Personal Account Best Practices

Follow these guidelines to keep Personal Accounts secure and well-managed.

Least Privilege Principle

  • Assign the Member role by default — only elevate to Manager or Admin when explicitly needed
  • Scope team membership to only the datastores the user needs to access
  • Conduct recurring access reviews to remove unnecessary permissions
  • Document justification for any elevated roles

Role Assignment

Do:

  • Start with the most restrictive role and escalate only when needed.
  • Use Manager for users who need to create datastores and manage global assets.
  • Reserve Admin for platform administrators responsible for user and team management.

Don't:

  • Grant Admin to all users for convenience.
  • Share accounts between multiple people.

Team Management

  • Organize teams around functional boundaries (e.g., "Data Engineering", "Data Quality", "Analytics")
  • Assign datastores to teams rather than relying on the Public team for everything
  • Remove users from teams when they change roles or responsibilities
  • Use the Public team only for datastores that should be accessible to everyone

User Lifecycle

  • Deactivate users promptly when they leave the organization or change roles
  • Review deactivated users periodically and clean up accounts that will not be reactivated
  • Use Directory Sync to automate user provisioning and de-provisioning through your identity provider

Token Hygiene

  • Encourage users to create Personal Access Tokens for API access instead of sharing credentials
  • Set appropriate token expiration periods
  • Never use Personal Access Tokens for production pipelines — use Service Users instead
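
The recurring access review from the Least Privilege section and the token checks above can be run as a script over an export of users and tokens. The following is an added example, not code from this page or from the platform it describes: it assumes a hypothetical JSON-style export with the field names shown (name, role, teams, status, justification, deactivated_at for users; owner, id, created, expires for tokens), which are assumptions rather than the platform's real API, and the sample records and policy thresholds are constructed for illustration.

```python
"""Access-review checker for Personal Accounts and their tokens.

Added example; the export format and field names are assumptions, not the
platform's API. Flags: elevated roles without a documented justification,
active users with no team beyond Public, deactivated users past the cleanup
window, tokens that never expire or outlive the maximum lifetime, and live
tokens whose owner is no longer active.
"""
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed values; tune to your organisation's policy)
MAX_TOKEN_LIFETIME = timedelta(days=90)
DEACTIVATED_RETENTION = timedelta(days=180)
ELEVATED_ROLES = {"Manager", "Admin"}

# Fixed "now" so the example is deterministic
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample export: not real accounts or tokens
USERS = [
    {"name": "alice", "role": "Member", "teams": ["Data Engineering"],
     "status": "active", "justification": None, "deactivated_at": None},
    {"name": "bob", "role": "Admin", "teams": ["Public"],
     "status": "active", "justification": None, "deactivated_at": None},
    {"name": "carol", "role": "Manager", "teams": ["Data Quality"],
     "status": "active", "justification": "Creates DQ datastores (ticket DQ-12)",
     "deactivated_at": None},
    {"name": "dave", "role": "Member", "teams": [],
     "status": "deactivated", "justification": None,
     "deactivated_at": "2023-09-01T00:00:00+00:00"},
]
TOKENS = [
    {"owner": "alice", "id": "t1", "created": "2024-05-01T00:00:00+00:00",
     "expires": "2024-07-01T00:00:00+00:00"},           # 61-day lifetime: fine
    {"owner": "bob", "id": "t2", "created": "2024-01-01T00:00:00+00:00",
     "expires": None},                                   # never expires
    {"owner": "carol", "id": "t3", "created": "2024-01-01T00:00:00+00:00",
     "expires": "2024-12-31T00:00:00+00:00"},           # 365 days > policy
    {"owner": "dave", "id": "t4", "created": "2023-08-01T00:00:00+00:00",
     "expires": "2024-08-01T00:00:00+00:00"},           # owner is deactivated
]


def _parse(ts):
    """Parse an ISO-8601 timestamp, or return None when the field is empty."""
    return datetime.fromisoformat(ts) if ts else None


def review(users, tokens, now=NOW):
    """Return a list of (account, rule, detail) findings for the review."""
    findings = []
    by_name = {u["name"]: u for u in users}

    for u in users:
        if u["status"] == "active":
            # Elevated role must carry a documented justification
            if u["role"] in ELEVATED_ROLES and not u.get("justification"):
                findings.append((u["name"], "elevated-role-without-justification", u["role"]))
            # Membership should be scoped to real teams, not only Public
            if not [t for t in u["teams"] if t != "Public"]:
                findings.append((u["name"], "no-scoped-team", ",".join(u["teams"]) or "<none>"))
        elif u["status"] == "deactivated":
            since = _parse(u.get("deactivated_at"))
            if since and now - since > DEACTIVATED_RETENTION:
                findings.append((u["name"], "deactivated-past-retention", f"{(now - since).days}d"))

    for t in tokens:
        owner = by_name.get(t["owner"])
        # A token whose owner is missing or inactive should not remain usable
        if owner is None or owner["status"] != "active":
            findings.append((t["owner"], "token-for-inactive-user", t["id"]))
            continue
        created, expires = _parse(t["created"]), _parse(t["expires"])
        if expires is None:
            findings.append((t["owner"], "token-never-expires", t["id"]))
        elif expires - created > MAX_TOKEN_LIFETIME:
            findings.append((t["owner"], "token-lifetime-too-long",
                             f"{t['id']}:{(expires - created).days}d"))
    return findings


if __name__ == "__main__":
    for account, rule, detail in review(USERS, TOKENS):
        print(f"{account:8} {rule:38} {detail}")
```

Each finding names the account, the rule it breaks and enough detail to act on it; feeding a real export in the same shape turns this into the periodic review the guidelines call for, and adding a rule is a matter of appending one more check to `review`.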

Tip

For production automation and shared workflows, always use a Service User instead of a Personal Account.