Example Role Assignments
This page provides real-world examples of how to assign Tamr Cloud roles to common user types. Each example follows the principle of least privilege — granting users only the minimum access required to do their jobs.
The examples are based on an organization that stores data in Snowflake and that is using a B2B Customers data product with a System of Record. This organization curates data in Curator Hub.
For reference documentation on each role type, see:
Business User Example
Anita is a sales operations analyst who uses the B2B Customers 360 pages to look up mastered account data and occasionally suggests merges when she spots obvious duplicates. She does not need to configure anything in the system.
| Level | Role | Notes |
|---|---|---|
| Tenant | No role | Anita is assigned No Role at the tenant level (least privilege). She does not have access to tenant admin settings, API keys, or global user management. |
| Connection | No role | Anita is not assigned a Connection role. As a business user, she consumes 360-page data and has no need to add sources or configure publish destinations. |
| Project | No role | Anita does not need a Project role. Instead, she is granted a role directly on specific data products. She can see the project name in the Projects menu because she has a data product role inside it, but cannot view sources, configure workflows, or take any project-level actions. |
| Data product | Viewer | Anita is assigned the Viewer role on the B2B Customers data product. She can view 360 pages. She can also suggest merges from 360 pages — available to all users with any project or data product access. |
Data Steward Example
Priya is a data steward responsible for ensuring the quality of the B2B Customers data product. She reviews suspected duplicates in the Curator Hub, overrides incorrect attribute values, and resolves curation tasks — but she does not configure pipelines or publish data.
| Level | Role | Notes |
|---|---|---|
| Tenant | No role | Priya is assigned No Role at the tenant level (least privilege). She does not have access to tenant admin settings, API keys, or global user management. |
| Connection | No role | Priya is not assigned a Connection role. As a data steward, she has no need to add sources or configure publish destinations. |
| Project | No role | Priya does not require a project role. Instead, she is granted a role directly on specific data products. She can see the project name in the Projects menu because she has a data product role inside it, but cannot view sources, configure workflows, or take any project-level actions. |
| Data product | Curator, Viewer | Priya is assigned the Curator and Viewer roles for the B2B Customers data product. She can access Curator Hub to review and resolve curation queue items for this data product, and view all of its records. |
Project Manager Example
James is a project manager overseeing a Healthcare Providers mastering initiative. He needs to add and configure data sources, create data products, monitor jobs, and share data product access with stakeholders — but he does not need to create connections or manage webhook integrations.
Inherited roles are shown in italics.
| Level | Role | Notes |
|---|---|---|
| Tenant | Editor | As a Tenant Editor, James can add sources and data products, view connections in the Admin Center, view and manage jobs, and access the Curator Hub. |
| Connection | *Editor* | James inherits Connection Editor from the Tenant Editor role. He can add source data from approved connections (for example, pulling Healthcare Providers data from S3) and select connections when configuring publish destinations. |
| Project | *Editor* | James inherits Project Editor from the Tenant Editor role. He can edit project metadata, add sources, add data products, and access the Curator Hub. He cannot delete the project or manage publish destinations. |
| Data product | *Developer, Curator, Viewer* | James inherits Data Product Developer, Curator, and Viewer from the Project Editor role. He can configure data product settings, refresh the data product, add and manage publish configurations, and run publish jobs. He can also perform hands-on data curation and view all data product data. |
IT / System Admin Example
Marcus is an IT administrator responsible for maintaining external system integrations. He needs to create and manage the Snowflake connections that data teams use as sources and publish destinations — but he should not be able to view or modify customer data in Tamr.
Inherited roles are shown in italics.
| Level | Role | Notes |
|---|---|---|
| Tenant | Tenant Operator | As a Tenant Operator, Marcus can create and fully manage connections and webhooks. He can also create and delete projects and edit project metadata. However, he cannot access data or manage users' tenant, project, or data product roles. |
| Connection | Admin | Marcus can add and manage the Snowflake connections for ingesting and exporting data. He cannot view actual data stored in those connections. |
| Project | No role | Tenant Operators do not inherit project roles. Marcus can create or delete project containers, but cannot view source data, run jobs, or see data product results inside a Tamr project. |
| Data product | No role | Tenant Operators do not inherit data product roles. Marcus cannot view data product results or curation queues within Tamr. |
Admin Example
Sharon is a Tamr tenant admin at a financial services firm. She onboards users, configures SSO, creates connections to Snowflake, and ensures everyone has the right level of access. She needs access to all resources in Tamr.
Inherited roles are shown in italics.
| Level | Role | Notes |
|---|---|---|
| Tenant | Admin | As a Tenant Admin, Sharon has full access to all tenant resources, users, jobs, API keys, connections, and webhooks. |
| Connection | *Admin* | Sharon inherits Connection Admin on all connections. She can add, edit, and delete Snowflake, S3, and other connections. |
| Project | *Admin* | Sharon inherits Project Admin on all projects. She can delete projects, manage sources, configure workflows and publish destinations, and assign project roles. |
| Data product | *Admin and all lower roles* | Sharon inherits Data Product Admin on all data products. She can configure, curate, publish, delete, copy, and manage permissions for every data product. |
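
The inheritance described in the tables above can be checked mechanically during an access review. The following is an added example, not Tamr code or a Tamr API: it models the inheritance stated in the Notes columns as a local Python structure, expands each persona's direct assignments into effective roles, and reports grants beyond a least-privilege baseline. The dictionary layout, function names, and the reading of "all lower roles" as Developer, Curator, and Viewer are assumptions.

```python
# Added illustration: a local model of the inheritance described in the Notes
# columns above. Not Tamr's API; all names and structures here are assumptions.
INHERITS = {
    ("tenant", "Editor"): [("connection", "Editor"), ("project", "Editor")],
    ("project", "Editor"): [("data_product", r) for r in ("Developer", "Curator", "Viewer")],
    # The page does not say which parent grants Data Product Admin; modeled from tenant.
    ("tenant", "Admin"): [("connection", "Admin"), ("project", "Admin"), ("data_product", "Admin")],
    # "Admin and all lower roles", taken here to mean the three roles in James's table.
    ("data_product", "Admin"): [("data_product", r) for r in ("Developer", "Curator", "Viewer")],
    ("tenant", "Tenant Operator"): [],  # inherits no project or data product roles
}

# Constructed direct assignments for the five personas on this page.
DIRECT = {
    "anita": {("data_product", "Viewer")},
    "priya": {("data_product", "Curator"), ("data_product", "Viewer")},
    "james": {("tenant", "Editor")},
    "marcus": {("tenant", "Tenant Operator"), ("connection", "Admin")},
    "sharon": {("tenant", "Admin")},
}

def effective_roles(direct):
    """Expand direct (level, role) grants through INHERITS, transitively."""
    seen, stack = set(), list(direct)
    while stack:
        grant = stack.pop()
        if grant not in seen:
            seen.add(grant)
            stack.extend(INHERITS.get(grant, []))
    return seen

def excess_grants(direct, needed):
    """Effective grants beyond the persona's least-privilege baseline."""
    return sorted(effective_roles(direct) - set(needed))

def data_access(direct):
    """Grants at the levels where data is visible (project, data product)."""
    return {g for g in effective_roles(direct) if g[0] in ("project", "data_product")}

if __name__ == "__main__":
    for user, direct in DIRECT.items():
        print(user, sorted(effective_roles(direct)))
    # A convenience grant of Tenant Editor to a business user, measured against her baseline.
    print(excess_grants({("tenant", "Editor")}, DIRECT["anita"]))
    print("marcus data access:", data_access(DIRECT["marcus"]))  # separation-of-duties check
```

The excess-grant check shows why a single tenant-level role is a poor shortcut for a business user: one direct assignment expands into connection, project, and data product roles she does not need.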