Permissions Matrix
Complete reference for Dango's role-based access control system.
Overview
Dango uses a role-based access control (RBAC) system with 3 roles and 29 permissions. Permissions follow a <domain>.<action> naming convention across 9 domains.
Authentication is always enabled by default for both local and cloud deployments. The initial admin account is created during dango init.
Roles
| Role | Permissions | Description |
| --- | --- | --- |
| Admin | All (wildcard `*`) | Full access to all features including user management and platform configuration |
| Editor | 19 permissions | Can sync sources, run dbt, create dashboards, manage notebooks, and view governance data |
| Viewer | 8 permissions | Read-only access to sources, models, dashboards, health, logs, notebooks, schedules, and governance |
Permission Matrix
The complete mapping of all 29 permissions to roles:
| Permission | Admin | Editor | Viewer | Description |
| --- | :---: | :---: | :---: | --- |
| source.view | ✓ | ✓ | ✓ | List sources, view status |
| source.view_credentials | ✓ | | | View OAuth tokens and secrets |
| source.sync | ✓ | ✓ | | Trigger a sync |
| source.manage | ✓ | ✓ | | Add, remove, or configure sources |
| csv.upload | ✓ | ✓ | | Upload CSV files |
| csv.delete | ✓ | ✓ | | Delete uploaded CSV files |
| dbt.view | ✓ | ✓ | ✓ | View dbt models and docs |
| dbt.run | ✓ | ✓ | | Trigger dbt runs |
| dbt.manage | ✓ | ✓ | | Add or remove dbt models |
| dashboard.view | ✓ | ✓ | ✓ | View Metabase dashboards |
| dashboard.create | ✓ | ✓ | | Create and edit dashboards |
| dashboard.manage | ✓ | | | Manage Metabase settings |
| query.execute | ✓ | ✓ | | Run ad-hoc SQL queries |
| health.view | ✓ | ✓ | ✓ | View platform health and status |
| logs.view | ✓ | ✓ | ✓ | View activity logs |
| platform.manage | ✓ | | | Start, stop, or configure platform |
| config.view | ✓ | ✓ | | View project configuration |
| config.manage | ✓ | | | Modify project configuration |
| users.view | ✓ | | | List users |
| users.manage | ✓ | | | Create, edit, or deactivate users |
| auth.manage | ✓ | | | Manage auth settings (2FA policy, etc.) |
| audit.view | ✓ | | | View audit logs |
| notebooks.view | ✓ | ✓ | ✓ | View notebooks |
| notebooks.execute | ✓ | ✓ | | Run notebook cells |
| notebooks.manage | ✓ | ✓ | | Create or delete notebooks |
| governance.view | ✓ | ✓ | ✓ | View PII reports and schema drift |
| governance.manage | ✓ | | | Configure governance rules |
| scheduler.view | ✓ | ✓ | ✓ | View scheduled jobs |
| scheduler.manage | ✓ | | | Create or edit schedules |
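The matrix above, encoded as data with a fail-closed permission check, as an added example (this is not Dango's own code; the permission names are the page's, the function and constant names are assumptions). The check validates the permission name before the Admin wildcard expands, so a mistyped permission raises instead of being silently granted, and it treats unknown roles as holding nothing.

```python
# Added example, not Dango's own code: the role/permission matrix on this page
# encoded as data, plus a fail-closed permission check that understands the
# Admin wildcard. Permission names are the page's; function names are assumed.
from __future__ import annotations

import re

# Editor's 19 permissions, copied from the matrix above.
EDITOR_PERMISSIONS: frozenset[str] = frozenset({
    "source.view", "source.sync", "source.manage",
    "csv.upload", "csv.delete",
    "dbt.view", "dbt.run", "dbt.manage",
    "dashboard.view", "dashboard.create", "query.execute",
    "health.view", "logs.view", "config.view",
    "notebooks.view", "notebooks.execute", "notebooks.manage",
    "governance.view", "scheduler.view",
})

# Viewer's 8 read-only permissions (a strict subset of Editor's).
VIEWER_PERMISSIONS: frozenset[str] = frozenset({
    "source.view", "dbt.view", "dashboard.view", "health.view",
    "logs.view", "notebooks.view", "governance.view", "scheduler.view",
})

# The 10 permissions only Admin holds.
ADMIN_ONLY_PERMISSIONS: frozenset[str] = frozenset({
    "source.view_credentials", "dashboard.manage", "platform.manage",
    "config.manage", "users.view", "users.manage", "auth.manage",
    "audit.view", "governance.manage", "scheduler.manage",
})

# Every permission the platform knows about (29 in total).
ALL_PERMISSIONS: frozenset[str] = EDITOR_PERMISSIONS | ADMIN_ONLY_PERMISSIONS

WILDCARD = "*"
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "admin": frozenset({WILDCARD}),
    "editor": EDITOR_PERMISSIONS,
    "viewer": VIEWER_PERMISSIONS,
}

_PERMISSION_RE = re.compile(r"^[a-z]+\.[a-z_]+$")


def validate_permission(permission: str) -> str:
    """Reject anything that is not a known <domain>.<action> permission.

    Validating before the wildcard expands keeps a typo such as
    "users.mangae" from silently matching an Admin "*" grant.
    """
    if not _PERMISSION_RE.match(permission) or permission not in ALL_PERMISSIONS:
        raise ValueError(f"unknown permission: {permission!r}")
    return permission


def permissions_for(role: str) -> frozenset[str]:
    """Expand a role into its concrete permission set (wildcard included)."""
    granted = ROLE_PERMISSIONS.get(role.lower(), frozenset())
    if WILDCARD in granted:
        return ALL_PERMISSIONS
    return granted


def has_permission(role: str, permission: str) -> bool:
    """Fail-closed check: unknown roles get nothing, unknown permissions raise."""
    validate_permission(permission)
    return permission in permissions_for(role)


def require_permission(role: str, permission: str) -> None:
    """Raise PermissionError unless the role holds the permission."""
    if not has_permission(role, permission):
        raise PermissionError(f"role {role!r} lacks {permission!r}")


if __name__ == "__main__":
    for role in ("admin", "editor", "viewer"):
        print(f"{role:>6}: {len(permissions_for(role))} permissions")
    print("viewer can sync sources:", has_permission("viewer", "source.sync"))
```

Keeping `ALL_PERMISSIONS` as the single source of truth means the wildcard can only ever expand to permissions the platform actually defines, and the counts (29, 19, 8) can be asserted against the matrix in a unit test.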
Permissions by Domain
Source (4 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| source.view | ✓ | ✓ | ✓ |
| source.view_credentials | ✓ | | |
| source.sync | ✓ | ✓ | |
| source.manage | ✓ | ✓ | |
CSV (2 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| csv.upload | ✓ | ✓ | |
| csv.delete | ✓ | ✓ | |
dbt (3 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| dbt.view | ✓ | ✓ | ✓ |
| dbt.run | ✓ | ✓ | |
| dbt.manage | ✓ | ✓ | |
Dashboard (4 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| dashboard.view | ✓ | ✓ | ✓ |
| dashboard.create | ✓ | ✓ | |
| dashboard.manage | ✓ | | |
| query.execute | ✓ | ✓ | |
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| health.view | ✓ | ✓ | ✓ |
| logs.view | ✓ | ✓ | ✓ |
| platform.manage | ✓ | | |
| config.view | ✓ | ✓ | |
| config.manage | ✓ | | |
Auth (4 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| users.view | ✓ | | |
| users.manage | ✓ | | |
| auth.manage | ✓ | | |
| audit.view | ✓ | | |
Notebooks (3 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| notebooks.view | ✓ | ✓ | ✓ |
| notebooks.execute | ✓ | ✓ | |
| notebooks.manage | ✓ | ✓ | |
Governance (2 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| governance.view | ✓ | ✓ | ✓ |
| governance.manage | ✓ | | |
Scheduler (2 permissions)
| Permission | Admin | Editor | Viewer |
| --- | :---: | :---: | :---: |
| scheduler.view | ✓ | ✓ | ✓ |
| scheduler.manage | ✓ | | |
Session & Security
Session Timeouts
Session timeouts are configured in the auth section of project.yml:
| Setting | Local Default | Cloud Default | Description |
| --- | --- | --- | --- |
| idle_timeout_minutes | 1440 (24 hours) | 60 (1 hour) | Session invalidated after this period of inactivity |
| session_max_days | 365 (1 year) | 30 (30 days) | Maximum session lifetime regardless of activity |
Info: Cloud defaults are set during dango deploy and differ from local defaults for security. You can customize both in project.yml.
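How the two timeouts combine, as an added example (not Dango's own code; the class and function names are assumptions, the default values are the table's). The idle timeout is measured from the last request and is refreshed by activity; the maximum lifetime is measured from login and is checked first, so activity can never extend a session past it.

```python
# Added example, not Dango's own code: evaluating a session against
# idle_timeout_minutes (since last request) and session_max_days (since login).
# Names are assumptions; the default values come from the table above.
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout_minutes: int
    session_max_days: int


# Defaults from the table above.
LOCAL_DEFAULTS = SessionPolicy(idle_timeout_minutes=1440, session_max_days=365)
CLOUD_DEFAULTS = SessionPolicy(idle_timeout_minutes=60, session_max_days=30)


@dataclass(frozen=True)
class Session:
    user_id: str
    created_at: datetime        # set at login, never changes
    last_activity_at: datetime  # advanced on each authenticated request


def session_state(session: Session, policy: SessionPolicy, now: datetime) -> str:
    """Return 'active', 'idle_expired' or 'max_lifetime_expired'.

    The absolute lifetime is checked first: a session past session_max_days is
    dead even if the user is clicking right now.
    """
    if now - session.created_at > timedelta(days=policy.session_max_days):
        return "max_lifetime_expired"
    if now - session.last_activity_at > timedelta(minutes=policy.idle_timeout_minutes):
        return "idle_expired"
    return "active"


def touch(session: Session, policy: SessionPolicy, now: datetime) -> Session | None:
    """Refresh the idle clock on a request; None if the session is no longer valid.

    Only an active session is refreshed, so a stale cookie presented after the
    idle window cannot revive itself.
    """
    if session_state(session, policy, now) != "active":
        return None
    return replace(session, last_activity_at=now)


def state_for(policy: SessionPolicy, minutes_since_login: int, minutes_since_activity: int) -> str:
    """Convenience: evaluate a session described by two ages in minutes (constructed clock)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    session = Session("demo",
                      created_at=now - timedelta(minutes=minutes_since_login),
                      last_activity_at=now - timedelta(minutes=minutes_since_activity))
    return session_state(session, policy, now)


if __name__ == "__main__":
    login = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    s = Session("alice", created_at=login, last_activity_at=login)
    s = touch(s, CLOUD_DEFAULTS, login + timedelta(minutes=30))  # refreshed
    print(session_state(s, CLOUD_DEFAULTS, login + timedelta(minutes=100)))
    print(state_for(LOCAL_DEFAULTS, 31 * 24 * 60, 1), state_for(CLOUD_DEFAULTS, 31 * 24 * 60, 1))
```

The same session (31 days old, used a minute ago) is still active under the local defaults but has hit `session_max_days` under the cloud defaults, which is exactly the difference the table describes.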
Account Lockout
| Setting | Default | Description |
| --- | --- | --- |
| max_attempts | 5 | Failed login attempts before account is locked |
| lockout_minutes | 15 | Duration of account lockout |
Locked accounts can be unlocked by an admin via POST /api/admin/users/{user_id}/unlock.
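A lockout tracker implementing the defaults above, as an added example (not Dango's own code; the class, method and scenario names are assumptions). The point worth seeing in code is ordering: a locked account is refused before the password is checked, so a correct password submitted during the lockout window does not log the user in, and a successful login resets the failure counter.

```python
# Added example, not Dango's own code: account lockout with the defaults above
# (5 failed attempts, 15-minute lockout) and an admin unlock hook that does
# server-side what the unlock endpoint mentioned above would do. Names assumed.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class LoginState:
    failures: int = 0
    locked_until: datetime | None = None


@dataclass
class LockoutTracker:
    max_attempts: int = 5
    lockout_minutes: int = 15
    _state: dict[str, LoginState] = field(default_factory=dict)

    def _get(self, user_id: str) -> LoginState:
        return self._state.setdefault(user_id, LoginState())

    def is_locked(self, user_id: str, now: datetime) -> bool:
        st = self._get(user_id)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout has elapsed: clear it and start counting afresh.
            self._state[user_id] = LoginState()
            return False
        return True

    def attempt(self, user_id: str, password_ok: bool, now: datetime) -> str:
        """Outcome of one login attempt: 'ok', 'failed', 'locked' or 'locked_now'.

        A locked account is refused before the password is considered, so a
        correct guess during the lockout window does not get through.
        """
        if self.is_locked(user_id, now):
            return "locked"
        st = self._get(user_id)
        if password_ok:
            self._state[user_id] = LoginState()  # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + timedelta(minutes=self.lockout_minutes)
            return "locked_now"
        return "failed"

    def admin_unlock(self, user_id: str) -> None:
        """Clear the lock and counter, as an admin unlock would."""
        self._state[user_id] = LoginState()


def run_scenario(steps: list[tuple[int, object]]) -> list[str]:
    """Replay (minutes_offset, action) steps for one constructed user.

    action is True/False for a correct/incorrect password, or "unlock" for an
    admin unlock. Returns the outcome of each step.
    """
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    tracker = LockoutTracker()
    results: list[str] = []
    for minutes, action in steps:
        now = t0 + timedelta(minutes=minutes)
        if action == "unlock":
            tracker.admin_unlock("alice")
            results.append("unlocked")
        else:
            results.append(tracker.attempt("alice", bool(action), now))
    return results


if __name__ == "__main__":
    print(run_scenario([(0, False)] * 5 + [(1, True), (16, True)]))
```

Note that the lockout is keyed by account, not by source address, so it complements rather than replaces the per-IP rate limit on the login endpoint described below.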
Rate Limiting
| Endpoint Group | Default Limit | Window |
| --- | --- | --- |
| Login (/api/auth/login) | 10 requests | 60 seconds |
| General API | 200 requests | 60 seconds |
Rate limiting is enabled by default. Localhost requests are exempt. Configure trusted proxy IPs via auth.rate_limit.trusted_proxies for correct client IP detection behind a reverse proxy.
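The limiter and the trusted-proxy rule above, as an added example (not Dango's own code; the class names, the `10.0.0.0/8` proxy range and the sample addresses are constructed). The security-relevant part is `client_ip`: `X-Forwarded-For` is only consulted when the direct peer is a configured trusted proxy, and it is walked from the right so that a client cannot claim a localhost address (and the exemption that comes with it) by writing its own header.

```python
# Added example, not Dango's own code: sliding-window rate limiting with the
# defaults above (login 10/60s, general 200/60s), the localhost exemption, and
# client-IP resolution that honours X-Forwarded-For only behind a trusted
# proxy. Class names, proxy ranges and sample addresses are constructed.
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field

LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def _parse(ip: str):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None


def client_ip(peer_ip: str, x_forwarded_for: str | None, trusted_proxies) -> str:
    """Resolve the real client address.

    If the direct peer is not a trusted proxy the header is ignored: anyone can
    write anything into it. Otherwise walk X-Forwarded-For from the right (the
    hop nearest us), skipping trusted proxies; the first untrusted, well-formed
    address is the client. Proxies append the address they actually saw, so a
    header the client forged ends up to the left of its real address.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        addr = _parse(ip)
        return addr is not None and any(addr in net for net in trusted)

    if not is_trusted(peer_ip) or not x_forwarded_for:
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop) and _parse(hop) is not None:
            return hop
    return peer_ip  # header contained only our own proxies or garbage


def is_localhost(ip: str) -> bool:
    addr = _parse(ip)
    return addr is not None and any(addr in net for net in LOOPBACK)


@dataclass
class SlidingWindowLimiter:
    limit: int
    window_seconds: int
    _hits: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ApiRateLimiter:
    """Per-client limits for the two endpoint groups in the table above."""

    def __init__(self, trusted_proxies=()):
        self.trusted_proxies = tuple(trusted_proxies)
        self.login = SlidingWindowLimiter(limit=10, window_seconds=60)
        self.general = SlidingWindowLimiter(limit=200, window_seconds=60)

    def check(self, path: str, peer_ip: str, x_forwarded_for: str | None, now: float) -> bool:
        ip = client_ip(peer_ip, x_forwarded_for, self.trusted_proxies)
        if is_localhost(ip):
            return True  # localhost requests are exempt
        limiter = self.login if path == "/api/auth/login" else self.general
        return limiter.allow(ip, now)


if __name__ == "__main__":
    lim = ApiRateLimiter(trusted_proxies=["10.0.0.0/8"])
    # 11th login attempt from the same client within 60 s is refused.
    print([lim.check("/api/auth/login", "198.51.100.7", None, 1000.0 + i) for i in range(11)])
```

If the proxy list is left empty while the service sits behind a reverse proxy, every request keys on the proxy's address and one bucket is shared by all users; if it is too broad, clients can pick their own bucket. Setting `auth.rate_limit.trusted_proxies` to exactly the proxy addresses is what makes the limit meaningful.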
Two-Factor Authentication (2FA)
- Optional by default (`require_2fa: false`)
- When enabled globally, all users must set up TOTP before accessing the platform
- Uses TOTP (Time-based One-Time Password) with standard authenticator apps
- Recovery codes are generated during 2FA setup
API Key Authentication
API keys provide programmatic access without interactive login.
Key format:
`dango_ak_<32-character-url-safe-random-token>`
- Prefix: `dango_ak_` (used to identify Dango API keys)
- Display prefix: first 12 characters shown for identification (e.g., `dango_ak_XYZ`)
- Storage: only a SHA-256 hash is stored in the database; the raw key is shown once at creation
Usage
Include the API key as a Bearer token in the Authorization header:
```bash
curl -H "Authorization: Bearer dango_ak_..." http://localhost:8800/api/sources
```
Key Properties
| Property | Default | Description |
| --- | --- | --- |
| Expiry | None (never expires) | Optional per-key expiry date |
| Scope | Full user permissions | Key inherits all permissions of the associated user |
| Revocation | Manual | Revoke via API or admin UI |
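Issuing and verifying a key with the properties described in this section, as an added example (not Dango's own code; the record and function names are assumptions, and timestamps are plain epoch seconds for simplicity). It shows the parts that matter for storage and lookup: the raw key is returned once and only its SHA-256 hash is kept, the 12-character display prefix is derived from the raw key, lookup compares hashes in constant time, and revocation and expiry are enforced before the owning user (and thus their permissions) is returned.

```python
# Added example, not Dango's own code: issuing and verifying an API key with
# the properties above (dango_ak_ prefix, 32-char url-safe token, 12-char
# display prefix, SHA-256 hash at rest, optional expiry, manual revocation,
# permissions inherited from the owning user). Names are assumptions; time is
# epoch seconds.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_PREFIX = "dango_ak_"
DISPLAY_PREFIX_LEN = 12


@dataclass
class ApiKeyRecord:
    key_id: str
    user_id: str
    display_prefix: str          # first 12 chars, safe to show in the admin UI
    key_hash: str                # hex SHA-256 of the full raw key
    expires_at: float | None = None  # epoch seconds; None means never expires
    revoked: bool = False


def hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("ascii")).hexdigest()


def issue_api_key(user_id: str, key_id: str, now: float,
                  ttl_seconds: int | None = None) -> tuple[str, ApiKeyRecord]:
    """Return (raw_key, record). The raw key is shown once and never stored."""
    raw_key = KEY_PREFIX + secrets.token_urlsafe(24)  # 24 random bytes -> 32 url-safe chars
    record = ApiKeyRecord(
        key_id=key_id,
        user_id=user_id,
        display_prefix=raw_key[:DISPLAY_PREFIX_LEN],
        key_hash=hash_key(raw_key),
        expires_at=None if ttl_seconds is None else now + ttl_seconds,
    )
    return raw_key, record


def bearer_token(authorization_header: str | None) -> str | None:
    """Extract the token from 'Authorization: Bearer <token>', else None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def verify_api_key(raw_key: str | None, records: list[ApiKeyRecord], now: float) -> str | None:
    """Return the owning user_id for a valid key, else None.

    Lookup is by hash with a constant-time comparison. The key carries no
    permissions of its own; the caller applies the owning user's role next.
    """
    if not raw_key or not raw_key.startswith(KEY_PREFIX):
        return None
    candidate = hash_key(raw_key)
    for rec in records:
        if not hmac.compare_digest(rec.key_hash, candidate):
            continue
        if rec.revoked:
            return None
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        return rec.user_id
    return None


def authenticate_request(authorization_header: str | None,
                         records: list[ApiKeyRecord], now: float) -> str | None:
    """Header in, user_id out (or None): the check a request handler would run."""
    return verify_api_key(bearer_token(authorization_header), records, now)


if __name__ == "__main__":
    raw, rec = issue_api_key("alice", "key-1", now=1_700_000_000.0)  # constructed clock
    print("show once:", raw)
    print("stored:", rec)
    print("auth:", authenticate_request("Bearer " + raw, [rec], 1_700_000_001.0))
```

Because only the hash is stored, a database read cannot recover usable keys; the display prefix exists so an admin can tell keys apart in the UI without that exposure.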