dbt-labs · mirnawong1 · Jan 18, 2024 · Jan 17, 2024 · Jan 17, 2024 · Jan 17, 2024
@@ -11,7 +11,7 @@ In dbt Cloud, _licenses_ are used to allocate users to your account. There are t
 
 - **Developer** &mdash; Granted access to the Deployment and [Development](/docs/cloud/dbt-cloud-ide/develop-in-the-cloud) functionality in dbt Cloud.
 - **Read-Only** &mdash; Intended to view the [artifacts](/docs/deploy/artifacts) created in a dbt Cloud account. Read-Only users can receive job notifications but not configure them.
-- **IT** &mdash; Can manage users, groups, and licenses, among other permissions. IT users can receive job notifications but not configure them. Available on Enterprise and Team plans only.
+- **IT** &mdash; Can manage users, groups, and licenses, among other permissions. IT users can receive job notifications but not configure them. Available on Enterprise and Team plans only.  In Enterprise plans, the IT license type grants access equivalent to the ['Security admin' role](/docs/cloud/manage-access/enterprise-permissions#account-permissions-for-account-roles). 
 
 The user's assigned license determines the specific capabilities they can access in dbt Cloud.
 
@@ -29,6 +29,12 @@ The user's assigned license determines the specific capabilities they can access
 
 ## Licenses
 
+:::tip Licenses or Permission sets
+
+The user's license type always overrides their assigned [Enterprise permission](/docs/cloud/manage-access/enterprise-permissions) set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
+
+:::
+
 Each dbt Cloud plan comes with a base number of Developer, IT, and Read-Only licenses. You can add or remove licenses by modifying the number of users in your account settings. 
 
 If you have a Developer plan account and want to add more people to your team, you'll need to upgrade to the Team plan. Refer to [dbt Pricing Plans](https://www.getdbt.com/pricing/) for more information about licenses available with each plan.

@@ -20,6 +20,11 @@ control (RBAC).
 
 The following roles and permission sets are available for assignment in dbt Cloud Enterprise accounts. They can be granted to dbt Cloud groups which are then in turn granted to users. A dbt Cloud group can be associated with more than one role and permission set. Roles with more access take precedence. 
 
+:::tip Licenses or Permission sets
+
+The user's [license](/docs/cloud/manage-access/seats-and-users) type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
+:::
+
 <Permissions feature={'/snippets/_enterprise-permissions-table.md'} />
 
 ## How to set up RBAC Groups in dbt Cloud