# Global and Dataset Roles

Soda Cloud uses **Global Roles** and **Dataset Roles** to manage access and permissions. These roles ensure users and user groups have the right level of access based on their responsibilities.

## Global Roles

{% hint style="warning" %}
Only users with the **Manage organization settings** permission on the organization can define and assign global roles. [Global and Dataset Roles](https://docs.soda.io/soda-v4/organization-and-admin-settings/global-and-dataset-roles)
{% endhint %}

Global roles define permissions across the entire organization in Soda Cloud.

By default, Soda Cloud provides two global roles: Admin and User. You can create custom roles with a subset of the permissions.

<table><thead><tr><th>Permission Group</th><th>Description</th><th width="100">Admin</th><th width="100">User</th></tr></thead><tbody><tr><td>Manage data sources and agents</td><td><ul><li>Allows deploying a new Soda Agent and configuring data source connections in Soda Cloud.</li></ul></td><td>✓</td><td></td></tr><tr><td>Create new datasets and data sources with Soda Core library</td><td><ul><li>Allows creating new data sources in Soda Cloud when using the Soda Core library.</li><li>Allows onboarding datasets in Soda Cloud on data sources connected with a Soda Agent. See <a data-mention href="../onboard-data-sources-and-datasets/onboard-datasets-on-soda-cloud">onboard-datasets-on-soda-cloud</a></li></ul></td><td>✓</td><td>✓</td></tr><tr><td>Manage attributes</td><td><ul><li>Allows defining which dataset and check attributes are available for use in the organization.</li></ul></td><td>✓</td><td></td></tr><tr><td>Manage notification rules</td><td><ul><li>Allows managing how notifications are sent.</li></ul></td><td>✓</td><td>✓</td></tr><tr><td>Manage organization settings</td><td><ul><li>Manage organization settings</li><li>Deactivate users</li><li>Create, edit, or delete user groups</li><li>Create, edit, or delete dataset roles</li><li>Create, edit, or delete global roles</li><li>Assign global roles to users or user groups</li><li>Add, edit, or delete integrations</li><li>Access and download the audit trail</li></ul></td><td>✓</td><td></td></tr><tr><td>Manage scan definitions</td><td><ul><li>Update scan definition</li><li>Run scan definition manually</li></ul></td><td>✓</td><td></td></tr></tbody></table>

### Create Custom Global Roles

You can create custom global roles to match your organization’s needs.

To create a global role:

{% stepper %}
{% step %}
Go to the **Global Roles** section in **Settings**.
{% endstep %}

{% step %}
Click **Add Global Role** to create a new role.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FEC3VHQ7eZtAaktpUia0n%2Fimage.png?alt=media&#x26;token=39cc451e-93cb-4da3-afc6-bbd3886de8c7" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Enter a **name** for the role.
{% endstep %}

{% step %}
Select the **permissions** the role should have.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FNPmMShuTwwW04wCAFlTM%2Fglobal-role-create-1%20(1).png?alt=media&#x26;token=d3db155e-d01a-4247-b533-73698c324461" alt="" width="519"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **Save**.
{% endstep %}
{% endstepper %}

### Edit Custom Global Roles

You can edit global roles at any time to adjust permissions as your organization’s needs evolve.

To edit a global role:

{% stepper %}
{% step %}
Go to the **Global Roles** section in **Settings**.
{% endstep %}

{% step %}
Find the global role you want to modify.
{% endstep %}

{% step %}
Click the context menu next to the role and select **Edit Global Role**.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FDpF9WMIcE0sbktixQRRB%2Fimage.png?alt=media&#x26;token=1f6843c2-0452-40ee-bf27-c7aabc541da2" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Adjust the role’s **name** and **permissions** as needed.
{% endstep %}

{% step %}
Click **Save** to apply your changes.
{% endstep %}
{% endstepper %}

### Assign Members to Global Roles

You can assign roles to individual users or user groups to grant them the associated permissions.

To assign a global role:

{% stepper %}
{% step %}
Go to the **Global Roles** section in **Settings**.
{% endstep %}

{% step %}
Find the global role you want to assign.
{% endstep %}

{% step %}
Click the context menu next to the role and select **Assign Members**.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2Ft32LO4SZ9o4w68WcCvmg%2Fimage.png?alt=media&#x26;token=ec3169c5-8845-4b17-bd75-8c07233ca32c" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Select the users or user groups that should have the global role.
{% endstep %}

{% step %}
Click **Save** to apply your changes.
{% endstep %}
{% endstepper %}

You can also assign roles on the Users and User groups tabs:

* For users: [user-management](https://docs.soda.io/organization-and-admin-settings/user-management "mention")
* For user groups: [user-management](https://docs.soda.io/organization-and-admin-settings/user-management "mention")

## Dataset roles

Dataset roles define permissions for specific datasets.

{% hint style="warning" %}
Only users with the **Manage organization settings** permission on the organization can define and update dataset roles, as well as default responsibilities. [Global and Dataset Roles](https://docs.soda.io/soda-v4/organization-and-admin-settings/global-and-dataset-roles)
{% endhint %}

By default, Soda Cloud provides three dataset roles: Manager, Editor, and Viewer. You can create custom roles with a subset of the permissions.

<table><thead><tr><th>Permission Group</th><th>Description</th><th width="100">Manager</th><th width="100">Editor</th><th width="100">Viewer</th></tr></thead><tbody><tr><td>View dataset</td><td>Access the dataset and view checks</td><td>✓</td><td>✓</td><td>✓</td></tr><tr><td>Access dataset profiling and samples</td><td>Allow users to see insights about the data</td><td>✓</td><td>✓</td><td>✓</td></tr><tr><td>Access failed row samples for checks</td><td>Allow users to see samples of rows that are considered invalid</td><td>✓</td><td>✓</td><td>✓</td></tr><tr><td>Configure dataset</td><td>Allow users to define dataset attributes and owner, change settings, and add/enable/configure metric monitors at a dataset level</td><td>✓</td><td>✓</td><td></td></tr><tr><td>Manage dataset responsibilities</td><td>Allow users to grant and remove permissions through responsibilities.</td><td>✓</td><td></td><td></td></tr><tr><td>Manage Contracts</td><td>Allow users to modify and verify the data contract</td><td>✓</td><td>✓</td><td></td></tr><tr><td>Propose checks</td><td>Allow users to propose changes in the data contract</td><td>✓</td><td>✓</td><td>✓</td></tr><tr><td>Manage incidents</td><td>Allow users to edit and close incidents.</td><td>✓</td><td>✓</td><td>✓</td></tr><tr><td>Delete dataset</td><td>Allow users to remove a dataset and its checks.</td><td>✓</td><td></td><td></td></tr></tbody></table>

### Create Custom Dataset Roles

You can create custom dataset roles to match your organization’s needs.

To create a dataset role:

{% stepper %}
{% step %}
Go to the **Dataset Roles** section in **Settings**.
{% endstep %}

{% step %}
Click **Add Dataset Role** to create a new role.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FRQ5sZo9Cpady6JZ5UUaY%2Fimage.png?alt=media&#x26;token=434d8319-9e3e-4b09-ad00-a6d2462b8a84" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Enter a **name** for the role.
{% endstep %}

{% step %}
Select the **permissions** the role should have.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2F0AYj4tAWQEuceOoUupg4%2Fimage.png?alt=media&#x26;token=10f85e19-b4ff-4d07-a28b-e07150ac9ef5" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **Save** to apply your changes.
{% endstep %}
{% endstepper %}

### Edit Dataset Roles

You can edit dataset roles at any time to adjust permissions as your organization’s needs evolve.

To edit a dataset role:

{% stepper %}
{% step %}
Go to the **Dataset Roles** section in **Settings**.
{% endstep %}

{% step %}
Find the dataset role you want to modify.
{% endstep %}

{% step %}
Click the context menu next to the role and select **Edit Dataset Role**.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FDWbQLbCCRWPL1wUhr1tO%2Fimage.png?alt=media&#x26;token=2f8ee2ad-2a48-4f80-884f-5bcc2850b304" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Adjust the role’s **name** and **permissions** as needed.
{% endstep %}

{% step %}
Click **Save** to apply your changes.
{% endstep %}
{% endstepper %}

### Assign dataset responsibilities

**Responsibilities** in Soda Cloud define who has access to a dataset and what they are allowed to do. They are assigned by mapping **users** or **user groups** to a **dataset role.**

This ensures that the right people have the appropriate permissions for each dataset, such as the ability to manage checks, propose new rules, or view profiling information.

For example:

* Assign a **Manager** role to a dataset owner who needs full control.
* Assign a **Viewer** role to a business user who only needs to monitor data quality results.

By assigning responsibilities, you ensure clear access control, accountability, and governance across your datasets.

Learn how to set up responsibilities on a dataset: [dataset-attributes-and-responsibilities](https://docs.soda.io/dataset-attributes-and-responsibilities "mention")

### Define default responsibilities

#### For the dataset owner

Soda Cloud allows you to define **default responsibilities** for the dataset owner, which will automatically be granted for all dataset owners. This ensures that all users have a consistent baseline level of access unless you choose to customize it.

By default, all dataset owners have the "Manager" role.

**How to Configure Default Responsibilities**

{% stepper %}
{% step %}
Go to the **Organization Settings** page in Soda Cloud.
{% endstep %}

{% step %}
Locate the **Dataset Roles** section.
{% endstep %}

{% step %}
Select the **dataset role** to assign to dataset owners.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FPsef38rL1fIxnm5kbdpp%2Fdataset-role-owner.png?alt=media&#x26;token=ddea07f8-1566-4595-9bd0-c4fa5491dea7" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **Save** at the top right of the page to apply your changes.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2Flhaw3WUs0BhlHUBMfhA1%2Fsave-default.png?alt=media&#x26;token=b166408d-47c0-4731-91b5-95b28c850647" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

#### For everyone

Soda Cloud allows you to define **default responsibilities** for the **Everyone** group, which will automatically apply to all newly onboarded datasets. This ensures that all users have a consistent baseline level of access unless you choose to customize it.

By default:

* The **Everyone** group is assigned as a "Viewer" for all new datasets.
* This setting applies to **all users** in your organization unless disabled.

You can either customize the default role or **disable** the default responsibilities if you do not want the Everyone group to receive any automatic access to new datasets.

**How to Configure Default Responsibilities**

{% stepper %}
{% step %}
Go to the **Organization Settings** page in Soda Cloud.
{% endstep %}

{% step %}
Locate the **Dataset Roles** section.
{% endstep %}

{% step %}
Select the **dataset role** to assign to the Everyone group for new datasets.
{% endstep %}

{% step %}
To disable default responsibilities, toggle the feature **off**.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2F37H9sY4cjRAUlnRUMUIc%2Fdataset-role-everyone.png?alt=media&#x26;token=cd241d00-454d-4bc1-b765-7b6873a73552" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **Save** at the top right of the page to apply your changes.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2F67MGmUR36zaKYXaAf5ma%2Fsave-default%20(1).png?alt=media&#x26;token=aa3d7f44-f93b-4cce-805b-de3d08af2b72" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}
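
The defaults above combine with the dataset role table: the built-in Viewer role includes **Access failed row samples for checks**, so the Everyone default grants that permission on every newly onboarded dataset. The following Python sketch is an added example, not Soda code, and does not call any Soda API; it models the table locally to review who can see failed row samples under the default, under a custom role, and with the default disabled. The `Restricted Viewer` role, the sample users and groups, and the rule that permissions combine as a union across responsibilities are assumptions made for the illustration.

```python
# Added illustration: a local model of the dataset role table on this page.
# It does not call Soda Cloud. Permission names are copied from the table.
SAMPLES = "Access failed row samples for checks"
VIEWER = frozenset({"View dataset", "Access dataset profiling and samples",
                    SAMPLES, "Propose checks", "Manage incidents"})
EDITOR = VIEWER | {"Configure dataset", "Manage Contracts"}
MANAGER = EDITOR | {"Manage dataset responsibilities", "Delete dataset"}
ROLES = {
    "Manager": MANAGER, "Editor": EDITOR, "Viewer": VIEWER,
    # Hypothetical custom role: Viewer without access to row-level data.
    "Restricted Viewer": VIEWER - {SAMPLES, "Access dataset profiling and samples"},
}

def onboard_dataset(owner, owner_role="Manager", everyone_role="Viewer"):
    """Responsibilities a newly onboarded dataset starts with.
    everyone_role=None models the Everyone default being toggled off."""
    responsibilities = [(owner, owner_role)]
    if everyone_role is not None:
        responsibilities.append(("Everyone", everyone_role))
    return responsibilities

def effective_permissions(user, groups, responsibilities):
    """Assumption: permissions are the union over every matching principal."""
    principals = {user, "Everyone", *groups}
    granted = set()
    for principal, role in responsibilities:
        if principal in principals:
            granted |= ROLES[role]
    return granted

def who_can(permission, members, responsibilities):
    """Access review: users whose effective permissions include `permission`."""
    return sorted(user for user, groups in members.items()
                  if permission in effective_permissions(user, groups, responsibilities))

# Constructed sample directory: user -> user groups.
MEMBERS = {"ana": ["data-eng"], "bo": ["marketing"], "cy": []}

if __name__ == "__main__":
    for label, everyone_role in [("default", "Viewer"),
                                 ("custom", "Restricted Viewer"),
                                 ("disabled", None)]:
        resp = onboard_dataset("ana", everyone_role=everyone_role)
        print(label, who_can(SAMPLES, MEMBERS, resp))
```
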

***

## Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) in Soda Cloud ensures that users can only access and interact with data according to their assigned roles; roles and permissions are fully customizable to adapt to your organization's needs.

RBAC is designed to:

* Enforce least-privilege access
* Prevent direct user-to-permission grants
* Scope access by organization and role
* Ensure that all access is authenticated and authorized

Here’s how these features can benefit your organization on the journey to governed data democratization:

#### Customizable roles and permissions

With Soda, **you can tailor access to data** to align with your specific needs. For instance, you can create a role for Product Marketing that allows the team to view sample data and propose data quality checks on particular datasets, while restricting editing capabilities on others.

If a **default role** is not quite what you're looking for, **you can easily edit its permissions** to add new capabilities.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FukWyDm6vwtIGYuIRav2S%2Froles.gif?alt=media&#x26;token=55d59923-d67e-4154-acfd-c822155ffcdc" alt="" width="375"><figcaption></figcaption></figure>

#### Streamlined user management

You can **enable user group synchronization from your Identity Provider (IdP) to Soda Cloud**, reducing the administrative burden of ensuring consistent permissions. This saves time during onboarding and offboarding while minimizing human error.

#### Bulk editing for enhanced efficiency

You can assign roles and permissions to multiple datasets in one go through the Soda Cloud UI or via the API.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FKbwC3DYqaSEKzYy9f06c%2Fbulk-edit.gif?alt=media&#x26;token=68a49c27-4a09-421d-ae10-43174e34d65a" alt="" width="563"><figcaption></figcaption></figure>

### Architecture

#### Strong identity as the security perimeter

Access to critical systems is federated via an Identity Provider (IdP) with:

* Multi-factor authentication (MFA) enforcement
* Role-based access control (RBAC)
* Unique user identification
* Least-privilege, role-scoped permissions

Roles are:

* Managed centrally in the IdP
* Mapped to system permissions

User group synchronization from the IdP to Soda Cloud is supported to streamline onboarding and offboarding while minimizing human error.

#### Authentication and enforcement

Every request to Soda Cloud:

1. Is authenticated
2. Is scoped to the user’s organization
3. Passes through RBAC enforcement

{% hint style="info" %}
Soda Cloud does **not** provide a capability to publish content or files that can be accessed by users who are not authenticated members of the organization. Public link sharing and anonymous access capabilities are not allowed to **prevent exposure of Soda Cloud content outside the authenticated organization**.
{% endhint %}

### How access control helps data democratization

Access control empowers data owners to efficiently manage data requests while ensuring that data is accessible.

* **Accelerates value creation** by enabling quick access to a wide range of datasets
* **Improves decision making** by ensuring users can easily identify and use the most relevant data

