Overview
This guide helps you understand Sight Machine's user roles and assign the right permissions to users in your organization. By the end, you'll be able to choose appropriate roles for different user types and configure access levels for your team.
Understanding User Roles
Sight Machine has 6 primary user roles and 1 add-on role. Each role determines what a user can access and modify across Factory Analyze, Build, Connect, Operate, and App Builder.
Role Hierarchy
Roles are organized by permission level (highest to lowest):
- Sight Machine (highest) - Full platform access, internal Sight Machine staff
- Administrator - Full platform access for customer admins
- Developer - Full development and configuration access
- Process Expert - Runtime authoring and configuration access
- Basic User - Facility-scoped viewing and editing
- Customer - Shared content viewing only
- All Facilities (add-on) - Extends any role to access all facilities
Role Permissions Reference
This section provides detailed CRUD (Create, Read, Update, Delete) permissions for each role across all Sight Machine products.
Factory Analyze
What it does: Dashboards, applications, data tables, reports on analytics for manufacturing performance
Access Levels (CRUD):
- CRUD (all facilities): Create, read, update, and delete all dashboards and reports across all facilities
- Read (assigned facilities): View dashboards and reports only for assigned facilities
- Read (shared only): View only dashboards and reports explicitly shared with you
- None: No access
| Role | Create | Read | Update | Delete |
|---|---|---|---|---|
| Sight Machine | ✅ All | ✅ All | ✅ All | ✅ All |
| Administrator | ✅ All | ✅ All | ✅ All | ✅ All |
| Developer | ✅ All | ✅ All | ✅ All | ✅ All |
| Process Expert | ✅ All | ✅ All | ✅ All | ❌ |
| Basic User | ❌ | ✅ Assigned facilities | ❌ | ❌ |
| Customer | ❌ | ✅ Shared only | ❌ | ❌ |
Factory Build
What it does: Data foundation via workspaces, pipelines and artifacts
Access Levels (CRUD):
- CRUD: Create, read, update, and delete workspaces, pipelines, and artifacts
- Create + Update: Create and update workspaces, pipelines, and artifacts (cannot delete)
- None: No access (can only view results in Factory Analyze)
| Role | Create | Read | Update | Delete |
|---|---|---|---|---|
| Sight Machine | ✅ | ✅ | ✅ | ✅ |
| Administrator | ✅ | ✅ | ✅ | ✅ |
| Developer | ✅ | ✅ | ✅ | ✅ |
| Process Expert | ✅ | ✅ | ✅ | ❌ |
| Basic User | ❌ | ❌ | ❌ | ❌ |
| Customer | ❌ | ❌ | ❌ | ❌ |
Factory Connect
What it does: Configure data connections to IT and OT data sources
Access Levels (CRUD):
- CRUD: Create, read, update, and delete data source connections and configuration
- Read + Dev Tools: View connections plus API access, debugging, and testing tools
- None: No access
| Role | Create | Read | Update | Delete | Dev Tools |
|---|---|---|---|---|---|
| Sight Machine | ✅ | ✅ | ✅ | ✅ | ✅ |
| Administrator | ✅ | ✅ | ✅ | ✅ | ✅ |
| Developer | ✅ | ✅ | ✅ | ✅ | ✅ |
| Process Expert | ❌ | ❌ | ❌ | ❌ | ❌ |
| Basic User | ❌ | ❌ | ❌ | ❌ | ❌ |
| Customer | ❌ | ❌ | ❌ | ❌ | ❌ |
Factory Operate
What it does: Real time operations
Two Types of Access:
- Configuration Access (setting up the tool):
- CRUD: Create, read, update, delete monitoring workflows, alert rules, display configurations
- Update: Modify existing workflows and alert thresholds (cannot create/delete)
- Read: View tool configuration without editing
- Usage Access (working with data in the tool):
- CRUD: Create downtimes, log issues, enter production data, acknowledge alerts, update shift notes
- Read: View runtime displays and production data only
Configuration CRUD:
| Role | Create Config | Read Config | Update Config | Delete Config |
|---|---|---|---|---|
| Sight Machine | ✅ | ✅ | ✅ | ✅ |
| Administrator | ✅ | ✅ | ✅ | ✅ |
| Developer | ❌ | ✅ | ✅ | ❌ |
| Process Expert | ❌ | ✅ | ✅ | ❌ |
| Basic User | ❌ | ✅ | ❌ | ❌ |
| Customer | ❌ | ✅ | ❌ | ❌ |
Usage CRUD:
| Role | Create Data | Read Data | Update Data | Delete Data |
|---|---|---|---|---|
| Sight Machine | ✅ | ✅ | ✅ | ✅ |
| Administrator | ✅ | ✅ | ✅ | ✅ |
| Developer | ✅ | ✅ | ✅ | ✅ |
| Process Expert | ✅ | ✅ | ✅ | ✅ |
| Basic User | ❌ | ✅ | ✅ | ❌ |
| Customer | ❌ | ✅ Shared only | ✅ Shared only | ❌ |
App Builder
What it does: Build custom applications on top of the Sight Machine platform
Two Types of Access:
- Configuration Access (building the app):
- CRUD: Create, read, update, delete, and publish apps
- Update: Modify existing app configurations (cannot create/delete apps)
- Read: View app configuration without editing
- Usage Access (using the app):
- CRUD: Enter data into forms, submit work orders, update records, complete tasks in the app
- Read: View app content and data only (no data entry)
Configuration CRUD:
| Role | Create App | Read Config | Update Config | Delete App | Publish |
|---|---|---|---|---|---|
| Sight Machine | ✅ | ✅ | ✅ | ✅ | ✅ |
| Administrator | ✅ | ✅ | ✅ | ✅ | ✅ |
| Developer | ✅ | ✅ | ✅ | ✅ | ✅ |
| Process Expert | ❌ | ✅ | ✅ | ❌ | ❌ |
| Basic User | ❌ | ✅ Shared | ✅ Shared | ❌ | ❌ |
| Customer | ❌ | ✅ Shared | ✅ Shared | ❌ | ❌ |
Published App Access :
| Role | Can open shared apps? | Can submit/update data? | Notes |
|---|---|---|---|
| Sight Machine | ✅ All apps | ✅ | Full control, including deletes |
| Administrator | ✅ All apps | ✅ | Manage and submit data |
| Developer | ✅ All apps | ✅ | Full control, including deletes |
| Process Expert | ✅ Shared apps | ❌ | View-only unless promoted |
| Basic User | ✅ Shared apps | ❌ | Read-only runtime access |
| Customer | ✅ Shared apps | ❌ | Read-only runtime access |
User Management
What it does: Create, modify, and delete user accounts; assign roles and facility access; manage user status and credentials
What users see in UI: Settings > User Management
Operations:
- Create Users: Add new users, assign initial role and facility access
- Read Users: View user profiles, roles, facility assignments, login history
- Update Users: Change roles, facility access, reset password, enable/disable account
- Delete Users: Remove users from system (deactivate account)
Access by Role:
| Role | Create | Read | Update | Delete | Delegate | Notes |
|---|---|---|---|---|---|---|
| Sight Machine | ✅ | ✅ | ✅ | ✅ | ✅ | Full user administration |
| Administrator | ✅ | ✅ | ✅ | ✅ | ⚠️ | Full user administration |
| Developer | ❌ | ⚠️ Self only | ⚠️ Self only | ❌ | ❌ | Can view/edit own profile only |
| Process Expert | ❌ | ❌ | ❌ | ❌ | ❌ | No user management access |
| Basic User | ❌ | ❌ | ❌ | ❌ | ❌ | No user management access |
| Customer | ❌ | ❌ | ❌ | ❌ | ❌ | No user management access |
API Keys & Integrations
What it does: Create and manage API keys for connecting external tools, BI systems, and building custom integrations
Sight Machine provides two paths for API key generation:
-
Connect API keys (Connect > API Keys)
- Available to Developer role (and above)
- Keys are created per environment. All users with access can use those keys
- For transmitting data from Connect to storage like Kafka or Fabric
-
Platform API keys (Settings > Profile > Security > API Key)
- Available to Developer role (and above)
- One key per user (1:1 relationship)
- Inherits the user's roles and facility restrictions
- For development, testing, SDK and OBDC access
Operations:
- Create API Keys: Generate new keys for applications, integrations, or personal use
- Read API Keys: View existing keys and their metadata (key secrets cannot be recovered after initial creation)
- Update API Keys: Modify title, description, or regenerate keys
- Delete API Keys: Immediately revoke access; used for rotating compromised keys or removing unused keys
Access by Role:
| Role | Connect API Keys | Platform API Keys (My Profile) | Notes |
|---|---|---|---|
| Sight Machine | ✅ CRUD | ✅ CRUD | Full access to both API key types |
| Administrator | ✅ CRUD | ✅ CRUD | Full access to both API key types |
| Developer | ✅ CRUD | ✅ CRUD | Full access to both API key types |
| Process Expert | ❌ | ✅ CRUD | Platform API key access |
| Basic User | ❌ | ✅ CRUD | Platform API key access |
| Customer | ❌ | ❌ | No API key access |
📝 Note: Demoting a user's role (e.g., Developer to Basic User) does not automatically revoke existing API keys. Keys must be explicitly deleted to revoke access.
Feature Controls
What it does: Control which Sight Machine features are enabled or disabled in your environment; features can be toggled via UI or backend configuration
What users see in UI: Settings > Features
Operations:
- View Feature Controls: See which features are enabled/disabled and their descriptions
- Modify UI Controls: Enable/disable features via Settings > Features page
- Modify Backend Configuration: Change features that require backend configuration (non-UI toggleable)
- Additional functions: Preview upcoming features, gradually roll out features, A/B test with user groups
Access by Role:
| Role | View Controls | Modify Controls | Notes |
|---|---|---|---|
| Sight Machine | ✅ | ✅ | Full control |
| Administrator | ✅ | ✅ | Full control |
| Developer | ✅ | ✅ | Full control |
| Process Expert | ❌ | ❌ | No feature control access |
| Basic User | ❌ | ❌ | No feature control access |
| Customer | ❌ | ❌ | No feature control access |