Learn about the roles and permissions in Cloud Observability’s role-based access control (RBAC).
Overview
RBAC lets you manage user access to Cloud Observability with permissions and roles.
A permission is something users can do in Cloud Observability, for example, create dashboards. And a role is a named set of permissions you assign to users.
Cloud Observability has five organization roles (Organization Admin, Organization Billing Admin, Organization Editor, Organization Viewer, and Organization Restricted Member) and two project roles (Project Editor and Project Viewer). Users can have one organization role and several project roles. Examples:
spacecatis an Organization Restricted Member. At the project level,spacecatis a Project Viewer for project A, Project Editor for project B, andspacecatcan’t access project C.astronomer123is an Organization Viewer. At the project level,astronomer123is a Project Editor for project C.
For conceptual information about managing users and roles and possible setups, visit User and role management.
Organization roles
Organization roles are sets of permissions users have across all Cloud Observability projects. Some organization roles also have administrative permissions.
These sections summarize Cloud Observability’s organization roles. To see all role permissions, view the table below.
Organization Admin
Users with the Organization Admin role can do almost everything in Cloud Observability. Organization Admin users can’t access some billing-related features.
Only assign a few users to the Organization Admin role. In most cases, Organization Admin users are Cloud Observability power users and understand the product well.
Organization Billing Admin
Users with the Organization Billing Admin role can do everything in Cloud Observability, including billing-related tasks. Organization Billing Admin users are also the only users who get emails about Cloud Observability billing overages.
Only Cloud Observability Customer Success representatives can assign the Organization Billing Admin role. Contact your Customer Success representative to assign or reassign the Organization Billing Admin role.
Organization Editor
Users with the Organization Editor role can view and manage key Cloud Observability features, such as alerts, charts, dashboards, and notebooks. Organization Editor users can’t manage several things in Cloud Observability, including projects, users, organizations, and Microsatellites.
Assign this role to most users.
Organization Restricted Member
Users with the Organization Restricted Member role have no project access by default. Organization Restricted Member users can get access to specific projects with the Project Editor and Project Viewer roles.
Organization Viewer
Users with the Organization Viewer role can see several Cloud Observability features, including existing alerts, charts, dashboards, and notebooks. Organization Viewer users can only manage their own notebooks.
Assign this role to new and onboarding organization users. The role can keep users from inadvertently changing existing configurations. You may also want to assign this role to temporary users.
Project roles
Project roles are sets of permissions users have for specific Cloud Observability projects.
These sections summarize Cloud Observability’s project roles. To see all role permissions, view the table below.
Project Editor
Users with the Project Editor role have access to specific Cloud Observability projects. In those projects, Project Editor users can view and manage key Cloud Observability features, such as alerts, dashboards, and notebooks.
Project Viewer
Users with the Project Viewer role have access to specific Cloud Observability projects. In those projects, Project Viewer users can view several Cloud Observability features including existing alerts, dashboards, and notebooks. Project Viewer users can also create, edit, and delete their own notebooks in specific projects.
Role permissions
The tabs below show the permissions in Cloud Observability’s organization and project roles.
Note that project-role permissions are scoped to projects. For example, Project Editors can only edit dashboards in the projects they can access.
The tabs don’t include the Organization Restricted Member role. Users with that role can only log into Cloud Observability. To give them access to Cloud Observability features, assign them the Project Editor or Project Viewer role.
-
Permissions Organization Admin Organization Billing Admin Organization Editor Organization Viewer Project Editor Project Viewer Activate previews for Slack integrations ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ Activate Slack integrations ✔️ ✔️ Create and revoke Satellite keys (for Enterprise accounts only) ✔️ ✔️ Create, edit, and delete metric ingestion rules ✔️ Create, edit, and delete projects ✔️ ✔️ Create, view, and edit default roles ✔️ ✔️ Create, view, and revoke API keys ✔️ ✔️ ✔️
(Organization Editors can only create API keys with Organization Editor, Organization Viewer, Project Editor, and Project Viewer permissions.)✔️
(Project Editors can only create API keys for the projects they have access to.
The API keys can have Project Editor or Project Viewer permissions, and Project Editors can only view and revoke their own API keys.)Create, view, edit, and delete domains for JIT provisioning ✔️ ✔️ Create, view, edit, and delete single sign-on (SSO) ✔️ ✔️ Create, view, edit, and delete users ✔️ ✔️ Edit own password (for manually added users only) ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ Export billing information to CSV ✔️ Subscribe and unsubscribe from monthly instrumentation digest emails ✔️ ✔️ Subscribe and unsubscribe from service-level instrumentation emails ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View and edit timezones ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View billing contract details ✔️ ✔️ View billing overage costs (For Active service bundle plans only) ✔️ View billing usage and overage percentages ✔️ ✔️ ✔️ ✔️ View metric ingestion rules ✔️ ✔️ ✔️ ✔️ View the metric usage page ✔️ ✔️ ✔️ ✔️ View the trace usage page ✔️ ✔️ ✔️ ✔️ -
Permissions Organization Admin Organization Billing Admin Organization Editor Organization Viewer Project Editor Project Viewer Create and delete log rehydration events ✔️ ✔️ ✔️ ✔️ Create and edit Data Retention policy ✔️ ✔️ Create, edit, and delete workflow links ✔️ ✔️ Create, view, edit, and delete access tokens ✔️ ✔️ ✔️ ✔️ Create, view, edit, and delete AWS integrations ✔️ ✔️ ✔️ ✔️ Edit Metric details ✔️ ✔️ View and edit deployment versions ✔️ ✔️ ✔️ ✔️ View and edit Inferred services ✔️ ✔️ ✔️ ✔️ View and edit Ingest service blocking ✔️ ✔️ ✔️ ✔️ View and edit Instrumentation quality ✔️ ✔️ ✔️ ✔️ View and edit Mapping metrics to services ✔️ ✔️ ✔️ ✔️ View and edit Satellite pools ✔️ ✔️ View Data Retention policy ✔️ ✔️ ✔️ ✔️ View log rehydration events ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View Metric details ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View workflow links ✔️ ✔️ ✔️ ✔️ -
Permissions Organization Admin Organization Billing Admin Organization Editor Organization Viewer Project Editor Project Viewer Create, edit, and delete alert conditions and destinations ✔️ ✔️ ✔️ ✔️ Create, edit, and delete charts ✔️ ✔️ ✔️ ✔️ Create, edit, and delete dashboards ✔️ ✔️ ✔️ ✔️ Create, edit, and delete Streams ✔️ ✔️ ✔️ ✔️ Create, view, edit, delete, and favorite notebooks ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ (Project Viewers can only work with their own notebooks.) View alert conditions and destinations ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View and work with the logs tab ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View projects ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View and favorite dashboards ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View charts ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View Explorer and run queries ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ View Streams ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Visit the links below to learn more about setting up and using RBAC.
See also
Updated Oct 18, 2023