Lightstep Observability offers role-based access control (RBAC) to features and functionality. You can either manually add users by inviting them or automatically add users by authorizing domains.
This page describes Lightstep Observability’s user roles and how to create and manage users. If you’re using Google Workspace, this page also shows how to set up single sign-on (SSO) for your account.
Lightstep Observability also supports using Okta for user provisioning and single-sign-on (SSO) or OneLogin for SSO.
You must have the Admin role to create and manage users.
User roles
Lightstep Observability has four user roles: Admin, Billing admin, Member, and Viewer.
Users assigned to any role can view all projects in the organization. The sections below describe the role-specific permissions.
Admin
Users with the Admin role can do almost everything in Lightstep. Admin users can’t access some billing-related features.
Only assign a few users to the Admin role. In most cases, Admin users are Lightstep power users and understand the product well.
Users with the Admin role can do the following:
- Create and delete API Keys
- Create, edit, and delete alert conditions and destinations
- Create, edit, and delete allowed domains
- Create, edit, and delete charts
- Create, edit, and delete dashboards
- Create, edit, and delete projects
- Create, edit, and delete Streams
- Create, edit, and delete users
- Create, edit, and delete workflow links
- Create, edit, copy, and delete notebooks
- Edit project settings
- Set and modify Data Retention policy
- View alert conditions and destinations
- View and edit organization settings
- View and favorite dashboards
- View and favorite notebooks
- View charts and Streams
- View contract details
- View Data Retention policy
- View Explorer and run queries
- View metric ingestion rules
- View Microsatellite and pools pages
- View project settings
- View usage and overage percentages
- View workflow links
Users with the Admin role can’t do the following:
- Create, edit, and delete metric ingestion rules
- Export billing information to CSV
- View overage costs (For Active service bundle plans only)
Billing admin
Users with the Billing admin role can do everything in Lightstep, including billing-related tasks. Billing admin users are also the only users who get emails about Lightstep billing overages.
Only Lightstep Customer Success representatives can assign the Billing admin role. Contact your Customer Success representative to assign or reassign the Billing admin role. Note that the Billing admin role doesn’t exist in free Lightstep plans.
Users with the Billing admin role can do the following:
- Create and delete API Keys
- Create, edit, and delete alert conditions and destinations
- Create, edit, and delete allowed domains
- Create, edit, and delete charts
- Create, edit, and delete dashboards
- Create, edit, and delete metric ingestion rules
- Create, edit, and delete projects
- Create, edit, and delete Streams
- Create, edit, and delete users
- Create, edit, and delete workflow links
- Create, edit, copy, and delete notebooks
- Edit project settings
- Export billing information to CSV
- Set and modify Data Retention policy
- View alert conditions and destinations
- View and edit organization settings
- View and favorite dashboards
- View and favorite notebooks
- View charts and Streams
- View contract details
- View Data Retention policy
- View Explorer and run queries
- View metric ingestion rules
- View Microsatellite and pools pages
- View overage costs (For Active service bundle plans only)
- View project settings
- View usage and overage percentages
- View workflow links
Member
Users with the Member role can view and manage key Lightstep features, such as alerts, charts, dashboards, and notebooks. Member users can’t manage several things in Lightstep, including projects, users, organizations, and Microsatellites.
Assign this role to most users.
Users with the Member role can do the following:
- Create and delete API Keys (but only with Member access)
- Create, edit, and delete alert conditions and destinations
- Create, edit, and delete charts
- Create, edit, and delete dashboards
- Create, edit, and delete Streams
- Create, edit, and delete workflow links
- Create, edit, copy, and delete notebooks
- Edit project settings
- View alert conditions and destinations
- View and favorite dashboards
- View and favorite notebooks
- View charts and Streams
- View Data Retention policy
- View Explorer and run queries
- View metric ingestion rules
- View project settings
- View usage and overage percentages
- View workflow links
Users with the Member role can’t do the following:
- Create, edit, and delete allowed domains
- Create, edit, and delete metric ingestion rules
- Create, edit, and delete projects
- Create, edit, and delete users
- Export billing information to CSV
- Set and modify Data Retention policy
- View and edit organization settings
- View contract details
- View Microsatellite and pools pages
- View overage costs (For Active service bundle plans only)
Viewer
Users with the Viewer role can see several Lightstep features, including existing alerts, charts, dashboards, and notebooks. Viewer users can only manage their own notebooks.
Assign this role to new and onboarding organization members. The role can keep users from inadvertently changing existing configurations. You may also want to assign this role to temporary users.
Users with the Viewer role can do the following:
- Copy notebooks
- Create, edit, and delete their own notebooks
- View alert conditions and destinations
- View and favorite dashboards
- View and favorite notebooks
- View charts and Streams
- View Explorer and run queries
- View metric ingestion rules
- View project settings
- View usage and overage percentages
- View workflow links
Users with the Viewer role can’t do the following:
- Create and delete API Keys
- Create, edit, and delete alert conditions and destinations
- Create, edit, and delete allowed domains
- Create, edit, and delete charts
- Create, edit, and delete dashboards
- Create, edit, and delete metric ingestion rules
- Create, edit, and delete projects
- Create, edit, and delete Streams
- Create, edit, and delete users
- Create, edit, and delete workflow links
- Edit project settings
- Export billing information to CSV
- Set and modify Data Retention policy
- View and edit organization settings
- View contract details
- View Data Retention policy
- View Microsatellite and pools pages
- View overage costs (For Active service bundle plans only)
Manually create users
You manually create users from the Projects and users page. Once you add a user, Lightstep Observability sends them an email inviting them to create an account.
This image shows how to create a new user. The steps below describe the procedure in more detail.
-
In Lightstep Observability’s navigation bar, click Account management > Projects and users.
-
In the New users section, click the drop-down to set the Default role.
Lightstep assigns the default role to all new users. You can change users’ roles once they’re in the system.
Don’t set the default role to Admin. If you set it to Admin, all new users get full access to Lightstep Observability.
-
Next, click Invite new user, enter the new user’s email in the dialog, and click Invite.
Lightstep Observability sends an email to the user, asking them to set their password and sign in. The new user appears in the list of users. You and other Admin users can change their role if needed.
Search for a user
On the Projects and users page, use the search box to find users. As you type, Lightstep Observability returns users that match.
The image below shows an example where the search term lightstep returns two users:
Change a user’s role
Only users with the Admin role can change a user’s role.
This image shows how to change a user’s role. The steps below describe the procedure in more detail.
- In Lightstep Observability’s navigation bar, click Account management > Projects and users.
- Find the user whose role you want to change and click the role drop-down to select the new role.
- In the dialog, click Confirm to finalize your changes.
Change a user’s password
If you’re using Google for single sign-on, users can’t change passwords in Lightstep Observability.
If you’re not using Google for single sign-on, users can change their password on the Personal settings page. This image shows how to change a user’s password. The steps below describe the procedure in more detail.
- In Lightstep Observability’s navigation bar, click Account management > Personal settings.
- In the Change password section, enter your current password, and then enter and verify the new password.
- Click Save changes to finish changing your password. You can now log in with your new password.
Delete users
You can delete a single user or delete multiple users in bulk. Once you delete a user, they can no longer access Lightstep Observability.
Follow these steps to delete users:
-
In Lightstep Observability’s navigation bar, click Account management > Projects and users.
-
In the Users section:
- Delete a single user by finding the user, clicking the Trash icon, and clicking Confirm in the dialog.
- Delete users in bulk by selecting them, clicking Delete selected users, and clicking Confirm in the dialog.
Automatically create users by authorizing your domain
If you authorize your domain with Lightstep Observability, anyone with that domain as their email address can log into Lightstep Observability and create an account.
If you have a Google domain, once you authorize the domain with Lightstep Observability, you can set up SSO for your account.
The ability to allow a domain is available only for Lightstep Observability Enterprise accounts.
This image shows how to authorize a domain for user provisioning. The steps below describe the procedure in more detail.
-
In Lightstep Observability’s navigation bar, click Account management > Projects and users.
-
In the New users section, click the drop-down to set the Default role.
Lightstep assigns the default role to all new users. You can change users’ roles once they’re in the system.
Don’t set the default role to Admin. If you set it to Admin, all new users get full access to Lightstep Observability.
-
On the same page, go to the Allowed domains for JIT user provisioning section and click Add domain.
-
In the dialog, enter the domain’s URL and click Confirm.
Now, anyone with that domain in their email address can log into Lightstep Observability at
https://app.lightstep.com
. They have access to your Lightstep Observability organization and are assigned to the default role. You can manually change the role once the user is in the system.
To remove an allowed domain, click Remove next to that domain. Once you remove the domain, new users from that domain can’t be added, but existing users can still log in.
Set up SSO for Google Workspace accounts
With SSO, users can sign into Lightstep Observability with their managed Google credentials. In other words, they can click Sign in with Google without a second sign-in.
Follow these steps to set up SSO for Lightstep Observability:
- Sign into your Google Admin console as an administrator.
- In the sidebar, click Security > Access and data control > API controls.
- On the API controls page, click Manage Third-Party App Access.
- Click the Add app drop-down and select OAuth App Name or Client ID.
- Enter the client ID below, click Search, and then click Select next to the Lightstep app.
1
746217134341-pp9knfd5e0b6b6n84jg3cjd5hsuguuot.apps.googleusercontent.com
- Check OAuth Client ID, click Select, check Limited, and then click Configure to save your changes and return to the API controls page.
You can revisit your settings by going to the API controls page and clicking Manage Third-Party App Access > Lightstep.