When you assign roles to a user from the Manage Users interface, two tabs are available:
Predefined Roles. The original set of broad, job-function roles, for example Admin, Audience Manager, or Data Manager. Each role bundles permissions across several feature areas. These cover most common team structures and are documented in the matrices on the Managing Users page.
Granular Permissions. A catalog of narrow roles, each one paired as a view (read-only) and manage (read and write) for a single feature area. Granular permissions are designed for least-privilege assignments where a user should have access only to the features they actually use.
Roles from both tabs can be assigned to the same user. Permissions are additive across every assigned role.
How permissions combine
A few rules to keep in mind when assigning roles:
Additive across all roles. A user gets the union of permissions from every assigned role. There is no subtractive or "deny" rule that one role can apply over another.
Manage includes View. Assigning both the view and manage role for the same area is redundant. Just assign the manage role.
Predefined and granular can be combined. A user can hold predefined roles and granular permissions at the same time. Where they overlap, the broader access wins.
Account-scoped. Every role applies within a single Lytics account. A user with access to multiple accounts has a separate set of role assignments in each one.
No per-resource control. Roles gate access to a feature area as a whole, for example all segments or no segments. You cannot restrict a user to a single segment, schema table, or flow.
Granular Permissions catalog
The catalog below mirrors the cards on the Granular Permissions tab. Each row lists the slug used in API calls and SSO group assertions, the display name as it appears in the UI, and what the permission grants.
Access Tokens
| Slug | Display Name | Grants |
|---|---|---|
| v2_auth_view | Authorizations View | Read access to authorizations. |
| v2_auth_manage | Authorizations Manage | Read and write access to authorizations, including credential management. |
Account Goals
| Slug | Display Name | Grants |
|---|---|---|
| v2_goal_view | Goal View | Read access to account goals. |
| v2_goal_manage | Goal Manage | Read and write access to account goals. |
Account Settings
| Slug | Display Name | Grants |
|---|---|---|
| v2_account_settings_view | Account Settings View | Read access to account settings, including the private fields list. |
| v2_account_settings_manage | Account Settings Manage | Read and write access to account settings. |
Anomaly Rules
| Slug | Display Name | Grants |
|---|---|---|
| v2_anomaly_rule_view | Metrics Rule View | Read access to metrics rules (also referred to as anomaly rules in the API). |
| v2_anomaly_rule_manage | Metrics Rule Manage | Read and write access to metrics rules. |
Audiences
| Slug | Display Name | Grants |
|---|---|---|
| v2_segment_view | Audience View | Read access to audiences. |
| v2_segment_manage | Audience Manage | Read and write access to audiences. |
Campaigns
| Slug | Display Name | Grants |
|---|---|---|
| v2_campaign_view | Campaign View | Read access to campaigns and programs. |
| v2_campaign_manage | Campaign Manage | Read and write access to campaigns and programs. |
Connections
| Slug | Display Name | Grants |
|---|---|---|
| v2_connections_view | Connections View | Read access to connections. |
| v2_connections_manage | Connections Manage | Read and write access to connections. Authorizations remain view-only under this permission, so pair it with Authorizations Manage if needed. |
Content
| Slug | Display Name | Grants |
|---|---|---|
| v2_content_view | Content View | Read access to content documents and content classifications. |
| v2_content_manage | Content Manage | Read and write access to content documents and classifications, including blocklists. |
Data Model
| Slug | Display Name | Grants |
|---|---|---|
| v2_data_model_view | Data Model View | Read access to the data model. |
| v2_data_model_manage | Data Model Manage | Read and write access to the data model, including CloudConnect sync configuration. |
Experiences
| Slug | Display Name | Grants |
|---|---|---|
| v2_experience_view | Experience View | Read access to experiences. |
| v2_experience_manage | Experience Manage | Read and write access to experiences. |
Flows
| Slug | Display Name | Grants |
|---|---|---|
| v2_flow_view | Flow View | Read access to flows and the work and workflow records they generate. |
| v2_flow_manage | Flow Manage | Read and write access to flows. |
Jobs
| Slug | Display Name | Grants |
|---|---|---|
| v2_jobs_view | Jobs View | Read access to jobs, work records, and workflow status. |
| v2_jobs_manage | Jobs Manage | Read and write access to jobs, including pause and resume. |
Journeys
| Slug | Display Name | Grants |
|---|---|---|
| v2_journey_view | Journey View | Read access to journeys and stages. |
| v2_journey_manage | Journey Manage | Read and write access to journeys and stages. |
Lookalike Models
| Slug | Display Name | Grants |
|---|---|---|
| v2_lookalike_view | View Lookalike Models | Read access to lookalike models and the audiences they reference. |
| v2_lookalike_manage | Manage Lookalike Models | Read and write access to lookalike models. |
Queries
| Slug | Display Name | Grants |
|---|---|---|
| v2_query_view | Query View | Read access to saved queries. |
| v2_query_manage | Query Manage | Read and write access to saved queries. |
Reports
| Slug | Display Name | Grants |
|---|---|---|
| v2_report_view | Report View | Read access to reports. |
| v2_report_manage | Report Manage | Read and write access to reports. |
Schema
| Slug | Display Name | Grants |
|---|---|---|
| v2_schema_view | Schema View | Read access to schema tables and field definitions. |
| v2_schema_manage | Schema Manage | Read and write access to schema tables, fields, identity configuration, and rankings. |
Streams
| Slug | Display Name | Grants |
|---|---|---|
| v2_stream_view | Stream View | Read access to data streams and their configuration. |
| v2_stream_manage | Stream Manage | Read and write access to data streams. |
Templates
| Slug | Display Name | Grants |
|---|---|---|
| v2_template_view | Template View | Read access to message and content templates. |
| v2_template_manage | Template Manage | Read and write access to templates. |
User Profiles
| Slug | Display Name | Grants |
|---|---|---|
| v2_user_profile_view | User Profile View | Read access to user profiles (entity records). |
| v2_user_profile_manage | User Profile Manage | Read and write access to user profiles. |
Other
The Other card holds opt-in notification permissions. They do not grant access to any feature area on their own, so they are typically assigned alongside other roles.
| Slug | Display Name | Grants |
|---|---|---|
| job_alerts | Job Alerts | Receives email notifications about job lifecycle events (success, failure, completion). |
| metrics_rule_alerts | Metrics Rule Alerts | Receives email notifications when a metrics rule fires. |
📘 Inviting users and assigning roles still require the Admin predefined role
Granular permissions do not include the ability to invite new users or change other users' role assignments. A user who needs to manage other users must hold the Admin predefined role in addition to any granular permissions.
Common patterns
Some assemblies of granular permissions that come up often:
Read-only auditor. Pair the view permissions for the areas you want them to inspect. A common combination is Audience View, Schema View, Jobs View, Connections View, and Report View.
Audience-only marketer. Audience Manage plus Campaign View. The user can build and edit audiences and see how campaigns are using them, but cannot change campaigns themselves.
Data engineer (no audience write). Schema Manage, Stream Manage, Jobs Manage, and Query Manage. The user owns the data pipeline but cannot publish audiences.
Integration owner. Authorizations Manage, Connections Manage, and Jobs View. The user can stand up and maintain destinations and authorizations and watch the resulting export jobs run.
Lookalike modeler. Manage Lookalike Models plus Audience View. The user can train and tune lookalike models against existing audiences without being able to edit them.
On-call data operator. Jobs Manage plus Job Alerts and Metrics Rule Alerts from the Other card. The user can manage jobs and gets paged on the events they care about.
Mixing predefined roles with granular permissions
Predefined roles and granular permissions can be combined on the same user. A few notes:
If a user has a predefined role that already covers an area (for example Marketer covering audiences and campaigns), adding the matching granular view permission is redundant.
Adding Admin alongside any other roles always grants full access. Granular permissions do not constrain Admin.
For predictable behavior, pick one model per user where possible. If the predefined roles do not fit, switch that user to granular permissions entirely rather than mixing.
Custom roles
Lytics supports custom roles defined at the account level. A custom role lets an account use a permission shape that the predefined and granular catalogs do not cover, for example a hand-picked combination of access that does not fit any built-in role.
🚧 Custom roles are not self-service today
There is no in-app role editor. Customers who need a custom role should contact their Lytics representative or Lytics Support. Once provisioned, the custom role appears in the Manage Users interface alongside the built-in roles and can be assigned the same way.
What granular permissions cannot do
A few boundaries to be aware of:
No per-resource access. You cannot grant access to a single segment, schema table, flow, or any other individual resource. Permissions operate at the feature-area level.
No workspace tier. All roles are scoped to a Lytics account. Lytics does not have a sub-account or workspace concept that roles can target.
No time-bound assignments. A role assignment lasts until an admin removes it.
No role inheritance. There is no parent-child hierarchy between roles.
PII access is governed separately. Personally Identifiable Information (PII) visibility is controlled by the private fields account setting and the predefined roles called out in the Managing Users page. Granular permissions do not unlock or restrict PII visibility on their own.
Assigning roles in practice
Roles are assigned the same way regardless of which tab they come from:
From the Manage Users interface. Open Manage Users from the account menu, select the user, and choose roles from the Predefined Roles or Granular Permissions tab. Multiple roles can be selected across both tabs.
Via SSO group assertions. If your account uses SSO, every slug listed in this catalog and in the Single Sign-On Overview works in the standard lytics_<AID>_<role> group assertion format. For example, lytics_123_v2_segment_manage assigns the Audience Manage permission for account 123.
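The combination rules under "How permissions combine" and the lytics_<AID>_<role> group format can be checked before group mappings go live. The Python below is an added example, not Lytics code: it parses group names, computes effective access per account, and compares the result with the Integration owner pattern from this page. The numeric account ID, the function names, and the sample groups are assumptions; predefined role slugs are not listed on this page and are left unexpanded.

```python
import re
from collections import defaultdict

# Assumption: account IDs are numeric, as in the page's lytics_123_... example.
GROUP_RE = re.compile(r"^lytics_(\d+)_(.+)$")
GRANULAR_RE = re.compile(r"^v2_(.+)_(view|manage)$")
RANK = {"view": 1, "manage": 2}

# Constructed sample: group names an IdP might assert for one user.
SAMPLE_GROUPS = [
    "lytics_123_v2_auth_manage",
    "lytics_123_v2_connections_manage",
    "lytics_123_v2_connections_view",  # redundant next to connections_manage
    "lytics_123_v2_jobs_view",
    "lytics_123_v2_segment_manage",    # outside the Integration owner pattern
    "lytics_456_v2_report_view",       # second account, separate role set
    "engineering-all",                 # unrelated IdP group, ignored
]
# The page's "Integration owner" pattern written as slugs.
INTEGRATION_OWNER = {"v2_auth_manage", "v2_connections_manage", "v2_jobs_view"}

def roles_by_account(groups):
    """Parse lytics_<AID>_<role> names into {account id: set of role slugs}."""
    roles = defaultdict(set)
    for group in groups:
        m = GROUP_RE.match(group)
        if m:
            roles[m.group(1)].add(m.group(2))
    return dict(roles)

def effective_access(slugs):
    """Union of granular slugs as {area: level}; manage includes view."""
    access = {}
    for slug in slugs:
        m = GRANULAR_RE.match(slug)
        if not m:
            continue  # predefined roles and alert-only slugs are not expanded
        area, level = m.groups()
        if RANK[level] > RANK.get(access.get(area), 0):
            access[area] = level
    return access

def redundant_views(slugs):
    """View slugs made redundant by the matching manage slug."""
    return sorted(s for s in slugs
                  if s.endswith("_view") and s[:-4] + "manage" in slugs)

def excess_over(slugs, baseline):
    """Areas where slugs grant a higher level than the baseline set does."""
    have, want = effective_access(slugs), effective_access(baseline)
    return sorted(a for a, lvl in have.items()
                  if RANK[lvl] > RANK.get(want.get(a), 0))
```

Because permissions are additive and there is no deny rule, any area reported by excess_over can only be corrected by removing the group that grants it.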
📘 Need to audit who has which role?
The Manage Users interface lists every user in the account and their assigned roles. For programmatic auditing, the User API returns the same information.