Service User Permissions
This page covers the roles and permissions required to create and manage Service Users.
Workspace-Level Only
Service User management is a global platform feature. Only users with the Admin role can create, manage, and maintain Service Users. Team Permissions do not apply to Service User management itself — only to the resources a Service User can access after creation.
User Roles (Workspace-Level)
Only Administrators can create, manage, and maintain Service Users. This ensures centralized control over automated system access.
| Action | Member | Manager | Admin |
|---|---|---|---|
| Create a Service User | | | |
| View Service Users | | | |
| Generate Service Token | | | |
| Revoke Service Token | | | |
| Delete Service Token | | | |
| Assign Roles to Service User | | | |
| Assign Teams to Service User | | | |
Role-Based Access for Service Users
Service Users themselves can be assigned any of the following roles, which control what the account can access:
| Role | Access Level |
|---|---|
| Admin | Full platform access, including user management and settings. Bypasses team permissions. |
| Manager | Create datastores, manage connections, tags, integrations, and library content. Subject to team permissions for datastore content. |
| Member | Standard access — actions are scoped by team permissions (Editor, Author, Drafter, Viewer, Reporter). |
Tip
Apply the Least Privilege Principle — assign only the minimum role required for the Service User's intended use case. For example, a metadata sync integration typically only needs the Member role.
Team Membership
Service Users can be assigned to specific teams to scope their access:
- The Public team is automatically included for all Service Users
- Additional teams can be assigned during creation or updated later
- Team membership determines which datastores and resources the Service User can access
API Permissions
| Endpoint | Method | Required Role | Description |
|---|---|---|---|
| /users | POST | Admin | Create a Service User. |
| /users/{id} | PUT | Admin | Update role or team assignments. |
| /users/{id} | DELETE | Admin | Deactivate a Service User. |
| /user-tokens | POST (with user_id) | Admin | Generate a Service Token for a Service User. |
| /user-tokens/service | GET | Admin | List all Service Tokens across Service Users. |
Team Permissions
For detailed information about team-level permissions (Editor, Author, Drafter, Viewer, Reporter), refer to the Team Permissions documentation.
Full User Roles Reference
For the complete User Roles matrix across all Qualytics features, see the User Roles page.