User Management
Datafi provides a centralized interface for managing every user in your workspace. You can invite new users, organize them into groups, assign roles that control platform access, and define custom attributes used by the policy engine.
Adding Users
You invite users to your workspace by email. Navigate to Administration > Users and click Add User.
- Enter one or more email addresses, separated by commas.
- Select an initial Role for the invited users.
- Optionally assign one or more Groups.
- Click Send Invitation.
Each recipient receives an email with a link to accept the invitation and complete their account setup. Pending invitations appear in the Invitations tab with their current status.
| Invitation Status | Meaning |
|---|---|
| Pending | The email has been sent but the user has not yet accepted. |
| Accepted | The user has completed registration and can access the workspace. |
| Expired | The invitation link has passed its 7-day validity window. You can resend it. |
| Revoked | An administrator has manually cancelled the invitation. |
You can bulk-invite users by pasting a comma-separated list of email addresses. Datafi deduplicates addresses and skips any that already exist in the workspace.
Roles
Roles define what a user can do within the platform. Datafi ships with a set of built-in roles that cover common access patterns.
| Role | Description | Typical Use Case |
|---|---|---|
| Owner | Full administrative control. Can manage billing, workspace settings, and all resources. | Workspace creator, CTO, or IT lead. |
| Admin | Can manage users, data sources, policies, and platform configuration. Cannot modify billing. | IT administrators, data platform managers. |
| Editor | Can create and modify Data Views, Data Apps, and queries. Cannot manage users or policies. | Analysts, data engineers. |
| Viewer | Read-only access to shared Data Views and Data Apps. Cannot create or edit resources. | Business stakeholders, executives. |
You assign a role when inviting a user or by editing their profile in the user directory. A user can hold exactly one role at a time.
Groups
Groups let you organize users into logical collections for easier policy assignment and resource sharing. Common grouping strategies include department, project team, region, or data classification level.
To create a group:
- Navigate to Administration > Groups.
- Click Create Group.
- Enter a group name and optional description.
- Add members by searching for existing users.
- Click Save.
You reference groups in Policies & Governance to apply row-level, column-level, or object-level access rules to all members at once.
A user can belong to multiple groups. When policies from different groups conflict, Datafi applies the most restrictive rule by default.
User Attributes
Attributes are key-value pairs attached to a user profile. The ABAC (Attribute-Based Access Control) engine evaluates these attributes at query time to enforce fine-grained policies.
| Attribute | Example Value | Policy Use Case |
|---|---|---|
department | finance | Restrict access to financial datasets. |
region | eu-west | Enforce data residency rules. |
clearance | confidential | Control access to classified data columns. |
cost_center | CC-4200 | Track query costs by business unit. |
To add or edit attributes:
- Navigate to the user's profile in Administration > Users.
- Open the Attributes tab.
- Add key-value pairs or modify existing ones.
- Click Save.
Attributes are available immediately for use in policy expressions.
Approval Levels
For sensitive operations -- such as accessing restricted datasets or exporting data -- you can require one or more levels of approval before the action is permitted.
| Approval Level | Approvers | Use Case |
|---|---|---|
| Level 1 | Group lead or data steward | Standard data access requests. |
| Level 2 | Department head or compliance officer | Access to PII or regulated data. |
| Level 3 | Workspace Owner or designated executive | Bulk data export or cross-tenant access. |
To configure approval workflows:
- Navigate to Administration > Approval Settings.
- Define approval levels and assign approver roles or specific users.
- Map approval levels to actions (e.g., "Export > 10,000 rows" requires Level 2).
- Click Save.
When a user triggers an action that requires approval, the request is routed to the designated approvers. The user is notified once the request is approved or denied.
If all designated approvers for a level are unavailable, the request remains in a pending state. Ensure you assign at least two approvers per level to avoid bottlenecks.
Next Steps
- Workspace Management -- Configure workspace settings and branding.
- AI/ML Configuration -- Set up LLM providers for your workspace.
- Events and Notifications -- Define event-driven notifications.