# Delegated Administration

TrustLogix offers a role-based delegation model for administering data security and governance operations across data sources, domains, and compliance features. The roles are designed to support operational separation of duties and ease of administration.

#### Super User

* Scope: Global and full access across all TrustLogix functionalities.
* Responsibilities:
  * Manage all data sources and configurations.
  * Create and manage users and assign roles.
  * Access all modules, including DSPM, access governance, tagging, data risks, monitoring, and reporting.
  * Create domains and products, and assign data assets to them.
* UI Access: Full UI access.

#### Data Source Administrator

* Scope: Admin rights restricted to specific data sources.
* Responsibilities:
  * Manage configurations for the assigned data source(s).
  * Assign policy administrators and manage related policies.
  * Perform data classification, sensitive data tagging, access tracking, and alert configuration for the assigned data sources.
  * Manage users assigned to a data source, for example by updating their domain or database assignments.
  * Create domains and products, and assign data assets to them.
* UI Access: Full access is limited to their assigned data sources.

#### Compliance Manager

* Scope: DSPM (Data Security Posture Management) functionalities across the environment.
* Responsibilities:
  * View and analyze data sprawl reports, access patterns, and sensitive data movement.
  * Monitor alerts and policy violations.
  * Generate compliance and risk reports.
* UI Access: Read/write access to DSPM dashboards and reports.

#### Policy Administrator

* Scope: Limited by Data Source or Domain assignment.
* Responsibilities:
  * Create and manage access control policies (RBAC, ABAC, masking).
  * When assigned:
    * Data Source Level: Policies can be created and applied only to that data source using database-level templates.
    * Domain Level: Can manage policies using domain-level templates, and only for assets defined within that domain.
      * Can manage products and their assets
* Restrictions:
  * Cannot use system-wide templates.
  * UI visibility and functionality are limited to their scope.
  * Policy administrators with domain assignments will:
    * Only see policies mapped to their domain.
    * Only use domain-specific templates.
  * Policy administrators with database assignments will:
    * Only see policies mapped to their assigned databases.
    * Only use database-specific templates.
* UI Access: Yes, based on assigned scope.
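
The Policy Administrator scoping rules above, modelled as a deny-by-default check. This is an added illustration, not TrustLogix code or its API; the class names, field names and sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Assignment:
    level: str        # "domain" or "database" (how the Policy Administrator is assigned)
    names: frozenset  # assigned domain names or database names

@dataclass(frozen=True)
class PolicyRequest:
    template_level: str          # "system", "domain" or "database"
    asset_domain: Optional[str]  # domain the target asset is defined in, if any
    asset_database: str          # database that holds the target asset

def check_policy_request(assignment: Assignment, request: PolicyRequest):
    """Return (allowed, reason); anything not explicitly in scope is denied."""
    if assignment.level not in ("domain", "database"):
        return False, "unknown assignment level"
    if request.template_level == "system":
        return False, "system-wide templates cannot be used"
    if request.template_level != assignment.level:
        return False, f"only {assignment.level}-level templates are allowed"
    target = (request.asset_domain if assignment.level == "domain"
              else request.asset_database)
    if target is None or target not in assignment.names:
        return False, "asset is outside the assigned scope"
    return True, "within assigned scope"

# Constructed sample data, not taken from a real deployment.
DOMAIN_ADMIN = Assignment("domain", frozenset({"finance"}))
DB_ADMIN = Assignment("database", frozenset({"SALES_DB"}))
SAMPLES = [
    (DOMAIN_ADMIN, PolicyRequest("domain", "finance", "FIN_DB")),    # allowed
    (DOMAIN_ADMIN, PolicyRequest("system", "finance", "FIN_DB")),    # system template
    (DOMAIN_ADMIN, PolicyRequest("database", "finance", "FIN_DB")),  # wrong template level
    (DOMAIN_ADMIN, PolicyRequest("domain", None, "SALES_DB")),       # asset in no domain
    (DB_ADMIN, PolicyRequest("database", None, "SALES_DB")),         # allowed
    (DB_ADMIN, PolicyRequest("database", "finance", "FIN_DB")),      # other database
]

def evaluate_samples():
    """Run every constructed request through the check."""
    return [check_policy_request(a, r) for a, r in SAMPLES]

if __name__ == "__main__":
    for (assignment, request), (ok, reason) in zip(SAMPLES, evaluate_samples()):
        print(f"{assignment.level:8} {request.template_level:8} -> "
              f"{'ALLOW' if ok else 'DENY '} ({reason})")
```
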

#### User Attribute Administrator

* Scope: User attribute configuration for the assigned data sources.
* Responsibilities:
  * Define and manage user attributes for the assigned data sources used in ABAC policies.
  * Maintain allowed values and hierarchical mappings for user entitlements.
* UI Access: Yes, limited to attribute management panels.

#### Attribute Value Manager

* Scope: User attribute value configuration for the assigned data sources.
* Responsibilities:
  * Maintain allowed values and hierarchical mappings for user entitlements for the assigned data source.
* UI Access: Yes, limited to attribute value management panels.

#### Policy Reader

* Scope: Read-only access to the assigned data sources.
* Responsibilities:
  * View configurations, policies, reports, and dashboards.
  * No create, edit, or delete permissions.
* UI Access: Read-only access.

#### Policy Promoter

* Scope: Integration-focused automation.
* Responsibilities:
  * Promote and push policies using TrustLogix APIs.
  * Does not interact with the UI.
  * Commonly used in CI/CD pipelines or external integrations.
* UI Access: No UI access.

### Permissions Matrix

<table data-header-hidden><thead><tr><th width="204.6875">Role</th><th>Create Domain</th><th>Manage Products</th><th>Define Policies</th><th>Use Templates</th><th>Manage Attributes</th><th>Manage DSPM</th></tr></thead><tbody><tr><td>Role</td><td>Create Domain</td><td>Manage Products</td><td>Define Policies</td><td>Use Templates</td><td>Manage Attributes</td><td>Manage DSPM</td></tr><tr><td>Super User</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes (All templates)</td><td>Yes (All attributes)</td><td>Yes</td></tr><tr><td>Data Source Administrator</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes (All templates)</td><td>Yes (All attributes)</td><td>Yes</td></tr><tr><td>Policy Administrator (Domain Level)</td><td>No</td><td>Yes (Assigned Domain only)</td><td>Yes (On Data Products from Assigned Domains only)</td><td>Yes (Domain-level Templates only)</td><td>No</td><td>No</td></tr><tr><td>Policy Administrator (Database Level)</td><td>No</td><td>No</td><td>Yes (On Assets which are under assigned databases only)</td><td>Yes (Database-level templates only)</td><td>No</td><td>No</td></tr><tr><td>User Attribute Manager (Domain Level)</td><td>No</td><td>No</td><td>No</td><td>No</td><td>Yes (ALL or On Data Products from Assigned Domains only)</td><td>No</td></tr><tr><td>User Attribute Manager (Database Level)</td><td>No</td><td>No</td><td>No</td><td>No</td><td>Yes (Restricted to Non Data Products attributes)</td><td>No</td></tr><tr><td>Policy Reader (Domain Level)</td><td>No (Read-only access)</td><td>No (Read-only access)</td><td>No (Read-only access)</td><td>No</td><td>No (Read-only access)</td><td>No</td></tr><tr><td>Policy Reader (Database Level)</td><td>No</td><td>No</td><td>No (Read-only access)</td><td>No</td><td>No (Read-only access)</td><td>No</td></tr><tr><td>Compliance Manager</td><td>No</td><td>No</td><td>No</td><td>No</td><td>No</td><td>Yes</td></tr></tbody></table>
