Team Setup Guide¶
Set up Dango for a small team with multiple users and roles.
What You'll Set Up¶
By the end of this guide, you'll have:
- An admin account with full access
- Team members with appropriate roles (editor, viewer)
- Shared dashboards visible to the team
- Optionally, a cloud deployment for remote access
Duration: ~20 minutes
Prerequisites¶
- A Dango project with data already synced (complete the E-commerce Tutorial or similar first)
dango startrunning
Step 1: Verify Auth Is Enabled¶
Dango v1 enables authentication by default. Verify your setup:
Expected output shows auth enabled, your admin account, and session settings.
If auth is not enabled (e.g., you initialized with an older version):
You'll be prompted to set an admin password.
Step 2: Understand Roles¶
Dango has three roles with distinct permissions:
| Role | Access | Use For |
|---|---|---|
| Admin | Full access — all operations, user management, settings | Project owners, data engineers |
| Editor | Source management, dbt operations, dashboard creation, notebooks, scheduling | Analysts, data team members |
| Viewer | Read-only — view dashboards, sources, models, logs | Stakeholders, executives |
Detailed Permissions
- Admin: Wildcard access to all operations
- Editor: Source CRUD, CSV upload, dbt build/run, dashboard create/edit, notebook access, scheduler management
- Viewer: View sources, dbt models, dashboards, health status, logs, notebooks (read-only), schedules
See Users & Roles for the full permissions matrix.
Step 3: Add Team Members¶
Add users with the dango auth add-user command. Each user gets an invite link they can use to set their own password.
Add an Editor¶
dango auth add-user [email protected] --role editor
Output:
User created: [email protected] (role: editor)
Invite link (expires in 72 hours):
http://localhost:8800/invite/abc123...
Share this link with the user to complete setup.
Add a Viewer¶
dango auth add-user [email protected] --role viewer
Add Another Admin¶
dango auth add-user [email protected] --role admin
Verify Users¶
Password-Based Setup
If you prefer to set a temporary password instead of using invite links, use the --password flag:
dango auth add-user [email protected] --role editor --password
The user will be prompted to change the password on first login.
Step 4: Accept Invites¶
Share the invite link with each team member. When they visit the link:
- They see a "Set Your Password" form
- They choose a password (minimum 8 characters, NIST-compliant — no special character requirements)
- After setting their password, they're automatically logged in
- They see only what their role permits
Invite Expiry
Invite links expire after 72 hours. If an invite expires before the user accepts it, generate a new one:
dango auth reset-password [email protected]
Step 5: Manage Ongoing Access¶
Change a User's Role¶
dango auth change-role [email protected] admin
Deactivate a User¶
Deactivation preserves the user record but prevents login:
dango auth deactivate-user [email protected]
To reactivate later:
dango auth reactivate-user [email protected]
Reset a Password¶
dango auth reset-password [email protected]
Delete a User¶
dango auth delete-user [email protected]
Last Admin Protection
Dango prevents you from demoting, deactivating, or deleting the last admin account. There must always be at least one active admin.
Step 6: Deploy for Team Access (Optional)¶
For remote team access, deploy Dango to a cloud server:
The deploy wizard walks you through server provisioning. Once deployed, regenerate invite links with the server URL:
dango auth add-user [email protected] --role editor --base-url https://dango.yourcompany.com
See Deployment for the full deployment guide.
Step 7: Dashboard Sharing Workflow¶
Team members access dashboards through Metabase, which is integrated into the Dango web UI.
Share Dashboards¶
- Open the Dango web UI at
http://localhost:8800(or your server URL) - Log in with your credentials
- Navigate to Metabase via the sidebar
- Create dashboards in the "Shared" collection so all team members can see them
- Personal dashboards go in each user's personal collection
Export Dashboards¶
Save dashboard configurations to version control:
This exports dashboards and questions as YAML files under metabase/dashboards/ and metabase/questions/. See Save & Load Dashboards for details.
Step 8: Audit and Monitor¶
Track who's accessing your Dango instance:
# View recent auth events
dango auth audit
# Filter by date
dango auth audit --since 2024-01-15
# Filter by event type
dango auth audit --type login_success
# Limit results
dango auth audit --limit 20
See Audit Logging for the full list of audited events.
Troubleshooting¶
Locked Out¶
If all admin accounts are locked or passwords forgotten:
This creates a recovery admin account.
Expired Invite¶
Generate a new invite by resetting the user's password:
dango auth reset-password [email protected]
Wrong Role Assigned¶
Change the role at any time:
dango auth change-role [email protected] viewer
User Can't See Dashboards¶
- Verify their role with
dango auth list-users - Ensure dashboards are in the "Shared" collection in Metabase, not a personal collection
- Check that the user's account is active (not deactivated)
Summary¶
You've set up Dango for team access:
- Auth verified and admin account configured
- Team members added with appropriate roles
- Invite workflow for self-service password setup
- User management commands for ongoing access control
- Audit logging for security monitoring
Next Steps¶
- Authentication - Deep dive into auth configuration
- Users & Roles - Full permissions reference
- Deployment - Deploy for remote team access
- Audit Logging - Monitor access and changes