Add and manage users
Users are the people in your Atlan workspace, and each user's role sets the ceiling on what they can do, from the day they join to the day they leave. You add users by email or through your identity provider, give each one a role, and remove or downgrade them when they move on. Groups and personas decide which assets a user sees; their role decides what they are allowed to do with those assets.
Roles
Every user has exactly one platform-wide role. It sets the ceiling on what actions are possible across the workspace, no matter what their personas allow.
- Admin: Full control. Manages users, SSO, connections, governance, and every workspace setting. Sees all assets; persona scoping does not apply.
- Member: The everyday role. Browses assets, runs queries, and edits metadata, but only for the assets their persona grants. No access to workspace settings.
- Guest: Read-only. Views the assets they are given access to, nothing more. Always capped at read-only, even with a persona.
Sub-roles
An Admin can grant a Member extra powers without making them a full Admin.
- Governance Admin: Manages personas, purposes, and policies. Cannot manage users or workspace config.
- Workflow Admin: Manages automation workflows and apps. Cannot touch governance or users.
What each role can do
Role controls what a user can do. Persona controls what a user can see. They evaluate separately. A Guest user in a persona that grants lineage access can see lineage; their role doesn't block it. But a Guest user cannot add announcements regardless of persona, because the Guest role is a hard ceiling on that action.
| Action | Guest | Member | Admin | Notes |
|---|---|---|---|---|
| Search and discover assets | Yes | Yes | Yes | Subject to persona scope |
| View asset metadata | Yes | Yes | Yes | Lock icon where no edit access |
| Edit asset metadata | No | Yes | Yes | Guest ceiling; persona cannot lift it |
| Add announcements | No | Yes | Yes | Counts as a metadata write, blocked at role level |
| Preview sample data | Conditional | Conditional | Yes | Requires explicit data policy allow plus the Labs toggle enabled |
| View lineage | Conditional | Conditional | Yes | Requires persona to grant lineage tab visibility |
| Run queries in Insights | No | Conditional | Yes | Requires data policy plus role-based Insights access |
| Suggest metadata changes (requests) | Conditional | Yes | Yes | Requires Labs "Allow guests to raise requests" to be enabled |
| Create data quality rules | No | Conditional | Yes | Requires Governance Admin sub-role for Members |
| Access AI Chat | Yes (limited) | Yes | Yes | Guest can open AI Chat but cannot send follow-up messages; input is disabled after the first message |
| Connection Admin on a specific connection | Yes | Yes | Yes | Connection Admin status lifts the Guest ceiling for that connection's assets only |
| Access Insights nav / Domains nav | No | Yes | Yes | These nav items do not appear for Guest role |
A common question is whether a persona that grants access to a sidebar tab or asset overrides the Guest role. The answer depends on the action. Persona controls visibility (which tabs and assets appear). Role controls what actions are possible. A persona cannot grant edit access to a Guest, because that is blocked at the role level regardless of policy.
In API responses and admin exports, you may see $guest, $member, or $admin with a dollar-sign prefix. These are the internal system identifiers for the built-in roles. They are equivalent to Guest, Member, and Admin respectively. The prefix distinguishes system roles from custom roles.
Manage users and roles
Invite new users
Add people by email when SSO is not enforced, or through your identity provider when it is.
Assign admin sub-roles
Manually give a Member the Governance Admin or Workflow Admin sub-role.
Sync roles from your IdP
Map OIDC or SAML claims to Atlan roles so they update on every sign-in.
Assign roles by group name
Use the User Role Sync app to set each user's role from their group membership.
Import user roles
Bulk-assign roles to many users from a CSV with the User Role Import app.
Offboard users
Automatically downgrade users to Guest when they join a designated offboarding group.
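An access-review pass over a user export, as an added example that is not Atlan's own code: it maps the dollar-sign identifiers to the built-in roles, separates custom roles, and flags members of the offboarding group who are not yet Guest. The CSV columns, the "offboarding" group name and the sample rows are constructed assumptions; a real export may be laid out differently.

```python
import csv
import io

# Built-in role identifiers as they appear in API responses and admin exports.
SYSTEM_ROLES = {"$guest": "Guest", "$member": "Member", "$admin": "Admin"}

# Constructed sample export: column names, group names and users are assumptions.
SAMPLE_EXPORT = """email,role,groups
ana@example.com,$admin,platform
ben@example.com,$member,analytics;offboarding
cho@example.com,$guest,offboarding
dee@example.com,data-steward,analytics
eli@example.com,$admin,offboarding
fay@example.com,$mystery,analytics
"""

def normalise_role(raw):
    """Return (display_name, kind); kind is 'system', 'custom' or 'unknown'."""
    value = raw.strip()
    if value in SYSTEM_ROLES:
        return SYSTEM_ROLES[value], "system"
    # A $-prefixed value outside the three built-in roles is reported, not guessed.
    return value, "unknown" if value.startswith("$") else "custom"

def review(export_text, offboarding_group="offboarding"):
    """Collect the users an access review should follow up on."""
    findings = {"admins": [], "custom_roles": [], "unknown_ids": [],
                "offboarding_not_guest": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip()
        role, kind = normalise_role(row["role"])
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        if kind == "system" and role == "Admin":
            # Admins see all assets; persona scoping does not narrow them.
            findings["admins"].append(email)
        elif kind == "custom":
            findings["custom_roles"].append((email, role))
        elif kind == "unknown":
            findings["unknown_ids"].append((email, role))
        # Offboarding is expected to leave the user at Guest.
        if offboarding_group in groups and (kind, role) != ("system", "Guest"):
            findings["offboarding_not_guest"].append(email)
    return findings

if __name__ == "__main__":
    for name, items in review(SAMPLE_EXPORT).items():
        print(f"{name}: {items}")
```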
See also
- What are groups?: Bundle users so you can assign access to a whole team at once.
- Scope team access: Control which assets users see with personas.
- Set default role for SSO users: Pick the role new SSO users land with on first sign-in.
- How access policies combine: How role, persona, and purpose interact.