
Roles & permissions

Owner, admin, editor, analyst, auditor, viewer — what each role can see and do, and how data classification gates access.

Delphi uses two independent access controls that work together: role-based scope, which determines what a person can do, and data classification, which determines what a person can see. Both are enforced on the server on every request, and both fail closed — if Delphi cannot confidently confirm access, it denies it. That means you can invite the whole company without worrying about accidental exposure of sensitive data.

The six roles

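Every dashboard member is assigned exactly one of six roles. On the scope ladder, higher roles always inherit the capabilities of lower ones; which classifications a role can see is set per role, as the descriptions below spell out.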

Owner. Full control over the command center, including deleting the dashboard, transferring ownership, and managing billing. Owners can see every classification including restricted data.

Admin. Everything an owner can do except delete or transfer the dashboard. Admins manage permissions, generate and revoke API keys, configure MCP sessions, and see every classification including restricted data.

Editor. Full day-to-day operational access. Editors can create and modify datasets, visualizations, connectors, KPIs, scenarios, agents, and reports, and can use every chat tool including mutating ones. Editors see public, internal, and confidential data, but not restricted data.

Analyst. Read-only plus query tools. Analysts can explore data, run chat queries, build scenarios in draft, and export reports, but cannot mutate the underlying dashboard. Analysts see public and internal data only — confidential and restricted are hidden.

Auditor. Read-only plus the full audit trail. Auditors exist specifically for compliance reviewers and internal audit teams: they can see public, internal, and confidential data (enough to verify controls), but never restricted data, and they cannot change anything. This sits deliberately between viewer and analyst on the scope ladder — less operational reach than an analyst, but broader data visibility for audit purposes.

Viewer. Read-only access to public data only. Ideal for stakeholders, external partners, or anyone who only needs to watch headline metrics without touching anything sensitive.

Data classification levels

Every dataset, connector, document, and KPI in Delphi carries a classification tag that determines who can read it.

  • Public. Non-sensitive information appropriate for any dashboard member or external stakeholder.
  • Internal. Information appropriate for employees and trusted collaborators, but not for unauthenticated or external audiences.
  • Confidential. Sensitive business data, HR-adjacent records, or personal information that should only reach people with a clear operational or audit need.
  • Restricted. The most sensitive tier: regulated data, secrets, legal holds, or executive-only material that even editors should not touch.

Items without an explicit classification are treated as public for backward compatibility, but unknown or misspelled classifications are denied outright.

How they combine

Access to any item in Delphi requires two checks to pass. First, your role must meet the minimum scope for the action (for example, editing a dataset requires editor or higher). Second, your role must be allowed to see that item’s classification (for example, viewers cannot read internal data even if they technically have read access to the dashboard).

Both checks are enforced every time — there is no cached “approved” state that survives a role change. Revoking a role or lowering a classification takes effect on the next request. And because Delphi is fail-closed, a typo, an unknown classification, or a missing permission record all produce the same answer: denied. Every role change and permission update is recorded in the audit log, so you can always reconstruct who had access to what and when — see the audit log guide for how to review that history.
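The two checks and the fail-closed rules described above, sketched as an added example (this is not Delphi's own code). The scope ladder and visibility sets follow this page; the function names, the `read` and `edit_dataset` action names, the exact-match comparison of tags, and the sample inventory are assumptions made for illustration.

```python
# Added illustration of the two-check model; not Delphi's implementation.
# Scope ladder, lowest to highest (auditor sits between viewer and analyst).
SCOPE_LADDER = ["viewer", "auditor", "analyst", "editor", "admin", "owner"]

# Classification visibility per role, as listed on this page.
VISIBLE = {
    "viewer": {"public"},
    "auditor": {"public", "internal", "confidential"},
    "analyst": {"public", "internal"},
    "editor": {"public", "internal", "confidential"},
    "admin": {"public", "internal", "confidential", "restricted"},
    "owner": {"public", "internal", "confidential", "restricted"},
}
KNOWN_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}

# Hypothetical action names; "editing a dataset requires editor" is from the page.
MIN_SCOPE = {"read": "viewer", "edit_dataset": "editor"}

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"name": "headline_kpis", "classification": "public"},
    {"name": "payroll", "classification": "restricted"},
    {"name": "legacy_export"},  # no tag: readable by every role
]


def is_allowed(role, action, classification=None):
    """Return True only if both checks pass; anything unrecognised is denied."""
    # Unknown role (e.g. missing permission record) or unknown action: deny.
    if role not in VISIBLE or action not in MIN_SCOPE:
        return False
    # Check 1: the role must meet the minimum scope for the action.
    if SCOPE_LADDER.index(role) < SCOPE_LADDER.index(MIN_SCOPE[action]):
        return False
    # An item with no explicit tag is treated as public ...
    if classification is None:
        classification = "public"
    # ... but an unknown or misspelled tag is denied outright.
    if classification not in KNOWN_CLASSIFICATIONS:
        return False
    # Check 2: the role must be allowed to see the item's classification.
    return classification in VISIBLE[role]


def untagged_items(items):
    """Names of items with no classification tag, which default to public."""
    return [item["name"] for item in items if item.get("classification") is None]
```

Because untagged items default to public, a check like `untagged_items` is worth running over an inventory before inviting viewers.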

Choosing the right role

Start from the principle of least privilege: give each person the lowest role that lets them do their job, and promote later if needed. Most operators should be editors, most executives and stakeholders should be viewers or analysts, and only a small handful of people should hold admin or owner. Reserve auditor for people whose entire job is verifying controls, not running the business.

When you are ready to bring people in, head over to the invite your team guide for the step-by-step invitation flow.
