Team Roles

Team roles let you control which DBCode features your team members can use. Each team member is assigned a role that determines their access level. This is useful for enforcing company policies around data handling, AI usage, and information sharing.

How Roles Work

Every team member has exactly one role. The role determines two things:

1. Team management access - whether they can manage seats and assign roles (admin only)
2. Feature access - which DBCode features they can use

When a feature is restricted by a role, the team member sees it as disabled with a “Restricted by your team role” message. Features are never hidden, just disabled, so there is no confusion about what is available.

Built-in Roles

DBCode includes four built-in roles that cover common configurations:

Role	Team Management	Feature Restrictions
admin	Can manage team members and assign roles	None (full access)
member	No management access	None (full access)
no-export	No management access	Data Export, Data Copy, Data Share
restricted	No management access	AI, History Sync, Data Export, Data Copy, Data Share

Built-in roles cannot be modified or deleted. They serve as ready-made configurations for common use cases.

Custom Roles

If the built-in roles don’t fit your needs, you can create custom roles with any combination of restrictions. Custom roles can restrict the following features:

Feature	Key	What It Controls
AI	ai	All AI features (or restrict individually below)
AI Completions	ai.completions	Inline SQL completions as you type
AI Analysis	ai.analysis	Query explanations and execution plan analysis
AI Query Builder	ai.queryBuilder	AI-assisted query construction
AI Explore	ai.explore	AI-powered data exploration
AI Grid	ai.grid	AI assistance in the data grid
History Sync	historySync	Cloud sync of query history across devices
Data Export	dataExport	Export to CSV, Excel, JSON, Parquet, and other formats
Data Copy	dataCopy	Copy cells and rows from the data grid to clipboard
Data Share	dataShare	Share data and reports via shareable links

Restricting a parent feature (like AI) automatically restricts all its sub-features. You can also restrict sub-features individually if you want more granular control. For example, you might allow AI completions but restrict AI analysis.

Managing Roles

Viewing Roles

In the Account tab, expand your license details. If you have a team subscription and are an owner or admin, you will see a Roles section listing all available roles (built-in and custom).

Creating a Custom Role

1. Click the + icon next to the Roles heading
2. A role editor will open. Enter a name for your role
3. Uncheck the features you want to restrict
4. Click Create

Editing a Custom Role

1. Click the pencil icon next to the role you want to edit, or click the role name
2. The role editor will open showing the current configuration
3. Modify the name or feature restrictions as needed
4. Click Save

Deleting a Custom Role

1. Click the trash icon next to the custom role you want to delete
2. Confirm the deletion

When a custom role is deleted, any team members assigned to that role will revert to full access (equivalent to the member role).

Viewing Built-in Roles

Click any built-in role to open the role editor in read-only mode. This lets you see exactly what each built-in role restricts without being able to modify it.

Assigning Roles

To assign a role to a team member:

1. In the Seats section, find the team member
2. Click the shield icon next to their name
3. Select a role from the list

The role takes effect on the team member’s next extension activation or within 12 hours (the permission refresh interval). Restarting VS Code will apply the change immediately.

Changing Roles

Assigning a new role replaces the previous one. For example, changing someone from admin to no-export removes their team management access and adds the export restrictions.

The Owner Role

The account owner always has full access and their role cannot be changed. The owner is the person who created the subscription.

Policy Tool, Not a Security Boundary

Team roles are a policy enforcement tool designed to help organizations manage how their team uses DBCode. They prevent accidental misuse and help enforce company guidelines around data handling and AI usage.

Caution

Roles are not a security boundary. They enforce policy within the extension, but a user could work around restrictions by:

• Signing out of their team account
• Using another database client or tool
• Accessing the database directly outside of DBCode

For sensitive data protection, always use database-level access controls (grants, row-level security, network restrictions, etc.) as your primary security mechanism. Roles complement database security but do not replace it.

Think of roles as the equivalent of a company policy document, but enforced automatically within the tool, rather than relying on people to remember and follow the rules.

How Restrictions Are Enforced

When a feature is restricted:

• AI features - Completions stop appearing, AI assist commands show a restriction message
• History Sync - The sync toggle is disabled, local history continues to work normally
• Data Export - Export menu items and commands show a restriction message
• Data Copy - Clipboard copy from the data grid is blocked
• Data Share - Share options show a restriction message

In all cases, the user sees “Restricted by your team role” so they understand why the feature is unavailable.

Storage and Privacy

Role definitions and assignments are stored in your Stripe subscription metadata alongside your existing team seat data. No separate database or third-party service is involved. Role assignments are cached locally on each team member’s machine and refreshed every 12 hours.

Requesting Additional Features

If you need to restrict features not currently available in the role system, let us know at [help@dbcode.io](mailto:help@dbcode.io?subject=Restrict team features). We are actively expanding the list of features that can be managed through roles.