Access Control

Users in DX have access to specific features based on their role. Each user in DX is assigned at least one role, and with those role(s) comes a set of permissions. Permissions define the level of access that users have to each feature in DX (usually read or write access).

In addition to accessing data themselves, users can also create Personal Access Tokens. These tokens can access DX data and make changes through the API. Tokens don’t have roles assigned explicitly; instead, they take on the role of the user that created them. Based on the token creator’s role, each token gets access to a set of scopes, which are similar to permissions.

For example, if User A’s role only allows viewing reports, any token they create can only be granted report-viewing scopes, but not report-creation scopes.

If a user’s role is downgraded after creating a token, their token’s scopes get removed accordingly. For example, if User A’s role was downgraded to not being able to view or create reports, the report-viewing scope would be removed from their token.

At a high level:

  • Roles are mapped to both a set of permissions and a set of scopes.
  • When users are assigned a role, they receive the corresponding mapped set of permissions.
  • When users create a token, the scopes they can assign to that token depend on their role.

See Roles for a list of available roles, see Permissions for the set of permissions that are mapped to each role, and see Scopes for a full list of scopes and how they map to each role.
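
The model summarised above, as an added sketch that is not DX's own code or API: a token's scopes are capped by its creator's role, and a role downgrade strips any scopes the new role no longer allows. The role names, scope strings and function names are hypothetical, and treating the ceiling for a user with several roles as the union of their scopes is an assumption.

```python
from dataclasses import dataclass, field

# Hypothetical role -> scope mapping; DX's real roles and scopes are in its docs.
ROLE_SCOPES = {
    "report_editor": {"reports:read", "reports:write"},
    "report_viewer": {"reports:read"},
    "no_reports": set(),
}

@dataclass
class User:
    name: str
    roles: set

    def allowed_scopes(self):
        # Assumption: with several roles, the ceiling is the union of their scopes.
        allowed = set()
        for role in self.roles:
            allowed |= ROLE_SCOPES[role]
        return allowed

@dataclass
class Token:
    creator: User
    scopes: set = field(default_factory=set)

def create_token(user, requested):
    """Issue a token only if every requested scope is within the creator's role."""
    requested = set(requested)
    denied = requested - user.allowed_scopes()
    if denied:
        raise PermissionError(f"role does not permit scopes: {sorted(denied)}")
    return Token(creator=user, scopes=requested)

def change_roles(user, new_roles, tokens):
    """Apply a role change and trim the user's existing tokens to the new ceiling.

    Returns the set of scopes that were removed from any token.
    """
    user.roles = set(new_roles)
    ceiling = user.allowed_scopes()
    removed = set()
    for tok in tokens:
        if tok.creator is user:
            removed |= tok.scopes - ceiling
            tok.scopes &= ceiling  # keep only scopes the new role still grants
    return removed
```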