Managing user roles
There are five different user roles available for CARTO users:
Superadmin: Superadmins have all Admin capabilities plus the ability to view, delete, and transfer the ownership of any asset in the organization.
Admin: Admins can do everything an Editor can, plus they can access the Organization Settings. This allows them to invite other users, modify their roles, check the organization quotas and enable CARTO Support access, among other things.
There can be more than one admin
Admin users count as "Editor" users for the quota calculations
Editor: Editors can create connections, applications, tokens, workflows, and maps. They can also edit and delete their creations, as well as collaborate on maps made by other editors. Editors can also share their creations with viewers.
Guest viewer: Guest viewers are viewers that can only see the maps that have been explicitly shared with them, nothing else.
Viewer: Viewers can only see and interact with maps, workflows, and applications previously shared with them or with the whole organization.
Across the "Users & Groups" tabs you'll find an option called Default role for new users. This lets you control which role new users will take when they first join CARTO through auto-join, request or SSO signup.
By default, new users will take the Viewer role and you will need to upgrade them to Editor/Admin manually, which tends to be the recommended option for security.
For a quicker setup (for example when starting your team trial) you can change this default role to Editor.
You can change the role of a specific user by clicking the dropdown button next to their role:
Admins can't be downgraded to Viewers in a single operation. They need to be Editors first. The same is true when turning Viewers into Admins.
You, as an Admin, can't change your own role. Only other Admins can change your role.
If you downgrade an Editor or Admin to Viewer, you will have to select which user will inherit their assets (such as Maps, Workflows, Connections, CARTO Data Warehouse private files, apps, etc). Viewers can't own any assets in CARTO.
You must select a user that will inherit the assets of the user being downgraded. By default, the admin performing the action is selected.
Superadmins have all Admin privileges plus access to the Asset Management table in the Settings. This table displays all Maps, Connections, and Workflows that exist in the organization, regardless of ownership or discoverability settings.
From the Asset Management table, Superadmins can:
Delete any asset in the organization
Transfer ownership of any asset to any user, including themselves
Select multiple items for bulk deletion or ownership transfer
Filter assets by owner
When transferring assets, be aware that dependent assets may break if their required resources are unavailable after the transfer. For example, if you transfer a map that relies on a private connection, the recipient won't be able to view it because they lack access to that connection.
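The dependency caveat above can be checked before a bulk transfer is run. The sketch below is an added example, not CARTO code or the CARTO API: the Asset fields, the inventory and the access rule (a connection is usable by its owner, or by anyone if it is shared with the organization) are assumptions made for illustration. It goes slightly beyond the case in the text by also flagging assets left behind when their private connection is the thing being transferred.

```python
# Added example. Field names and the access model are assumptions, not CARTO's
# API schema; INVENTORY is constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    id: str
    kind: str                      # "map", "workflow" or "connection"
    owner: str
    shared_with_org: bool = False  # assumed: False means a private connection
    depends_on: tuple = ()         # ids of the connections this asset requires


def broken_after_transfer(inventory, transfer_ids, recipient):
    """Map each affected asset id to the connections its owner cannot use afterwards."""
    by_id = {a.id: a for a in inventory}
    moving = set(transfer_ids)
    unknown = moving - by_id.keys()
    if unknown:
        raise KeyError(f"unknown asset ids: {sorted(unknown)}")

    def owner_after(asset_id):
        return recipient if asset_id in moving else by_id[asset_id].owner

    report = {}
    for asset in inventory:
        # Only assets that move, or whose connection moves, can change state.
        if asset.id not in moving and not moving & set(asset.depends_on):
            continue
        missing = [
            c for c in asset.depends_on
            if c not in by_id  # dangling reference counts as unavailable
            or not (by_id[c].shared_with_org or owner_after(c) == owner_after(asset.id))
        ]
        if missing:
            report[asset.id] = missing
    return report


INVENTORY = [
    Asset("conn-private", "connection", owner="alice"),
    Asset("conn-shared", "connection", owner="alice", shared_with_org=True),
    Asset("map-sales", "map", owner="alice", depends_on=("conn-private",)),
    Asset("map-city", "map", owner="alice", depends_on=("conn-shared",)),
    Asset("wf-etl", "workflow", owner="alice", depends_on=("conn-private",)),
]

if __name__ == "__main__":
    print(broken_after_transfer(INVENTORY, ["map-sales", "map-city"], "bob"))
    print(broken_after_transfer(INVENTORY, ["map-sales", "conn-private"], "bob"))
```

An empty result means every asset touched by the batch still has an owner who can use its connections; anything else is a list of connections to transfer in the same batch or share first.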
Unlike other user roles, the first Superadmin user requires special provisioning and can only be manually invited by the CARTO team. This first Superadmin can then invite or promote additional Superadmins in that organization.
Superadmins can leverage the CARTO API to manage assets programmatically, along with a few additional capabilities:
Get all Maps, Workflows and Connections in your organization.
View detailed asset relationships, such as the Connection that a Map is using or the Workflows created with a specific Connection.
Execute batch deletion or transfer of assets.
For more information, please check the CARTO API documentation – Superadmin.
Admins can invite and share maps with Guest viewers. Unlike other CARTO user roles, Guest viewers can only see the Maps that have been explicitly shared with them, while the rest of the organization remains inaccessible:
They can't access maps shared with the whole organization.
They can't access Workflows, Applications, the Data Observatory, etc.
Like regular Viewers, they can't create, edit, or modify any content.
This role is especially useful for organizations that want to share maps securely with clients, partners, and collaborators but don't want to make those maps publicly available or invite those clients/partners/collaborators to their organization as regular users.
Admins can invite Guest viewers through the regular user invitation flow by selecting Guest viewer as the role. Once the guests have signed up, Editors will be able to share specific Maps with them.
So far we've reviewed the possibilities of manually assigning roles to each user, but this can prove challenging when you're trying to onboard and manage dozens or hundreds of users.
If you want to manage roles programmatically, the recommended way is to leverage new or existing groups coming from your SSO integration, and then map each group to a role. Users in those groups will automatically get the role assigned to their group. Learn more about mapping groups to roles in CARTO.