Team Management
Roles, permissions, and team member management
dbtrail uses role-based access control (RBAC) to manage what each team member can do within a tenant.
Roles
Each user is assigned a role within a tenant. Roles form a hierarchy — each role inherits all permissions from the roles below it.
owner
└── admin
└── operator
└── analyst
└── viewerPermission matrix
| Permission | owner | admin | operator | analyst | viewer |
|---|---|---|---|---|---|
| Billing management | x | ||||
| Delete tenant | x | ||||
| Manage users | x | x | |||
| Manage roles | x | x | |||
| Manage API keys | x | x | |||
| Register/delete servers | x | x | |||
| Update servers | x | x | x | ||
| Execute recovery | x | x | x | ||
| Query changes | x | x | x | x | |
| View audit log | x | x | x | x | |
| View servers | x | x | x | x | x |
| View status | x | x | x | x | x |
| Claude access | x | x | x | x |
Inviting team members
From the dashboard, go to Settings → Team → Invite Member:
- Enter the user's email address
- Select a role
- Send the invitation
The invited user will receive an email with a link to join the tenant. If they don't have a dbtrail account, they'll be prompted to create one first.
Changing roles
Owners and admins can change a member's role from Settings → Team. Click the role dropdown next to the member's name and select the new role.
Role restrictions
- Only owners can promote someone to admin
- Admins cannot change the owner's role
- You cannot change your own role
Table and column access
In addition to functional permissions, each role can have restrictions on which MySQL tables and columns they can see. See Access Rules for full details on configuring data-level access control, including:
- Hiding PII columns from analysts
- Restricting access to sensitive tables
- Compliance with data access policies
API key inheritance
When a user generates an API key, the key inherits their role. If a user's role is later downgraded, their existing API keys will operate with the new, reduced permissions.