Lightstep Observability offers role-based access control (RBAC) to features and functionality. You can either manually add users by inviting them or automatically add users by authorizing domains.

This page describes Lightstep Observability’s user roles and how to create and manage users. If you’re using Google Workspace, this page also shows how to set up single sign-on (SSO) for your account.

Lightstep Observability also supports using Okta for user provisioning and single-sign-on (SSO) or OneLogin for SSO.

You must have the Admin role to create and manage users.

User roles

Lightstep Observability offers three different user roles with different levels of access to features:

  • Admin: Has access to all of Lightstep Observability. You should assign only a few members the Admin role. Typically, these people are Lightstep Observability power users and understand different parts of the product well.
  • Member: Has access to everything except creating/editing/deleting projects, Microsatellite management, and organization features. You should assign most people this role.
  • Viewer: Can only view span data, metrics, and project settings on different pages in Lightstep Observability (like notebooks, dashboards, alerts, and Service Directory). They can view and copy all notebooks for a project, but can only create, edit, delete, and save their own. Assign new and onboarding members of an organization this role to prevent them from inadvertently modifying existing dashboards or alerts. Temporary users should also use this role.

All Lightstep Observability user roles have access to all projects in the organization.

  Admin Member Viewer
View Explorer and run queries ✔️ ✔️ ✔️
View and favorite dashboards ✔️ ✔️ ✔️
View charts and Streams ✔️ ✔️ ✔️
View alert conditions and destinations ✔️ ✔️ ✔️
View and favorite notebooks ✔️ ✔️ ✔️
View project settings ✔️ ✔️ ✔️
View workflow links ✔️ ✔️ ✔️
Create, edit, and delete dashboards ✔️ ✔️  
Create, edit, and delete charts ✔️ ✔️  
Create, edit, and delete Streams ✔️ ✔️  
Create, edit, and delete alert conditions and destinations ✔️ ✔️  
Create, edit, copy, and delete notebooks ✔️ ✔️ Can copy, but only edit and delete their own
Create, edit, and delete workflow links ✔️ ✔️  
Edit project settings ✔️ ✔️  
View Data Retention policy ✔️ ✔️  
View and edit organization settings ✔️    
Create, edit, and delete projects ✔️    
Create, edit, and delete users ✔️    
Create, edit, and delete allowed domains ✔️    
Create and delete API Keys ✔️ ✔️ But only with Member access  
View Microsatellite and pools pages ✔️    
Set and modify Data Retention policy ✔️    

Manually create users

You manually create users from the Projects and users page. Once you add a user, Lightstep Observability sends them an email inviting them to create an account.

This image shows how to create a new user. The steps below describe the procedure in more detail.

Create users

  1. In Lightstep Observability’s navigation bar, click Account management > Projects and users.

  2. In the New users section, click the drop-down to set the Default role.

    Lightstep assigns the default role to all new users. You can change users’ roles once they’re in the system.

    Don’t set the default role to Admin. If you set it to Admin, all new users get full access to Lightstep Observability.

  3. Next, click Invite new user, enter the new user’s email in the dialog, and click Invite.

    Lightstep Observability sends an email to the user, asking them to set their password and sign in. The new user appears in the list of users. You and other Admin users can change their role if needed.

Search for a user

On the Projects and users page, use the search box to find users. As you type, Lightstep Observability returns users that match.

The image below shows an example where the search term lightstep returns two users:

Search for users

Change a user’s role

Only users with the Admin role can change a user’s role.

This image shows how to change a user’s role. The steps below describe the procedure in more detail.

Change user role

  1. In Lightstep Observability’s navigation bar, click Account management > Projects and users.
  2. Find the user whose role you want to change and click the role drop-down to select the new role.
  3. In the dialog, click Confirm to finalize your changes.

Change a user’s password

If you’re using Google for single sign-on, users can’t change passwords in Lightstep Observability.

If you’re not using Google for single sign-on, users can change their password on the Personal settings page. This image shows how to change a user’s password. The steps below describe the procedure in more detail.

Steps to change password

  1. In Lightstep Observability’s navigation bar, click Account management > Personal settings.
  2. In the Change password section, enter your current password, and then enter and verify the new password.
  3. Click Save changes to finish changing your password. You can now log in with your new password.

Delete users

You can delete a single user or delete multiple users in bulk. Once you delete a user, they can no longer access Lightstep Observability.

Follow these steps to delete users:

  1. In Lightstep Observability’s navigation bar, click Account management > Projects and users.

  2. In the Users section:

    • Delete a single user by finding the user, clicking the Trash icon, and clicking Confirm in the dialog.
    • Delete users in bulk by selecting them, clicking Delete selected users, and clicking Confirm in the dialog.

Automatically create users by authorizing your domain

If you authorize your domain with Lightstep Observability, anyone with that domain as their email address can log into Lightstep Observability and create an account.

If you have a Google domain, once you authorize the domain with Lightstep Observability, you can set up SSO for your account.

The ability to allow a domain is available only for Lightstep Observability Enterprise accounts.

This image shows how to authorize a domain for user provisioning. The steps below describe the procedure in more detail.

Authorize a domain

  1. In Lightstep Observability’s navigation bar, click Account management > Projects and users.

  2. In the New users section, click the drop-down to set the Default role.

    Lightstep assigns the default role to all new users. You can change users’ roles once they’re in the system.

    Don’t set the default role to Admin. If you set it to Admin, all new users get full access to Lightstep Observability.

  3. On the same page, go to the Allowed domains for JIT user provisioning section and click Add domain.

  4. In the dialog, enter the domain’s URL and click Confirm.

    Now, anyone with that domain in their email address can log into Lightstep Observability at https://app.lightstep.com. They have access to your Lightstep Observability organization and are assigned to the default role. You can manually change the role once the user is in the system.

To remove an allowed domain, click Remove next to that domain. Once you remove the domain, new users from that domain can’t be added, but existing users can still log in.

Set up SSO for Google Workspace accounts

With SSO, users can sign into Lightstep Observability with their managed Google credentials. In other words, they can click Sign in with Google without a second sign-in.

Follow these steps to set up SSO for Lightstep Observability:

  1. Sign into your Google Admin console as an administrator.
  2. In the sidebar, click Security > Access and data control > API controls.
  3. On the API controls page, click Manage Third-Party App Access.
  4. Click the Add app drop-down and select OAuth App Name or Client ID.
  5. Enter the client ID below, click Search, and then click Select next to the Lightstep app.
    1
    
    746217134341-pp9knfd5e0b6b6n84jg3cjd5hsuguuot.apps.googleusercontent.com
    
  6. Check OAuth Client ID, click Select, check Limited, and then click Configure to save your changes and return to the API controls page.

You can revisit your settings by going to the API controls page and clicking Manage Third-Party App Access > Lightstep.