Roles & Permissions
LakeSentry uses a three-tier role system: Owner, Admin, and User. Each role has a fixed set of capabilities. Roles are assigned when inviting users.
For managing users and invitations, see User Management & Invitations.
The owner is the highest-privilege role. There is exactly one owner per organization — the first user to set up the account becomes the owner automatically.
The owner has full access to everything, including:
- All admin capabilities
- Ownership transfer
- Webhook configuration
Ownership can be transferred to another admin. See Transferring Ownership.
Admins have full operational access. They can manage connectors, invite users, configure attribution rules, and approve action plans. The main restriction is that admins cannot configure webhooks or transfer ownership.
Users have read-only access to dashboards, reports, and insights. They can configure their own notification preferences, but cannot make changes to the organization’s configuration or take actions on insights.
Permission matrix
Section titled “Permission matrix”| Capability | Owner | Admin | User |
|---|---|---|---|
| Dashboards & Analytics | |||
| View dashboards and reports | Yes | Yes | Yes |
| Use Cost Explorer and filters | Yes | Yes | Yes |
| Export data | Yes | Yes | Yes |
| Insights & Actions | |||
| View insights | Yes | Yes | Yes |
| Snooze/dismiss insights | Yes | Yes | No |
| Approve action plans | Yes | Yes | No |
| Reject action plans | Yes | Yes | No |
| Manage auto-dismiss rules | Yes | Yes | No |
| Connectors | |||
| View connector status | Yes | Yes | Yes |
| Create/edit connectors | Yes | Yes | No |
| Generate connection strings | Yes | Yes | No |
| Reset checkpoints | Yes | Yes | No |
| Delete connectors | Yes | Yes | No |
| Attribution & Organization | |||
| View attribution rules | Yes | Yes | Yes |
| Create/edit attribution rules | Yes | Yes | No |
| Manage org hierarchy | Yes | Yes | No |
| Manage identity mappings | Yes | Yes | No |
| Create/edit budgets | Yes | Yes | No |
| Configure tag governance rules | Yes | Yes | No |
| User Management | |||
| View user list | Yes | Yes | Yes |
| Invite users | Yes | Yes | No |
| Revoke invitations | Yes | Yes | No |
| Remove users | Yes | Yes | No |
| Set user passwords | Yes | Yes | No |
| Transfer ownership | Yes | No | No |
| Settings | |||
| View organization settings | Yes | Yes | Yes |
| Edit organization settings | Yes | Yes | No |
| Configure webhooks | Yes | No | No |
| View billing and plan | Yes | Yes | Yes |
| Manage billing portal | Yes | Yes | Yes |
| Personal | |||
| Edit own notification preferences | Yes | Yes | Yes |
| Change own password | Yes | Yes | Yes |
Role assignment
Section titled “Role assignment”- New users receive a role when invited (Admin or User — Owner cannot be assigned via invitation).
- A user’s role is set at invitation time and persists for the lifetime of the account.
- The owner role can only be transferred using the ownership transfer flow.
API access
Section titled “API access”All roles authenticate using the same mechanism (session tokens). The API enforces role checks on every request:
- Endpoints that modify configuration require Admin or Owner.
- Most read-only endpoints are available to all authenticated users. Some administrative read endpoints (such as auto-dismiss rule listings, tag discovery, and invitation listings) also require Admin or Owner.
- Owner-only endpoints (webhooks, ownership transfer) return
403 Forbiddenfor non-owner users.
Collector authentication
Section titled “Collector authentication”Collectors use a separate authentication mechanism (collector token) that is scoped to a specific connector. Collector tokens cannot access user-facing APIs and vice versa. This separation ensures that a compromised collector token cannot be used to access dashboards or modify configuration.
Next steps
Section titled “Next steps”- User Management & Invitations — Managing users and the invitation flow
- Settings — Organization configuration
- Audit Log — Tracking who did what and when