Access control

Overview

Access Control in Go Fig governs who can view, edit, and manage resources across your organization, teams, projects, and data through hierarchical permissions, role-based access control (RBAC), and data-level security. Permission Hierarchy:

Organization → Team → Project → Data/Dashboards/Workflows

Inheritance: Organization Admins access everything. Team Admins access all team content. Project Owners access all project content. Team Members only access shared/published content.

Organization Roles

Role	Key Permissions	Use Case
Organization Admin	Manage billing, create teams, view all data, add/remove users, configure SSO	C-level executives, IT admins
Organization Member	Access assigned teams only	All employees, contractors

Organization Admin Capabilities

Organization Management: Settings, billing, SSO, branding
User Management: Invite/remove users, assign roles, create teams, view audit logs
Security & Compliance: Configure security policies, manage API keys, data retention, export logs
Data Governance: Global data policies, manage all data sources, monitor usage

Access at Settings → Organization (Admins only)

Organization Member Capabilities

Can access assigned teams, view own profile, and update personal settings. Cannot view org settings/billing, access unassigned teams, manage users, or view org-wide analytics.

Organization Members can be Team Admins. Organization role is separate from team roles.

Team Roles

Role	Key Permissions	Use Case
Team Admin	Manage settings, add/remove members, access all projects	Department heads, team leads
Team Member	Access shared/published projects, create own projects	Analysts, engineers, contributors
Team Guest	View-only specific published content	External consultants, contractors

Team Admin Capabilities

Member Management: Add/remove members, assign roles, manage permissions
Settings & Policies: Configure publishing permissions, default project permissions, Team Page customization, team connectors
Project Oversight: View all projects (including private), access any project, transfer ownership, delete projects
Analytics: Team-wide usage metrics, member activity, content inventory, growth trends

Team Member Capabilities

Can create private projects, access shared/published content, collaborate in real-time, and publish content (if policy allows). Cannot view others’ private projects (unless shared), manage team, access analytics, or delete others’ projects.

Team Guest Capabilities

Can view specific published content, export data (if allowed), and add comments (if allowed). Cannot create projects, edit content, access Team Pages directly, or see team members/projects.

Project Permissions

See Sharing Projects for details. Quick Reference:

Owner: Full control (share, delete, transfer ownership)
Editor: Edit and create assets (cannot share or delete project)
Viewer: Read-only (view, run, export only)

Data-Level Security

Row-Level Security (RLS)

Restrict rows users see based on user attributes (e.g., sales reps see only their region). Configuration: Define data attributes → Create RLS rules mapping user to data attributes → Rules auto-apply Example: user.region = data.region means users only see rows matching their assigned region. Access at Data Source → Settings → Row-Level Security

Column-Level Security

Hide sensitive columns from specific users/roles (e.g., hide salary from non-managers). Configuration: Select data source → Choose columns to restrict → Specify which roles can view Access at Data Source → Settings → Column-Level Security

Managing Roles

Adding Users

Invite users

Settings → Users → Invite Users. Enter emails, assign organization role and teams, then send invitations.

Changing Roles

Organization: Settings → Users → Find user → Click role dropdown → Select new role
Team: Team → Settings → Members → Find user → Click role dropdown → Select new role

Removing Users

From Organization: Settings → Users → Remove (loses all access)
From Team: Team → Settings → Members → Remove from Team (keeps other teams)

Best Practices

Least Privilege: Start with lower roles and elevate as needed.

Getting started

Centralize your data

Workflows

Dashboards

Collaboration

Overview

Organization Roles

Organization Admin Capabilities

Organization Member Capabilities

Team Roles

Team Admin Capabilities

Team Member Capabilities

Team Guest Capabilities

Project Permissions

Data-Level Security

Row-Level Security (RLS)

Column-Level Security

Managing Roles

Adding Users

Changing Roles

Removing Users

Best Practices

Getting started

Centralize your data

Workflows

Dashboards

Collaboration

​Overview

​Organization Roles

​Organization Admin Capabilities

​Organization Member Capabilities

​Team Roles

​Team Admin Capabilities

​Team Member Capabilities

​Team Guest Capabilities

​Project Permissions

​Data-Level Security

​Row-Level Security (RLS)

​Column-Level Security

​Managing Roles

​Adding Users

​Changing Roles

​Removing Users

​Best Practices

Overview

Organization Roles

Organization Admin Capabilities

Organization Member Capabilities

Team Roles

Team Admin Capabilities

Team Member Capabilities

Team Guest Capabilities

Project Permissions

Data-Level Security

Row-Level Security (RLS)

Column-Level Security

Managing Roles

Adding Users

Changing Roles

Removing Users

Best Practices