Lightstep Observability offers role-based access control (RBAC) to features and functionality. You can add users manually or automatically via domain allowing, authorizing user at the domain access without an explicit invitation. When you authorize a Google domain, you can configure your Google Apps account so that users can log in with their Google email address.

Lightstep Observability also supports using Okta for user provisioning and single-sign-on (SSO) or OneLogin for SSO.

You must have the Admin role to create and manage users.

User roles

Lightstep Observability offers three different user roles with different levels of access to features:

  • Admin: Has access to all of Lightstep Observability. You should assign only a few members the Admin role. Typically, these people are Lightstep Observability power users and understand different parts of the product well.
  • Member: Has access to everything except creating/editing/deleting projects, Microsatellite management, and organization features. You should assign most people this role.
  • Viewer: Can only view trace data and project settings on different pages in Lightstep Observability (like Service Directory, Explorer, Streams, alert configurations). They can view and copy all notebooks for a project, but can only create, edit, delete, and save their own. Assign new and onboarding members of an organization this role to prevent them from inadvertently modifying existing dashboards or alerts. Temporary users should also use this role.

All Lightstep Observability user roles have access to all projects in the organization.

  Admin Member Viewer
View Explorer and run queries ✔️ ✔️ ✔️
View and favorite dashboards ✔️ ✔️ ✔️
View charts and Streams ✔️ ✔️ ✔️
View alerts, conditions and destinations ✔️ ✔️ ✔️
View and favorite Notebooks ✔️ ✔️ ✔️
View project settings ✔️ ✔️ ✔️
View workflow links ✔️ ✔️ ✔️
Create, edit, and delete dashboards ✔️ ✔️  
Create, edit, and delete charts ✔️ ✔️  
Create, edit, and delete Streams ✔️ ✔️  
Create, edit, and delete alerts, conditions and destinations ✔️ ✔️  
Create, edit, copy, and delete Notebooks ✔️ ✔️ Can copy, but only edit and delete their own
Create, edit, and delete workflow links ✔️ ✔️  
Edit project settings ✔️ ✔️  
View Data Retention policy ✔️ ✔️  
View and edit organization settings ✔️    
Create, edit, and delete projects ✔️    
Create, edit, and delete Users ✔️    
Create, edit, and delete allowed domains ✔️    
Create and delete API Keys ✔️ ✔️ But only with Member access  
View Microsatellite and pools pages ✔️    
Set and modify Data Retention policy ✔️    

Manually create users

You manually create users from the Account Settings page. Once you add a user, Lightstep Observability sends them an email inviting them to create an account.

To manually create a user:

  1. In the left-hand navigation bar, click Account and choose Account Settings.

  2. Click the Projects & Users tab. In the New Users area of the Account Settings page, set the Default Role. This is the role that all new users will be assigned. You can change a user’s role once they are created.

  3. In the New Users area of the Account Settings page, click Invite New User.

  4. Enter the new user’s email and click Invite. An email is sent to that address asking them to log into Lightstep Observability and create an account.

    The new user displays in the list of users. You and other Admin users can change the role if needed.

Search for a user

Use the search field to find users. As you type, Lightstep Observability returns users that match.Search for users

Change a user’s role

Only users with the Admin role can change a user’s role.

  1. Click Account > Account Settings from the side navigation bar.

  2. Click the Projects & Users tab. Find the user whose role you want to change and use the role dropdown to select the correct role.

Change a user’s password

Users can change their password themselves from the Account Settings page.

If your account uses Google for single sign-on, then passwords can’t be changed.

  1. Click Account > Account Settings from the side navigation bar.

  2. In the Update Password area, enter your current password, enter and verify the new password, and click Save New Password.

Delete users

You can delete a single user or bulk delete multiple users at once. Once you delete a user, they can no longer access Lightstep Observability.

  1. Click Account > Account Settings from the side navigation bar.

  2. To remove a single user, in the Users section, find the user to delete and click the Trash icon.

    To bulk delete users, select them and then click Delete selected users. Bulk delete users

Automatically create users by authorizing your domain

If you authorize your domain with Lightstep Observability, anyone with that domain as their email address can log into Lightstep Observability and create an account. If your domain is with Google, then once you authorize that domain with Lightstep Observability, you can also configure single sign-on (SSO) with Google Apps for Work Teams to allow users to sign in with their Google email.

The ability to allow a domain is available only for Lightstep Observability Enterprise accounts.

To authorize a domain for user provisioning:

  1. Click Account > Account Settings from the side navigation bar.

  2. Click the Projects & Users tab. In the New Users area of the Account Settings page, set the Default Role. Be sure to select the role that most users should have, as all users you create using the allowed domain will be assigned this role. After you create a user, you can manually change the role.

    Make sure your default role isn’t Admin unless you want all users to have full access when they are created.

  3. In the Allowed Domains for JIT User Provisioning area, click Add Domain.

  4. Enter the domain’s URL and click Confirm. Anyone with that domain in their email address logging into Lightstep Observability at will have access to your Lightstep Observability organization and will be assigned the role you set as the default. You can manually change the role once the user is created.

To remove an allowed domain:
Remove an allowed domain by clicking Remove for that domain. Once you remove the domain, new users from that domain can’t be added, but existing users will continue to be able to log in.

Allow google apps for single sign-on access

Google Apps for Work teams can streamline the process further by adding Lightstep Observability to your Google IT Apps List. Enabling allows users to click the Sign in with Google button and use Google to authenticate.

Extracted from Google’s developer documentation

Your Google Apps administrator can authorize Lightstep Observability for the entire organization so that users can skip the authorization page during the sign-in process.

  1. Open the Google Apps Admin Console.
  2. Click the Security icon, then click Show More > Advanced Settings > Manage API client access.

  3. Authorize Lightstep Observability by adding these credentials.
    Client Name:

    API scopes:,

  4. Click Authorize. The authorization will take effect in about 30 minutes.