Permissions

Available to: Account Administrators
Minimum plan: Free

This page explains TitanRDM's permission model in detail — how permissions are structured, what each permission type grants, and how they combine to control access across domains, branches, and tables.

Important! When Domains, Branches, and Table Definitions are created, one user group is automatically created for each applicable permission, making it easier to assign users to user groups rather than granting permissions to each user. On a day-to-day basis, you give users permissions by adding them to these user groups. This section explains permissions, but it isn't necessary for understanding how to give users permissions. See the User Groups section for more information.


Permission Model Overview

TitanRDM uses a group-based, polymorphic permission model:

Permission = User Group + Action + Permission Type + Resource (Model)

Each permission record has:

| Field | Description |
|---|---|
| User Group | The group that holds this permission |
| Permission | The permission type (e.g., admin, develop, data manager, approve, edit) |
| Action | The action allowed (e.g., admin, develop, data manager, approve, edit) |
| Model Type | The resource type (e.g., Account, Domain, Branch, TableDefinition) |
| Model ID | The specific resource instance (e.g., the Finance domain, the Development branch) |

Permission Types

Account-Level Permissions

| Permission | Action | Grants |
|---|---|---|
| admin | admin | Full access to everything in the account. Bypasses all other checks. |
| develop | develop | Account-wide development capability. Required to access Development features. |

Domain-Level Permissions

| Permission | Action | Grants |
|---|---|---|
| develop | develop | Create, edit, and delete table definitions within this domain |
| data manager | data manager | View and edit data in deployed tables within this domain |

Branch-Level Permissions

| Permission | Action | Grants |
|---|---|---|
| edit | edit | Branch membership for End Users; grants no development actions |
| approve | approve | Approve promotions and deployments targeting this branch. Receive notification emails. |
| develop | develop | Full development access on this branch |

Table-Level Permissions

| Permission | Action | Grants |
|---|---|---|
| edit | edit | Edit this specific table definition's columns and properties |

Permission Resolution

When TitanRDM checks if a user can perform an action, it evaluates permissions in this order:

  1. Account Admin check — is the user in the Account Administrator group? If yes, access granted (bypasses all other checks).
  2. Specific resource check — does the user belong to a group that has the required permission on the specific resource?

Examples

| Action | Required Permission |
|---|---|
| View/edit data in a table | data manager on the table's domain |
| Create a table definition | develop on the target domain + develop on the current branch |
| Edit column definitions | develop on the table's domain + develop on the table's branch |
| Clone a table to a branch | develop on the table's domain + develop on the target branch |
| Deploy on a branch | develop on the branch |
| Approve a promotion | approve on the target branch |
| Create a private branch | Account-level develop permission |
| Add/remove users | admin on the account |
| Change plan/billing | admin on the account |

Permission Hierarchy

Permissions do not cascade automatically. Having develop on a domain does not grant data manager — these are separate permissions for separate roles.

However, Account Administrator access is an exception — it grants everything regardless of other group memberships.


Combining Domain and Branch Permissions

Many actions require permissions on both a domain and a branch. This is intentional — it allows fine-grained access control:

| Scenario | Domain Permission | Branch Permission | Result |
|---|---|---|---|
| Developer on Finance, Developer on Dev branch | develop on Finance | develop on Development | Can create/edit Finance table definitions on Development |
| Developer on Finance, no branch permission | develop on Finance | None | Cannot edit table definitions (missing branch access) |
| No domain permission, Developer on Dev branch | None | develop on Development | Cannot create table definitions (missing domain access) |
| End User on Finance Data Manager, Editor on Dev branch | data manager on Finance | edit on Development | Can view and edit data in Finance tables on Development |
| Data Manager on Finance, any branch | data manager on Finance | N/A | Can view and edit data in Finance tables (data access is branch-independent via the current branch context) |
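
The resolution order and the domain-plus-branch requirement described above, modeled as an added example (this is not TitanRDM's code or API). The `Grant` record, the function names, the action keys, and all sample users and groups are assumptions constructed for illustration; a check like this is useful when auditing exported group memberships against the intended access.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:              # one permission record, per the model overview
    group: str            # user group that holds the permission
    permission: str       # admin, develop, data manager, approve, edit
    model_type: str       # Account, Domain, Branch, TableDefinition
    model_id: str         # specific resource instance

# Constructed sample data (hypothetical account, users and memberships).
GRANTS = [
    Grant("Account Administrator", "admin", "Account", "example-account"),
    Grant("Domain Finance Developer", "develop", "Domain", "Finance"),
    Grant("Domain Finance Data Manager", "data manager", "Domain", "Finance"),
    Grant("Branch Development Developer", "develop", "Branch", "Development"),
    Grant("Branch Test Approver", "approve", "Branch", "Test"),
]
MEMBERSHIPS = {
    "alice": {"Account Administrator"},
    "bob": {"Domain Finance Developer", "Branch Development Developer"},
    "carol": {"Domain Finance Developer"},        # domain only, no branch
    "dave": {"Branch Development Developer"},     # branch only, no domain
    "erin": {"Domain Finance Data Manager"},
}
# Action -> (permission, model type) pairs that must ALL be held (from the Examples table).
REQUIRED = {
    "create_table_definition": [("develop", "Domain"), ("develop", "Branch")],
    "edit_table_data": [("data manager", "Domain")],
    "approve_promotion": [("approve", "Branch")],
}

def effective(user):
    """Effective permissions: the sum of grants held by all of the user's groups."""
    groups = MEMBERSHIPS.get(user, set())
    return {(g.permission, g.model_type, g.model_id) for g in GRANTS if g.group in groups}

def can(user, action, domain=None, branch=None):
    held = effective(user)
    # Step 1: Account Administrator access bypasses all other checks.
    if any(p == "admin" and t == "Account" for p, t, _ in held):
        return True
    required = REQUIRED.get(action)
    if not required:
        return False      # unknown action: deny by default
    # Step 2: each required permission must exist on the specific resource.
    target = {"Domain": domain, "Branch": branch}
    return all((perm, mtype, target[mtype]) in held for perm, mtype in required)
```
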

End User Permissions

Users with license type end_user have a restricted permission set:

Allowed PermissionsNot Allowed
edit (on branches and table definitions)admin
data manager (on domains)develop
approve

End Users are designed for data entry and viewing — they cannot perform development or administrative tasks regardless of group membership.


Viewing a User's Effective Permissions

To see what a specific user can access:

  1. Navigate to Admin > Users
  2. Click the user's name
  3. View their User Groups list
  4. Each group name indicates the scope and role (e.g., "Domain Finance Data Manager")

There is no single "effective permissions" view — permissions are the sum of all group memberships.


Common Permission Configurations

Data Entry User (End User)

Groups:

  - Domain [Name] Data Manager (for each domain they need access to)

Result: Can view and edit data in tables within assigned domains.

Developer (Full Access to One Domain)

Groups:

  - Domain [Name] Developer
  - Domain [Name] Data Manager
  - Branch Development Editor
  - Branch Development Developer

Result: Can create table definitions, edit data, and deploy on the Development branch for one domain.

Approver (Test/Production)

Groups:

  - Branch Test Approver
  - Branch Production Approver

Result: Can approve promotions and deployments to Test and Production branches.

Full Admin

Groups:

  - Account Administrator

Result: Full access to everything. No other groups needed.