33 changes: 33 additions & 0 deletions references/workspace/custom-roles.mdx
Expand Up @@ -103,6 +103,39 @@ Custom roles are assigned at the project level to provide granular access contro

## Scope reference

### Content-as-code scopes

Three scopes control access to [content as code](/guides/developer/dashboards-as-code), the CLI workflow for managing charts and dashboards as YAML files. They form a read → write → narrow-write ladder.

**Download content as code** (`view:ContentAsCode`) lets a user pull existing charts and dashboards as YAML via `lightdash download`. It does not allow pushing changes back. This is the common "let people pull templates" grant.

**Upload content as code to own previews** (`manage:ContentAsCode@self`) is a narrow upload right: users can run `lightdash upload` only against preview projects they created themselves. This is the intended day-to-day scope for non-Developer users in CI/CD-style workflows where they need to validate their own preview but shouldn't push to shared projects. Pair it with `view:ContentAsCode` so they can still pull from shared projects.

**Download and upload content as code** (`manage:ContentAsCode`) grants both download and upload across any project the role applies to. Users with this scope can run `lightdash upload` to overwrite charts and dashboards in the project. This implies `view:ContentAsCode` and the `@self` upload right.

Use **download-only** to let a user pull production YAML for local development, diffing, or inspection without giving them the ability to overwrite production content. Combine with a controlled promotion path (e.g., CI/CD running with a service account that holds the manage scope) so writes only land via the pipeline.

#### Restrict developers to preview uploads (agentic development workflow)

A common pattern for agentic development of dashboards and content as code is to let developers iterate freely on their own preview projects while preventing direct `lightdash upload` to production. Promotion to production then happens through a reviewed CI/CD pipeline instead of an individual's CLI, or through [promoting content](/guides/how-to-promote-content) in the UI.

To set this up:

1. **Clone the built-in Developer role** to create a custom role (for example, `Developer (no prod upload)`).
2. **Remove** the **Download and upload content as code** (`manage:ContentAsCode`) scope from the cloned role.
3. **Add** the **Download content as code** (`view:ContentAsCode`) and **Upload content as code to own previews** (`manage:ContentAsCode@self`) scopes.
4. **Assign the custom role to the user at the project level** on the production project.

<Warning>
Custom project roles can only narrow scopes the user would otherwise inherit. If the user is an **Organization Admin** or **Organization Developer**, they will inherit `manage:ContentAsCode` from their org role and the project-level custom role will not block them. For this pattern to work, the user's organization role must be **Viewer**, **Interactive Viewer**, or **Member**.
</Warning>

With this setup, the user can:

- Run `lightdash download` against the production project to pull YAML for local editing.
- Run `lightdash preview` and `lightdash upload` against their own preview projects to validate changes.
- Receive a `403` when attempting `lightdash upload` against the production project — production writes must go through the promotion pipeline.

### SQL-related scopes

Three scopes control different SQL-authoring features. They are independent — granting one does not grant the others.
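Review bot: The Warning block contradicts itself. Its first sentence, "Custom project roles can only narrow scopes the user would otherwise inherit", reads as if a project role subtracts permissions, while the next sentence says the project role will not block a scope inherited from an Organization Admin or Developer role. Suggest replacing the first sentence with "A custom project role adds to, and cannot remove, the scopes a user inherits from their organization role." The list of acceptable organization roles (Viewer, Interactive Viewer, Member) also omits Editor, yet the roles.mdx table in this same change marks the organization Editor column without "Upload content as code (CLI)"; either add Editor to the list or say why it is excluded. Finally, the bullet "Receive a `403`" commits the docs to an HTTP status code; if `lightdash upload` surfaces a permission error message rather than the raw status, quote that message so readers can recognise it.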
6 changes: 4 additions & 2 deletions references/workspace/roles.mdx
Expand Up @@ -35,7 +35,8 @@ Project Admins can invite users to their project and assign users or [groups](/r
| Manage project access and permissions | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Delete project | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Create a preview project | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Use dashboards as code (CLI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Download content as code (CLI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Upload content as code (CLI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Rename models, dimensions, and metrics (CLI and UI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |


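Review bot: Splitting "Use dashboards as code (CLI)" into two rows widens the Editor column: the removed row gave project Editor an xmark, while the new "Download content as code (CLI)" row gives Editor a check. Confirm this reflects what the built-in Editor role actually holds rather than an artifact of the split. Consider also naming the scope behind each row in the cell text or a footnote (`view:ContentAsCode` for download, `manage:ContentAsCode` for upload), so this table and the scope reference in custom-roles.mdx cannot drift apart.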
Expand All @@ -54,7 +55,8 @@ Organization Admins can assign roles to organization members, which gives access
| Admin for **all** projects | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Invite users to organization | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Manage organization access and permissions | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Use dashboards as code (CLI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Download content as code (CLI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Upload content as code (CLI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |
| Rename models, dimensions, and metrics (CLI and UI) | <Icon icon="square-check" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> | <Icon icon="xmark" iconType="solid" /> |


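Review bot: The two new rows carry five value cells, but the organization-role rows above them ("Admin for all projects", "Invite users to organization", "Manage organization access and permissions") carry six, so the Member column is missing from "Download content as code (CLI)" and "Upload content as code (CLI)". The row being replaced had the same defect, but since these rows are being rewritten anyway, add the sixth cell; for the upload row it should be an xmark, matching the custom-roles Warning that lists Member among the organization roles without inherited upload rights. Without the extra cell the table renders misaligned and a reader cannot tell whether the Editor column is the third or fourth cell.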