Members and roles
Every member of a Flynt organisation has a role that decides what they can do, from read-only viewing up to billing and security. This page explains the tier ladder, how a member's role is set, and how to build custom roles.
The tier ladder
Flynt ships eight system roles. Each tier includes everything below it and adds a capability layer on top.
| Tier | Name | Adds |
|---|---|---|
| T1 | Viewer | View cards, dashboards, suites and folders; manage own favourites; read the data dictionary. |
| T2 | Explorer | Build and share cards, dashboards and suites from approved datasets; duplicate content; preview the app as a lower tier. |
| T3 | Creator | Create folders, organise content into them, and share them with others. |
| T4 | Builder | Write SQL: create, edit and publish datasets; certify content and take part in peer review; write the data dictionary; see own query history. |
| T5 | Designer | Free-form canvas dashboards, decoration and free-form cards, and full theme control. |
| T6 | Architect | Org-wide architecture: manage connectors and cache schedules, set guardrails, configure peer review, see and take over any content (including datasets whose author has left), watch and stop live queries, mark content sensitive, view the app as a specific user. |
| T7 | Administrator | People: invite members, assign roles, create custom roles and groups, view the plan, read the audit log, run GDPR export and deletion, see backup status. |
| T8 | Owner | Billing and security: manage the subscription and seats, authentication settings, IP allow and block lists, email domain blocklist, and edit any role. |
How a member's role is set
A member's role comes from one of two places:
- Per-user assignment. On the Members & roles page (Admin area) each member has an assigned-role dropdown. Whatever you pick there is that member's role -- a system tier or a custom role. Requires the Administrator tier (T7) or above.
- The default from your identity provider. Until a member has an assigned role, their sign-in role decides: organisation admins act as Administrator (T7), ordinary members as Explorer (T2). The Members & roles page shows these as "Unassigned" alongside the sign-in role.
A per-user assignment always overrides the default, in both directions -- you can promote a member to Builder or restrict an admin to Viewer.
To bring new people in, see Inviting and seats; invitees arrive with the role you chose at invite time, so most members never sit on the default.
Custom roles
If no tier fits -- say a Builder who must not certify content -- create a custom role. Requires the Administrator tier (T7) or above.
- A custom role is a named set of permissions picked from the same catalogue the system tiers use.
- The ceiling rule: you can only grant permissions you yourself hold. An Administrator cannot mint a role that includes Owner-only billing permissions; only an Owner can build or edit such a role.
- System roles are immutable. T1 to T8 cannot be edited or deleted; if you want a variant, create a custom role.
- A custom role cannot be deleted while anyone is assigned to it -- reassign those members first.
Reviewer designation
Whether a member acts as a peer reviewer is a separate switch, not a tier. A Builder is not automatically a reviewer; an Administrator marks a member as one on the Members & roles page. See Certification and peer review.
Good to know
- Flynt refuses a role change that would demote the last assigned member who can manage people, so an organisation cannot lock itself out of administration in one click.
- Moving a member into a tier whose seats are full is refused until a seat is free or bought -- see Inviting and seats.
- Every role assignment and role edit is recorded in the audit log (Audit, backups and GDPR).