Team Best Practices
Follow these guidelines to keep your teams well-organized and secure.
Team Organization
- Organize teams around functional boundaries (e.g., "Data Engineering", "Data Quality", "Analytics").
- Use descriptive names that clearly indicate the team's purpose and scope.
- Keep team sizes manageable — smaller, focused teams are easier to audit and maintain.
- Create teams for individual users — use team-level access, not user-level.
- Assign all datastores to the Public team — this defeats the purpose of team-based access control.
Permission Assignment
- Assign the least privilege permission level needed for the team's work
- Use Viewer or Reporter for teams that only need read access
- Use Editor only for teams that need full datastore management capabilities
- Review and update permissions when team responsibilities change
Public Team Usage
- The Public team is meant for datastores that should be accessible to everyone in the organization
- Avoid assigning sensitive datastores to the Public team
- If users need no default access, keep the Public team with no datastores assigned
Membership Strategy
- Add Service Users to teams to scope their access to specific datastores
- Use Directory Sync to automate team assignments from your identity provider
- For more details on how team membership works with service users, see the Team Membership Strategy documentation
Regular Audits
- Periodically review team membership to ensure users still belong to the correct teams
- Remove users from teams when they change roles or responsibilities
- Review which datastores are assigned to each team to avoid unnecessary exposure