Promote Permissions
This page covers the roles and permissions required to run promote operations across containers and datastores.
Two Permission Systems
Qualytics has two separate role systems. User Roles (Member, Manager, Admin) control what a user can do across the entire workspace. Team Permissions (Reporter, Viewer, Drafter, Author, Editor) control what a user can do on specific datastores they have access to through team membership. The systems are independent — a user needs the right combination of both to run a promote operation.
The Gate: Editor on Both Sides
Every promote operation — Quality Checks, Computed Fields, Computed Tables, Computed Files — uses the same single gate at the backend: the user must have Editor team permission on both the source and the destination.
| Promote Type | Required Team Permission (source) | Required Team Permission (destination) |
|---|---|---|
| Quality Checks | Editor | Editor |
| Computed Fields | Editor | Editor |
| Computed Tables | Editor | Editor |
| Computed Files | Editor | Editor |
Users with Reporter, Viewer, Drafter, or Author team permissions cannot run any promote operation, even if they can view the source assets.
Source and Destination Are Both Checked
Promote is unique among operations because it involves two assets — the source container/datastore and the destination container/datastore. The platform enforces team-permission checks on both sides before the operation is enqueued:
- The user must have Editor team permission on the source container or datastore.
- The user must have Editor team permission on the destination container or datastore.
If either side fails the check, the API returns 403 Forbidden and the operation is not started.
Common Pitfall
A user who can see and edit the source datastore but lacks Editor permission on the destination cannot promote. Verify both team memberships before troubleshooting permission errors.
User Roles (Workspace-Level)
| Action | Member | Manager | Admin |
|---|---|---|---|
| Run a promote operation | |||
| View promote operation results | |||
| Abort a running promote operation |
The user role gate is Member or higher. The actual access control happens through team permissions (see below).
Team Permissions (Asset-Level)
| Action | Reporter | Viewer | Drafter | Author | Editor |
|---|---|---|---|---|---|
| Run any promote operation | |||||
| View promotion results |
How Both Layers Work Together
To run any promote operation, a user must satisfy all of the following:
- User Role: At least Member at the workspace level.
- Source Team Permission: Editor on the source container or datastore.
- Destination Team Permission: Editor on the destination container or datastore.
Admin Bypass
Users with the Admin workspace role bypass all team-permission checks and can promote between any source and destination, regardless of team membership.
Audit Trail
Every promote operation records the user who triggered it. This information is preserved in two places:
- The
triggered_byfield on the promote operation, visible on the Activity page. - The version history of every entity created or updated by the promotion records the promote operation as the author, so changes are attributable to the promotion rather than to a manual edit.
Full Permissions Reference
For the complete permissions and roles matrix across all Qualytics features, see the Team Permissions page.