Access Control & Permissions

Manage report access

In Mode's paid plans admins can use a combination of private Collections and database connection permissions to control view and edit access to reports in their Workspace:

  • a Workspace member must have query access to all database connections used by a report in order to edit or clone that report.
  • a Workspace member must have view access to all database connections used by a report in order view that report.
  • If a report is in a private Collection, it can only be accessed by the members of that Collection.

Create Groups

Use Groups to manage access to resources in Mode. By granting an individual user membership to a Group, you grant them access to resources based on their Group membership. Each Group in Mode can be configured with a unique set of permissions. Mode’s permission system gives you the flexibility to change the role of an individual user by adding or removing that user to or from different Groups.

You can create Groups by navigating to

Workspace Settings

and clicking into the


tab. Select a Group from the list to manage its members.

From here, selecting the




tabs will provide visibility into which Collections and Connections a Group can access.



To programmatically provision Groups and Users in Mode, talk to your CSM about implementing Okta SCIM.


Admins in Mode have the highest level of access to all resources by default. Only make users Admins if they are authorized to manage all groups, connections, collections and reports in Mode.

Set Up Connection Permissions

Access to a Connection determines a user’s ability to query and view data in Mode. Manage access to Connections by navigating to

Workspace Settings

, clicking into the

Manage Connections

tab, selecting a Connection and clicking the



View Current Connection Access

For each Connection, you will see the default org-wide access at the top. This is the access that every member of your Workspace has to the Connection by default. Below that, you will see a list of users with additional access, along with their access level and how they got that access — they can have access via Group permissions, individual permissions or their status as an Admin. Use the filter dropdowns to show a list of individual users or Groups with access to the Connection.


Manage Connection Permissions

Manage the default access level for the Connection by updating the setting to








: Set


as the default access level for Connections that are used to build heavily trafficked reports. For connections to data sources that contain sensitive data that only certain Groups should view, set the default access to


and grant those Groups access using the

Add members




: Updating a Connection’s default access to


may cause users to lose view or edit access to Reports they could previously access. We recommend adding the Groups who should have access to view & query the Connection before changing the default access.

To grant permissions for individuals and Groups in addition to the default access, use the

Add members

button. This will surface the modal shown below.


There are three types of permissions that can be granted to an individual or Group:







  • The


    permission allows users to manage Connection settings without making them an Admin. This includes managing permissions. Only grant the


    permission to non-Admin users who should be able to change permissions or settings for the Connection.
  • The


    permission allows users to write & modify queries against the Connection. Only users with this permission can create and edit Reports using this Connection.
  • The


    permission allows users to view Reports created using the Connection. This includes the ability to use parameters and run Reports.


: All Admins have


permission for all Connections, regardless of the default access set for a Connection ー this permission cannot be modified. When a user is removed as an Admin, they will lose access to all Connections, unless they are granted permissions via a Group or as an individual user.


How do Collection and Connection permissions determine Report access for users?

Users must both have permission for the Connections used in a Report and the Collection that contains a Report in order to access the Report. For example, if a user has view permission for all Connections used in a Report but is not a member of the private Collection containing the Report, they will be unable to view the Report. They must have access to both.

What will users see if they don’t have access to view or edit a Report I share with them?

If users do not have access to view a Report, they will see a screen with the message below: Permissions6 If users do not have access to edit a Report, they will be able to view the Report, without the link to take them to the editor. Users with view access can still run the Report and subscribe to existing schedules. They cannot create new schedules.

If the Connection default access is set to “None,” only 1 user has “Query” permission, and they create a Report in a public Collection, would anyone be able to see it or edit it?

If default access is “None,” only users who have been granted access will be able to take the associated actions.

  • Query: Write queries against Connection, edit & create Reports using the Connection
  • View: View and explore Reports created on that Connection

If only one user has “Query” permission to the Connection, all other users will be able to view the Report but they will not be able to edit the Report.

Was this article helpful?

decorative particle

Get our weekly data newsletter

Work-related distractions for every data enthusiast.