User Management and Access Control
Complete guide to managing users, configuring access controls, and understanding permissions in Atlan.
How can I find all users in Atlan?
You must be an admin user to see the full user list. In the Admin centre open Users & Groups → Users to view, filter, and export all users in your workspace.
Can I change my access level as an admin to test member and guest permissions?
Changing your own admin role is risky because any background workflows or playbooks you own might fail. Instead, create separate member and guest test accounts (for example, with disposable email addresses) and use an incognito browser window to verify permissions.
How can a user with a member role query tables?
Give the member a persona or purpose that contains the necessary data access policies for the tables they need to query.
How do you become an admin for a connection?
Only an existing connection admin (or a workspace admin) can assign additional connection admins. Ask a current connection admin to add you via the connection sidebar or by editing the connector workflow.
Why do some assets have a lock or a request to get approval from an admin?
A member sees a lock icon when they're neither a connection admin nor part of any persona or purpose that permits asset changes. To gain edit rights, become a connection admin or be added to a suitable persona or purpose.
Which permissions take priority when policies have overlapping assets?
When more than one policy affects the same asset, Atlan applies the most restrictive rule. An explicit deny always overrides a permit. See How do I control access to metadata and data? for details.
Can I restrict business users to only view verified assets?
No. Access policies can currently target connections and tags but not certification status.
What's the default landing page for users with two or more personas?
After you set landing page preferences:
- If exactly one persona applies to the user, they land on that persona's configured page.
- If multiple personas apply and the "All assets" view is disabled, Atlan chooses the first persona alphabetically.
- If the "All assets" view is available, the default landing page is All assets.
Can I restrict metadata access to a subset of columns?
Yes. Create a metadata policy and, in the asset selector, drill down to choose only the columns that should be visible.
How's the atlan_user id used for authentication in Redshift?
Atlan connects via the Amazon Redshift JDBC driver, using the IAM credentials you configure. The atlan_user identifier is not used to log in; instead, Atlan attributes each query to the actual user in Redshift's logs.
Is the data for queries or sample preview masked in memory?
Yes. Atlan rewrites the SQL at run-time so that masked values (for example, via REPLACE) are returned directly from the source database; the unmasked data never reaches Atlan's memory.
Can users link terms to assets without glossary access?
Yes: provided their metadata policy allows them to add or remove terms. They can link terms from the asset sidebar even if they don't have edit rights on the glossary itself.
Why do I get permission denied when running an API request?
Add one or more personas to the API token so it can access the connection's assets. You can assign personas to a token in Admin → API authentication. For steps, see API authentication.
Does Atlan have a password policy?
Yes. Atlan enforces these minimum requirements:
- Minimum length: 12 characters
- Must include at least 1 digit
- Must include both lowercase and uppercase letters
- Must include at least 1 special character
Generated passwords expire after 90 days, and you can't reuse your last 5 passwords.
What assets can be transferred from a removed user and how?
Removing a user from Atlan and transferring ownership of their assets may entail one of the following actions or a combination thereof:
- Remove the user from a list of owners.
- Delete the associated asset.
- Transfer ownership of assets to a new user.
| Category | Condition | Action |
|---|---|---|
| Persona | User is present | Remove user from the persona |
| Purpose | User is present | Remove user from the purpose |
| Owner metadata | Sole owner | Transfer ownership to transferee |
| Multiple owners | Remove user from owner metadata attribute | |
| Connection admin | Sole connection admin | Transfer role to transferee |
| Multiple connection admins | Remove user from list of connection admins | |
| Query collection owner | If query collection is private | Delete query collection along with its folders and queries |
| If query collection is shared and user has view permissions | Remove user from query collection | |
| If query collection is shared and user is sole owner | Transfer query collection to transferee | |
| If query collection is shared and has multiple owners | Remove user from list of owners | |
| Query owner | If parent collection of the query is to be deleted | Delete the query |
| If parent collection of the query is not to be deleted and user is sole owner | Transfer ownership to transferee | |
| If parent collection of the query is not to be deleted and query has multiple owners | Remove user from owner metadata of the query | |
| Starred assets | User is present in the starredBy attribute of an asset | Remove user from starredBy attribute |
| API tokens | User has created API tokens | Delete all API tokens created by user |
| SCIM tokens | User has created SCIM tokens | Delete all SCIM tokens created by user |
| User-level integrations | User has created an integration with Jira, Slack, Teams, or more | Delete all user-level integrations |
| Requests | User has submitted requests | Delete all requests from user |
| Playbooks | One-time playbooks | No action |
| Scheduled playbooks | If user is the creator of the playbook and playbook schedule, transfer playbook and schedule to transferee | |
| Workflows | One-time workflows | No action |
| Scheduled workflows | If user is the creator of the workflow and workflow schedule, transfer workflow and cron to transferee | |
| Scheduled queries | If results are shared with other users | Remove user from the list of query result recipients, transfer the workflow, cron, and parent collection to transferee, and remove deleted user from owner metadata in queries |
| If results are not shared with other users | Delete the workflow |
Can I remove users if SSO or SCIM is enforced?
Yes, you can remove users irrespective of whether you're using basic authentication, SSO, or SCIM provisioning in Atlan.
Will the activity log include metadata updates made by a removed user?
The activity log will retain historical information on any metadata updates made by a removed user, logged under their username. This is crucial to maintain data integrity for auditing purposes.
Is it possible to reactivate a removed user?
No, it is not possible to reactivate a removed user. Since the user will be hard-deleted from Atlan, there will be no trace of the user in the identity system. Atlan maintains historical records of removed users for auditing purposes only. Whether you're using basic authentication, SSO, or SCIM provisioning, any returning user with the same username will be treated as a new user in Atlan.
My guest users can see assets but can't suggest changes: How do I fix that?
Guests are read-only by default: they can browse assets but cannot edit anything. If you want guests to contribute suggestions without giving them full edit access, turn on metadata requests. Go to Settings → Labs → Access control and enable Allow guests to raise requests for metadata updates.
Once enabled, guests see a request button on any asset they can view. They can propose changes to descriptions, owners, tags, and other metadata fields. The request lands in the standard requests queue: an admin or member reviews it and either approves or rejects it. No metadata actually changes until someone approves. The original asset is untouched in the meantime.
To turn this off again, go back to the same toggle and disable it. Pending requests already in the queue stay there and can still be processed; guests just can't create new ones.
Can I add a guest to a persona, or do I need to make them a member first?
You can add a guest to a persona without changing their role. A persona can include any user regardless of role: it controls which assets a person sees, while their workspace role (Guest, Member, or Admin) controls what they can do with those assets. A guest added to a persona sees that persona's assets but stays read-only.
If you want the guest to be able to edit or create, change their role to Member from the Users list in the admin settings (Settings → Users, or Admin → Users on the Old UI). Roles and personas are independent, so you can combine them however you need.
Members and guests can only see a subset of assets: How do I open up visibility to everything?
By design, members and guests only see assets that fall within the personas they belong to. This is Atlan's access scoping model. If you want to temporarily or permanently let everyone see all assets regardless of persona, go to Settings → Labs → Access control and enable View "All assets" in Assets Discovery.
With this on, the persona visibility rules are bypassed for asset discovery: every member and guest sees the full catalog. This is useful during initial rollout when personas aren't fully configured yet, or for workspaces where open access is intentional. Be aware that enabling it effectively removes the access scoping that personas provide.
To restore persona-based scoping, disable the toggle. Users will return to seeing only what their personas cover.
The business graph is showing too many connected assets: Can I limit it to what a user's persona covers?
By default, the business graph shows all upstream and downstream connected assets regardless of what a user can actually access. This can be overwhelming or expose asset names users shouldn't see. To make the business graph respect persona policies, go to Settings → Labs → Access control and enable Persona switcher in Business Graph.
With this on, users only see the parts of the lineage graph that fall within their active persona. They can also switch between personas (if they belong to more than one) to explore different views. Disabling the toggle returns the business graph to showing all connected assets globally.
Users are asking why they can't copy or download sample data: How do I enable that?
The ability to copy values or download a CSV from the sample data preview is off by default. To turn it on, go to Settings → Labs → Access control and enable Allow users to copy or download sample data preview.
Once enabled, users who already have a data access policy granting them access to the asset's data can copy individual values from the sample data tab or download the preview as a CSV file. Users without a data access policy for the asset still cannot see or interact with sample data: the toggle doesn't bypass data policies, it only unlocks the copy/download action for users who already have access.
To restrict this again, disable the toggle. Existing downloads are unaffected, but users lose the ability to do new ones.
My members can't see the Reporting Center: Is this a permissions issue?
Yes, by default the Reporting Center is only accessible to admins. Members and guests don't see it even if they have access to the underlying data. To make Reporting available to all members, go to Settings → Labs → Access control and enable Allow member users to access Reporting Center.
Once enabled, members can open the Reporting Center and view dashboards and reports. They do not gain admin rights: they can view reports but cannot change workspace configuration. Guests are not affected by this toggle.
To restrict it back to admins only, disable the toggle.
Is there a way for Atlan users to see asset metadata (tags, descriptions, certification) directly in Tableau?
Yes. Atlan can surface tags, descriptions, owners, and certification status from the catalog as an embedded panel inside Tableau. To enable this, go to Settings → Labs → Access control and turn on View embedded Atlan metadata in Tableau.
Once on, users who have both Tableau and Atlan access will see an Atlan metadata panel on assets within Tableau without needing to switch tools. This requires the Atlan integration for Tableau to be set up first: the toggle only controls whether the embedded view is visible.
To hide the Atlan panel in Tableau, disable the toggle.
Workflow admins on my team say they can only see their own workflows: Can I change that?
Yes. By design, workflow admins see and manage only the workflows they created. This is a deliberate scope limit. If you need workflow admins to have full visibility across all workflows in the workspace: for example, to troubleshoot, reassign, or centrally manage automation: go to Settings → Labs → Access control and enable Allow workflow admins and other custom roles to access all workflows.
With this on, workflow admins can view, edit, run, and manage all workflows regardless of who created them. Regular members and guests are unaffected. To return to creator-only visibility, disable the toggle.
How do I let workflow admins install and manage apps, not just workflows?
Workflow admin access covers workflow management by default but not the broader apps and packages catalog. If your workflow admins also need to install, configure, or manage apps and packages, go to Settings → Labs → Access control and enable Allow workflow admins and related sub roles to access all apps and packages.
Once enabled, workflow admins and related sub-roles can access the full apps and packages catalog: installing new apps, configuring existing ones, and viewing all installed packages. This is useful when a platform team manages both workflows and the apps that underpin them, without needing to give everyone full workspace admin rights.
To revoke this access, disable the toggle. Workflow admins return to managing only their own workflows.
Does AI Chat in Atlan respect persona-based access controls?
AI Chat does not currently enforce persona-based filtering at the query layer. This means AI Chat may surface information about assets even if the requesting user's persona does not include those assets. Do not rely on AI Chat as an access control boundary. This is a known platform gap and is being addressed.
For Guest users specifically: Guest users can open AI Chat and send an initial message, but the follow-up input is disabled after the first message. This is a role-level ceiling that cannot be lifted by persona configuration.
If you are building an AI agent using the MCP integration, note that OAuth Client Credentials (M2M) do not currently inherit persona restrictions. Use a user-level API key from a dedicated service account with the appropriate persona assigned for least-privilege MCP integration.
What is the $guest or $admin value I see in API responses and admin exports?
In API responses, admin exports, and audit logs, you may see role identifiers with a dollar-sign prefix: $guest, $member, $admin. These are the internal system identifiers for the built-in Atlan roles. They are equivalent to Guest, Member, and Admin respectively. The prefix distinguishes system roles from any custom roles your organization has created. No action is needed; these are expected values, not errors.