Admin & Setup Lesson 2 of 63 ⏱ 5 min read ⏳ Video coming soon

Roles and permissions — the mental model

Lesson summary

How DashboardFox roles work. One system role (Admin), three per-app roles (App Builder, Composer, Agent), and a separate Billing Admin — and how they layer with groups and folder permissions.

By the end of this lesson

  • You'll know what each role can do and where to grant it
  • You'll know why a brand-new app is invisible — even to its creator
Video coming soon. The written guide below has everything you need to understand who can do what in DashboardFox. We'll add the video here when it's recorded.

Background

DashboardFox has two layers of roles, plus one separate role just for billing. Once you can hold the layers in your head, almost every "why can't this person see this?" question answers itself.

Layer 1 — system role: Admin. An Admin manages the whole instance. Adds users, configures branding, sets up the SMTP gateway for email delivery, runs the audit log. You can have as many Admins as you like — most teams have one or two.

Layer 2 — per-app roles: App Builder, Composer, Agent. These three roles are granted one app at a time. App Builder shapes the data model. Composer builds reports and dashboards. Agent runs what others built. The same person can be a Composer on Sales data and an Agent on HR data — different roles per app, by design.

Separate — Billing Admin. A flag any user can have, even an Agent. It manages your subscription and credit card, and it lives in the Billing section in the side panel of DashboardFox — not in Settings. That separation is on purpose: it lets a finance team member handle billing without granting them any access to data or product administration.

Confused about which role someone needs? Email team@dashboardfox.com with the situation — we'll walk through it with you.

Do it

  1. The system role: Admin

    Admins live in Settings → Security → Users. Mark a user as an Admin and they get full access to the Settings area — Integrations, Security, Branding, Server Settings, the Audit App. Admins can create new apps and assign per-app roles to others.

    One important rule: being an Admin does not by itself give you access to data. An Admin can see that an app exists, but until someone assigns them a per-app role on it, they can't open it in App Builder, Composer, or the Library. This catches almost every new admin in their first week — see the pitfalls below.

  2. Per-app roles: App Builder, Composer, Agent

    Per-app roles are assigned at Settings → Security → Apps. For each app, you pick which users (or groups) get which role:

    • App Builder — shapes the data model. Adds tables, builds relationships, configures the report tree, writes formula fields. Usually your data lead.
    • Composer — builds reports and dashboards on the model. Picks fields, applies filters, makes charts. Most analytics-savvy folks get this on the apps relevant to their work.
    • Agent — runs reports, opens dashboards, applies prompts, schedules emails, exports. The largest population in most organizations.

    You can grant roles to individual users or to groups. Groups scale better — see step 3.

  3. Groups and the All Users shortcut

    Instead of granting a per-app role to every user one at a time, put users in a group and grant the role to the group. Groups are configured at Settings → Security → Groups.

    Every instance ships with a built-in All Users group. If you want everyone in your company to be Agents on (say) the Sales app, assign Agent on that app to All Users. Done — every existing user and every new user picks it up automatically.

    For multi-customer or multi-team isolation, see Groups & folders and Tenant mode in Module 4.

  4. Library folder permissions — the third layer

    Even after a per-app role is granted, what reports a user actually sees in the Library (also called Documents) is gated by folder permissions. Folders cascade: if you can see a parent folder, you can see all its subfolders unless they're explicitly restricted.

    This means it's possible to be a Composer on an app but only see one folder of saved reports — because that's where the team has organized the reports relevant to your role. Library structure in Module 10 covers folder-permission patterns that scale.

    Not sure which folder permission is blocking someone? Email team@dashboardfox.com with the username and what they expected to see — we'll help you trace it.

  5. Billing Admin — the separate one

    Billing Admin is a flag, not a role on the role tiers above. Any user can have it, regardless of their other roles — your finance person could be an Agent on every app and still manage the subscription, or have no per-app roles at all.

    To grant: Settings → Security → Users, edit the user, enable Billing Admin, save. Once granted, the user sees the Billing section in the side panel of DashboardFox, with plan management, invoices, and credit-card setup. Admins without the Billing Admin flag don't see this section at all.

If you're stuck

Almost every first-week confusion about permissions is one of these.

I created an app, but I can't see it in App Builder

You're an Admin, but you don't have a per-app role on the new app yet. Creating an app and being granted access to it are two separate steps. Go to Settings → Security → Apps, find the app, click Edit, assign yourself App Builder, and save. The app then shows up for you. This trips up almost everyone — it's on purpose, to prevent accidentally exposing a new data source to the wrong people.

I'm an Admin but I still can't open this app

Same root cause as above — system Admin doesn't equal per-app App Builder, Composer, or Agent. Open Settings → Security → Apps, edit the app, and assign yourself a per-app role. The two grants are independent.

I gave someone Composer but they can't find the report in the Library

Library access is folder-controlled, separate from per-app roles. The user has permission to build a report on the app's data — but the saved report lives in a folder they don't have access to. Open the folder in the Library, edit its permissions, and grant the user (or their group) at least read access.

I removed someone from a group, but they still see the report

Two common causes. First, they may also have access via another group, or via a direct user-level grant — check the user's profile and the report's folder permissions for any other path. Second, browser sessions cache permissions for a few minutes; have the user sign out and back in.

My Billing Admin can't see any data

That's expected — Billing Admin is only for billing. To give that person access to data, assign them a per-app role on the apps they need (or a system Admin role if they're also doing administration). The two grants are independent.

None of these match my situation

Email team@dashboardfox.com with what you're trying to grant, who you're trying to grant it to, and what they're seeing instead. Same business day reply.

Reference Glossary → Module 1 — start Welcome to DashboardFox → Module 2 — next How DashboardFox connects to data →

Related lessons

Module 1 · 7 min

Welcome

Watch the tour, then pick the path that matches what you're here to do.

 Module 2 · 3 min read

How connections work

Pick your path: direct DB, ODBC, files, or API. Plus the pattern they all share.

 Module 2 · 6 min

Direct database

Connect Postgres, MySQL, SQL Server, Azure SQL, or Oracle.
7-day free trial — no credit card

Built lean. Priced fairly. Supported by humans.

Full access to all features. No credit card required.

Start Free Trial Have questions? Let's talk

Prefer no subscriptions & full control? Self-hosted from $4,995 one-time →

Click once to extend to 14 days — need more time? Just reach out.

25+ years building BI tools Support from the team that builds it Available in US & EU regions
DashboardFox mascot