Configuration
Role-Based Access Control (RBAC)
Learn how to manage user permissions, data access, and dashboard sharing in camelAI Enterprise
RBAC is only available in our Enterprise tier. Need enterprise-grade access control? Book a call with our sales team.
Permissions Hierarchy
Access permissions in camelAI follow this hierarchy (from highest to lowest):Superuser
System-level access with complete control
Org Admin
Organization-wide access and control (Enterprise only)
Owner
Resource creator with management permissions
- In non-Enterprise tiers: full control
- In Enterprise tier: control dependent on group membership
Group Member
Access based on group permissions (Enterprise only)
External Viewer
View-only access to shared dashboards (via email)
No Access
Cannot view or interact with the resource
Detailed Permission Matrix
The following table provides a comprehensive breakdown of permissions by role in camelAI Enterprise:| Permission | Superuser | Org Admin | Owner | Group Member | External Viewer | No Access |
|---|---|---|---|---|---|---|
| User Management | ||||||
| Add users to organization | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Assign users to groups | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Toggle admin status | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Deactivate users | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Data Source Management | ||||||
| Connect data sources | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Assign data sources to groups | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Private Connection Management | ||||||
| Create private connections⁵ | ✅ | ✅ | ✅ | ✅ | ✗ | ✗ |
| Edit own private connections | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| Delete own private connections | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| Share private connection data⁶ | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Group Management | ||||||
| Create/delete groups | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Configure external sharing for groups | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Dashboard Access | ||||||
| View shared dashboards | ✅ | ✅ | ✅ | ✅ | ✅ | ✗ |
| Dashboard Management | ||||||
| Create dashboards | ✅ | ✅ | ✅ | ✅ | ✗ | ✗ |
| View all organization’s dashboards | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Edit any dashboard | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Edit own dashboard | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| Delete any dashboard | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Delete own dashboard | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| Dashboard Sharing | ||||||
| Share with groups¹ | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| External email sharing² | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| Artifact Management | ||||||
| Create artifacts | ✅ | ✅ | ✅ | ✅ | ✗ | ✗ |
| Edit any artifact | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Edit own artifact | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| Delete any artifact | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Delete own artifact | ✅ | ✅ | ✅ | ✗ | ✗ | ✗ |
| Chat/Query Access | ||||||
| Use AI chat with any data source | ✅ | ✅ | ✗ | ✗ | ✗ | ✗ |
| Use AI chat with permitted data sources³ | ✅ | ✅ | ✅ | ✅ | ✗ | ✗ |
| Start chat with dashboard artifact⁴ | ✅ | ✅ | ✅ | ✅ | ✗ | ✗ |
| View database queries | ✅ | ✅ | ✅ | ✅ | ✗ | ✗ |
- The owner is a member of the group
- The group has access to all data sources used by artifacts in the dashboard
- The owner belongs to a group with external sharing enabled (
can_share_externally=true) - All artifacts in the dashboard use data sources from groups with external sharing enabled
Admin Panel Features
Enterprise tier organizations have access to an admin panel with the following management capabilities:- Add users and assign them to groups
- Toggle admin status for users
- Deactivate users
- Users can belong to multiple groups
- Toggle permission for users to create private connections (enabled by default)
Dashboard Sharing Rules
Conditions for Sharing with Groups (Enterprise Tier)
1
Group Data Source Access
The group must have access to all data sources used by all artifacts in the dashboard
2
User Group Membership
The user attempting to access must be a member of all required groups
3
Private Connection Limitations
Dashboards containing artifacts that use private connections cannot be shared unless an org-admin has added those private connections to a group
Conditions for External Sharing
External sharing permissions are carefully controlled to protect sensitive data.
1
Owner Permissions
The dashboard owner must be in a group with external sharing enabled
2
Data Source Permissions
All artifacts in the dashboard must use data sources from groups that allow external sharing
3
Changes in Conditions
If any condition changes (e.g., artifact added using a restricted data source), external access should be revoked
Access Revocation
Access is automatically removed when:User Removed from Group
User Removed from Group
A user is removed from a group required to access a dashboard
Data Source Removed from Group
Data Source Removed from Group
A data source is removed from a group and dashboards using that data source are shared with the group
External Sharing Settings Changed
External Sharing Settings Changed
External sharing settings for a group are changed, affecting dashboards with artifacts using data sources from that group
Private Connection Added to Dashboard
Private Connection Added to Dashboard
A user adds an artifact using a private connection to a previously shared dashboard, causing the dashboard to become private until an org-admin adds the private connection to the relevant groups
Private Connection Removed from Group
Private Connection Removed from Group
An org-admin removes a private connection from a group, restricting access to dashboards containing artifacts using that connection