granular permissions

To help move a user from the broad predefined model to least-privilege granular permissions, the Predefined Roles tab includes a Convert to granular permissions button. With one or more non-Admin predefined roles selected, clicking it will:

  1. Select the equivalent granular permissions for the access those predefined roles grant.
  2. Clear the predefined roles that were converted.
  3. Switch you to the Granular Permissions tab so you can review the result before saving.

The conversion is conservative and never escalates access. A granular permission is selected only when every permission it would grant is already granted by the predefined roles you converted. If a predefined role grants some access that no granular permission expresses exactly, that access is dropped and listed in a warning so you can decide how to handle it (for example, by keeping the predefined role or contacting Lytics about a custom role).

A few details:

  • Admin is excluded. Admin grants everything, so it has no meaningful granular equivalent. The button is disabled when only Admin (or nothing) is selected, and Admin is left untouched when converting alongside other roles.
  • Nothing is saved until you submit. The button only changes the selections in the form. Review the resulting granular permissions — and any dropped-access warning — and submit the form to apply them.
  • Not available when editing your own user. To prevent users from changing their own access, the button is disabled when you are editing your own account.

Custom roles

Lytics supports custom roles defined at the account level. A custom role lets an account use a permission shape that the predefined and granular catalogs do not cover, for example a hand-picked combination of access that does not fit any built-in role.

🚧

Custom roles are not self-service today

There is no in-app role editor. Customers who need a custom role should contact their Lytics representative or Lytics Support. Once provisioned, the custom role appears in the Manage Users interface alongside the built-in roles and can be assigned the same way.

What granular permissions cannot do

A few boundaries to be aware of:

  • No per-resource access. You cannot grant access to a single segment, schema table, flow, or any other individual resource. Permissions operate at the feature-area level.
  • No workspace tier. All roles are scoped to a Lytics account. Lytics does not have a sub-account or workspace concept that roles can target.
  • No time-bound assignments. A role assignment lasts until an admin removes it.
  • No role inheritance. There is no parent-child hierarchy between roles.
  • PII access is governed by the PII View permission and the private fields setting together. Which fields count as Personally Identifiable Information (PII) is controlled by the private fields account setting; whether a user can see those fields is granted by the PII View (v2_pii_view) granular permission (or an equivalent predefined role). Without it, PII is redacted server-side regardless of the user's other permissions. PII View only unhides PII for reading — it does not grant write access to any feature area.

Assigning roles in practice

Roles are assigned the same way regardless of which tab they come from:

  • From the Manage Users interface. Open Manage Users from the account menu, select the user, and choose roles from the Predefined Roles or Granular Permissions tab. Multiple roles can be selected across both tabs.
  • Via SSO group assertions. If your account uses SSO, every slug listed in this catalog and in the Single Sign-On Overview works in the standard lytics_<AID>_<role> group assertion format. For example, lytics_123_v2_segment_manage assigns the Audience Manage permission for account 123.
📘

Need to audit who has which role?

The Manage Users interface lists every user in the account and their assigned roles. For programmatic auditing, the User API returns the same information.